Full Report
Google has filed a civil lawsuit in the U.S. District Court for the Southern District of New York (SDNY) against China-based hackers who are behind a massive Phishing-as-a-Service (PhaaS) platform called Lighthouse that has ensnared over 1 million users across 120 countries. The PhaaS kit is used to conduct large-scale SMS phishing attacks that exploit trusted brands like E-ZPass and USPS to
Analysis Summary
# Threat Actor: Unnamed China-Based Hackers (Associated with Lighthouse PhaaS)
## Attribution & Identity
* **Attribution:** China-based hackers.
* **Known Aliases/Groups:** Associated with the operators of the **Lighthouse** Phishing-as-a-Service (PhaaS) platform. Their activity is linked to the broader interconnected cybercrime ecosystem operating out of China, and they align with the targeting patterns of the **Smishing Triad** syndicate. The article notes that Lighthouse operates independently of the *XinXin group* but aligns with *Lucid*.
## Activity Summary
The actors operate a massive Phishing-as-a-Service (PhaaS) platform named **Lighthouse**. Google is suing them in the SDNY for running this platform, which has allegedly tricked over 1 million users across 120 countries and has been used to illegally obtain more than a billion dollars over the past three years.
## Tactics, Techniques & Procedures
* **Delivery Mechanism:** Conduct large-scale SMS phishing (smishing) attacks, often utilizing Apple iMessage and Google Messages' RCS capabilities.
* **Monetization/Platform:** Operate a PhaaS platform (Lighthouse) where templates are licensed to users for fees ranging from $88 (weekly) to $1,588 (yearly).
* **Brand Impersonation:** Illegally display trademarks and services of trusted brands on fraudulent websites (e.g., at least 107 website templates featured Google's branding on sign-in screens).
* **Lures:** Use phishing lures related to fake toll fees (e.g., E-ZPass) or package deliveries (e.g., USPS).
* **Infrastructure:** Utilize interconnected infrastructure that aligns with other PhaaS platforms like Darcula and Lucid.
## Targeting
* **Sectors:** General public (as end-users of services) and brands whose reputation is leveraged for impersonation. Specific targeted services mentioned include electronic tolls, mail/delivery services, banks, and cryptocurrency exchanges.
* **Geography:** Global, ensnaring users across **120 countries**, with significant focus on the U.S.
* **Victims:** Over **1 million users** have been ensnared by the platform.
## Tools & Infrastructure
* **Malware Families/Kits:** **Lighthouse** PhaaS kit. (Also references broader ecosystem tools like Ghost Tap, though not explicitly tied to the Lighthouse operators themselves).
* **Infrastructure:** Phishing templates licensed through Lighthouse. The platform is linked to over 17,500 phishing domains targeting 316 brands.
* **Legal Action Focus:** Google's lawsuit specifically targets the underlying infrastructure under RICO, the Lanham Act, and the Computer Fraud and Abuse Act.
## Implications
The operation represents a highly industrialized, commercially scaled cybercrime effort enabled by the PhaaS model, leading to significant financial theft (estimated over $1 billion USD over three years) and large-scale brand compromise. The collaboration within the Chinese PhaaS ecosystem (Lighthouse/Lucid) suggests a dynamic and evolving threat landscape concentrating on SMS-based social engineering.
## Mitigations
* **Infrastructure Disruption:** Legal action is being taken to dismantle the underlying infrastructure (as evidenced by Google's lawsuit).
* **Brand Protection:** Organizations need to proactively monitor for and respond to trademark infringement within phishing template catalogs and related domain registration.
* **User Education:** Organizations and users must be wary of unsolicited links received via SMS, especially those related to toll fees or package delivery requiring sign-ins or financial confirmation.
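The Brand Protection and User Education points above both come down to one observable pattern: a message names an impersonated brand or uses a toll-fee or package-delivery lure, while its link resolves to a domain the brand does not own. The following Python triage heuristic is an added example, not code from the article, from Google's filing, or from any vendor. The sample messages are constructed, the lure keyword list is an assumption, and the per-brand domain allowlist is a placeholder to be maintained by the defender (usps.com is the only real domain used; the E-ZPass entry is left empty, so any E-ZPass link is flagged until the operator fills it in).

```python
import re
from urllib.parse import urlparse

# Constructed sample messages (not quoted from the article) in the shape of the
# toll-fee and package-delivery lures the summary describes. Phishing hosts use
# the reserved .example TLD so nothing here points at a live site.
SAMPLE_MESSAGES = [
    "E-ZPass: unpaid toll balance of $6.99. Pay now to avoid a late fee: https://ezpass-toll-pay.example/u/41",
    "USPS: your package could not be delivered. Confirm your address: http://usps.track-update.example/confirm",
    "USPS: your package is out for delivery. Track it at https://www.usps.com/",
    "Reminder: your dentist appointment is tomorrow at 10am.",
]

# Assumed allowlist of registrable domains per brand keyword. The defender must
# maintain this; an empty set means every link naming that brand is flagged.
BRAND_ALLOWLIST = {
    "ezpass": set(),          # placeholder: add the toll agency's real domain(s)
    "usps": {"usps.com"},     # real domain, used here as the only non-placeholder
}
ALL_ALLOWED = set().union(*BRAND_ALLOWLIST.values())

# Assumed lure vocabulary matching the toll / delivery pretexts in the summary.
LURE_PATTERNS = [
    r"\btoll\b", r"\bunpaid\b", r"\blate fee\b", r"\bpackage\b",
    r"\bdeliver(?:y|ed)\b", r"\bconfirm your address\b",
    r"\bupdate your (?:address|payment)\b",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (simplification: ignores multi-part public
    suffixes such as co.uk; use a public-suffix library in production)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def squash(text: str) -> str:
    """Lowercase and drop non-alphanumerics so 'E-ZPass', 'e-z-pass' and
    'ezpass-toll-pay' all contain the same brand token 'ezpass'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def analyze_sms(message: str) -> dict:
    """Score one SMS. A brand mismatch (brand named in text or hostname, link
    outside that brand's allowlist) is decisive; otherwise a lure keyword plus
    any off-allowlist link is enough to flag the message for review."""
    urls = URL_RE.findall(message)
    hosts = [urlparse(u).hostname or "" for u in urls]
    brands_in_text = {b for b in BRAND_ALLOWLIST if b in squash(message)}

    mismatches = []
    for host in hosts:
        reg = registrable_domain(host)
        brands_in_host = {b for b in BRAND_ALLOWLIST if b in squash(host)}
        for brand in sorted(brands_in_text | brands_in_host):
            if reg not in BRAND_ALLOWLIST[brand]:
                mismatches.append((brand, host))

    lure_hits = [p for p in LURE_PATTERNS if re.search(p, message, re.IGNORECASE)]
    offsite = [h for h in hosts if registrable_domain(h) not in ALL_ALLOWED]
    suspicious = bool(mismatches) or (bool(lure_hits) and bool(offsite))
    return {
        "urls": urls,
        "brand_mismatches": mismatches,
        "lure_hits": lure_hits,
        "suspicious": suspicious,
    }


def triage(messages):
    """Return [(suspicious, message)] for a batch, e.g. a user-reported inbox."""
    return [(analyze_sms(m)["suspicious"], m) for m in messages]


if __name__ == "__main__":
    for flagged, msg in triage(SAMPLE_MESSAGES):
        print("SUSPICIOUS" if flagged else "ok        ", msg[:70])
```

The third sample message shows why the allowlist matters: it carries the same "package" and "delivery" vocabulary as a lure but links to the brand's own registrable domain, so it is not flagged. Conversely the second sample is caught even though the lookalike sits in a subdomain, because the check compares the registrable domain rather than the whole hostname.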