Full Report
Google has filed a lawsuit to dismantle the "Lighthouse" phishing-as-a-service platform used by cybercriminals worldwide to steal credit card information through SMS phishing attacks impersonating the U.S. Postal Service and E-ZPass toll systems. [...]
Analysis Summary
# Threat Actor: Lighthouse Phishing-as-a-Service (PhaaS) Operators
## Attribution & Identity
* **Primary Identification:** The operators of the "Lighthouse" platform.
* **Known Alias/Attribution:** Linked to the Chinese threat actor known as **"Wang Duo Yu"** who operates Telegram channels to sell and support the kits.
* **Historical Name:** The group previously operated under the name **"Smishing Triad"** before rebranding to Lighthouse in March 2025.
* **Associated Groups:** Possible connection to the operators of the **"Lucid"** PhaaS platform, as Lighthouse uses the same `_LOAFING OUT LOUD_` fake shop template.
## Activity Summary
Lighthouse is a commercial Phishing-as-a-Service (PhaaS) platform designed to facilitate large-scale SMS phishing (smishing) campaigns globally. The platform provides templates and infrastructure to affiliates to steal credit card information and personal data.
* **Recent Campaigns (Post-Oct 2024):** Multiple threat actors used Wang Duo Yu's kits to run massive toll road scams across the United States, sending fake E-ZPass billing alerts.
* **Scale:** The platform has purportedly affected over 1 million victims across 120 countries. Smishing campaigns using these techniques have reportedly stolen up to 115 million payment cards in the U.S. between July 2023 and October 2024.
## Tactics, Techniques & Procedures
* **Delivery Method:** SMS Phishing (Smishing).
* **Messaging Vector:** Sending text messages via iMessage (iOS) and RCS (Android) potentially to evade spam filters.
* **Impersonation:** Impersonating trusted entities such as the **U.S. Postal Service (USPS)** and **E-ZPass toll systems**.
* **Infrastructure Use:** Providing phishing templates and supporting website infrastructure to subscribers.
* **Credential Harvesting:** Phishing sites are designed to steal personal information and credit card numbers.
* **Advanced Capability:** The platform supports customizable templates capable of stealing login credentials *and* **two-factor authentication (2FA) codes**.
* **Evasion/Deception:** Exploiting brand reputations by displaying trademarks (including *Google's branding*) on fraudulent sign-in screens to appear legitimate.
* **Domain Usage:** Utilizing thousands of **typosquatted domains** to host malicious sites.
* **MITRE ATT&CK IDs:** (No specific IDs were provided in the article, but this activity relates heavily to **T1566.001** - Phishing: Spearphishing Link).
## Targeting
* **Sectors:** Services related to Delivery/Logistics (USPS) and Transportation/Toll Authorities (E-ZPass). Financial services are indirectly targeted via stolen payment card data.
* **Geography:** Worldwide impact, with victims in **120 countries**. Specific targeting observed in the **United States**, including states such as Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, and Kansas.
* **Victims:** General consumers who use USPS delivery services or pay tolls via E-ZPass.
## Tools & Infrastructure
* **Platform Name:** Lighthouse PhaaS.
* **Associated Tools:** Phishing kits developed by Wang Duo Yu, supporting iMessage and RCS delivery.
* **Infrastructure:** Website infrastructure for phishing pages, offered as a service. At least 107 proprietary phishing website templates featuring Google's branding were noted.
* **Communication/Sales Channel:** Telegram channels used by Wang Duo Yu for marketplace operations.
* **Pricing Model:** Commercial subscription model, ranging from $88 per week to $1,588 per year.
## Implications
The Lighthouse operation represents a professionalized global cybercrime ecosystem built for mass financial fraud. By operating as a PhaaS platform, it significantly lowers the barrier to entry for less-skilled criminals, enabling credential harvesting (including 2FA codes) at scale, directly undermining consumer financial security and eroding trust in essential service providers such as postal services and toll agencies. Google's lawsuit indicates a significant disruption effort targeting the primary infrastructure provider.
## Mitigations
* **Security Awareness:** Educate users about smishing tactics, specifically alerts regarding unsettled toll charges or delivery issues from USPS/E-ZPass.
* **Link Verification:** Train users to never click links in unsolicited SMS messages and to manually navigate to official websites (e.g., E-ZPass portal) to check balances.
* **Platform Monitoring:** Utilize advanced detection mechanisms (like Google’s AI tools) to detect and block messages utilizing brand impersonation across SMS/RCS platforms.
* **Infrastructure Takedown:** Continued legal and technical efforts to dismantle PhaaS platforms and their affiliated hosting infrastructure (as demonstrated by Google's lawsuit).
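As an added defender-side illustration of the Platform Monitoring mitigation (example code written for this page, not from the report or Google's filing): a heuristic that pairs the USPS/E-ZPass lure phrases described above with lookalike-domain detection and runs it over constructed SMS samples. The allowlist of official domains, the lure list and the sample messages are assumptions.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of legitimate brand domains (constructed for this example;
# a real deployment would load the operator's verified list).
OFFICIAL_DOMAINS = {"usps.com", "e-zpassny.com"}
BRAND_TOKENS = ("usps", "ezpass")
# Lure phrases matching the USPS / E-ZPass pretexts described in the report.
LURE_TERMS = ("unpaid toll", "toll", "package", "delivery", "redeliver",
              "outstanding balance", "suspended")
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

def registrable_domain(url: str) -> str:
    """Return the last two host labels, e.g. 'usps-redelivery.top'."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch near-miss labels like 'uspss'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain: str) -> bool:
    """Brand-bearing or near-miss domain that is not on the allowlist."""
    if domain in OFFICIAL_DOMAINS:
        return False
    label = domain.split(".")[0].replace("-", "")
    return any(tok in label or edit_distance(label, tok) <= 2 for tok in BRAND_TOKENS)

def score_sms(text: str) -> dict:
    """Flag a message when a toll/delivery lure is paired with a lookalike domain."""
    lowered = text.lower()
    lures = [t for t in LURE_TERMS if t in lowered]
    domains = {registrable_domain(m.group(0)) for m in URL_RE.finditer(text)}
    suspicious = sorted(d for d in domains if is_lookalike(d))
    return {"lures": lures, "suspicious_domains": suspicious,
            "smishing_suspected": bool(lures) and bool(suspicious)}

# Constructed sample messages (not real captures).
SAMPLES = [
    "USPS: your package could not be delivered. Confirm your address at https://usps-redelivery.top/track",
    "E-ZPass: unpaid toll balance of $6.99. Pay at e-zpassny.com/pay to avoid fees",
    "Reminder: your dentist appointment is tomorrow at 10am. Reply C to confirm.",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(score_sms(s))
```

The heuristic deliberately requires both signals, so a lure that links to an allowlisted domain is not flagged; tune the allowlist and lure list to the brands your users actually receive messages from.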