Full Report
Google has filed a complaint in court that details the scam: In a complaint filed Wednesday, the tech giant accused “a cybercriminal group in China” of selling “phishing for dummies” kits. The kits help unsavvy fraudsters easily “execute a large-scale phishing campaign,” tricking hordes of unsuspecting people into “disclosing sensitive information like passwords, credit card numbers, or banking information, often by impersonating well-known brands, government agencies, or even people the victim knows.” These branded “Lighthouse” kits offer two versions of software, depending on whether bad actors want to launch SMS and e-commerce scams. “Members may subscribe to weekly, monthly, seasonal, annual, or permanent licenses,” Google alleged. Kits include “hundreds of templates for fake websites, domain set-up tools for those fake websites, and other features designed to dupe victims into believing they are entering sensitive information on a legitimate website.”...
Analysis Summary
# Threat Actor: Unnamed Cybercriminal Group in China (Lighthouse Kit Sellers)
## Attribution & Identity
* **Identification:** A "cybercriminal group in China" accused by Google in a court filing.
* **Aliases/Associated Groups:** The group is identified by the name of the primary tool/service they sell: **"Lighthouse"** kits. No known formal threat group names are provided in this context.
## Activity Summary
The primary activity described is the **commercial resale of phishing infrastructure and toolkits** designed to facilitate large-scale phishing campaigns for less technical fraudsters ("phishing for dummies"). These kits are used to impersonate well-known brands, government agencies (e.g., USPS, E-Z Pass), or even known individuals.
## Tactics, Techniques & Procedures
* **T1566.001 (Phishing: Spearphishing Attachment)**: The report explicitly mentions SMS, but the kits are sold to execute phishing campaigns more broadly.
* **T1566.002 (Phishing: Spearphishing Link)**: Victims are prompted to click links leading to fake websites.
* **T1583.003 (Infrastructure: Domains)**: Selling tools for domain setup for fake websites.
* **T1588.002 (Develop Capabilities: Phishing Kits)**: Selling complete phishing kits branded as "Lighthouse."
* **T1590.001 (Reconnaissance: Compromise Accounts)**: Targeting credentials such as passwords, credit card numbers, and banking information.
* **T1566.003 (Phishing: SMS/Smishing)**: One version of the kit specifically targets SMS scams (e.g., overdue toll fee or package redelivery notices).
* **T1566.004 (Phishing: E-commerce Scams)**: The second version targets e-commerce related fraud.
## Targeting
* **Sectors:** Undetermined, primarily targeting *consumers* based on the nature of the impersonations (USPS, E-Z Pass).
* **Geography:** Implied focus on regions where brands like USPS and E-Z Pass operate (likely the US), given the examples used in the scams initiated by the kit users.
* **Victims:** Unsuspecting individuals targeted via SMS or web ads, tricked into disclosing sensitive personal and financial information.
## Tools & Infrastructure
* **Malware/Tools:** **"Lighthouse" Phishing Kits.**
* Includes hundreds of templates for fake websites.
* Includes domain set-up tools.
* Offers two software versions for SMS and e-commerce scams.
* Subscription model for access (weekly, monthly, seasonal, annual, permanent).
* **Infrastructure:** Fake websites designed to look legitimate, sometimes displaying Google Pay branding to build trust. The group also used advertising networks, potentially including Google Ads, until the accounts were suspended.
## Implications
This activity represents a **lowering of the barrier to entry for cybercrime**, allowing less technically sophisticated actors to conduct effective, large-scale, brand-impersonating phishing campaigns. The commercialization of these kits indicates a persistent, professionalized underground economy supporting global fraud.
## Mitigations
* **Filter and block known phishing indicators:** Organizations and service providers must continue to actively detect and suspend accounts/websites associated with Lighthouse kit campaigns.
* **Public awareness campaigns:** Educate end-users on recognizing SMS and web links spoofing major brands and government agencies (USPS, E-Z Pass, etc.).
* **Monitor underground forums:** Track sales and licensing advertisements for "Lighthouse" kits and similar phishing tooling subscriptions.
* **Impersonation Takedowns:** Rapidly respond to reports of brand impersonation across SMS gateways and web platforms.
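The first three mitigations above (filtering indicators, teaching users to spot spoofed brand links, and monitoring for kit-driven campaigns) all come down to recognising the same lure pattern: a message names a brand such as USPS or E-Z Pass, pushes urgency, and links to a domain the brand does not own. The following is an added example, not code from the report or from Google's complaint, of a small heuristic scorer an SMS gateway or SOC could run over inbound messages. The brand-to-domain allowlist, the urgency phrase list and the sample messages are all constructed for the example; an operator would replace the allowlist with the brands' published domains.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist (placeholder values): brands the report says the kits
# impersonate, mapped to the registered domains a legitimate message links to.
BRAND_DOMAINS = {
    "usps": {"usps.com"},
    "e-z pass": {"e-zpassiag.com"},
}

# Pretext phrases typical of the toll-fee and redelivery lures the report
# describes (constructed list, extend from observed campaigns).
URGENCY_TERMS = ("overdue", "redelivery", "final notice", "within 24 hours",
                 "unpaid toll", "suspended", "late fee")

URL_RE = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)

# Constructed sample messages: two smishing lures in the style the report
# describes, one legitimate-looking notification, one unrelated reminder.
SAMPLE_MESSAGES = [
    "USPS: your package could not be delivered. Schedule redelivery within 24 hours "
    "at https://usps-redelivery.top/track",
    "E-Z Pass: your unpaid toll is overdue. Pay now to avoid a late fee: "
    "https://ezpass-toll.info/pay",
    "Your USPS package is out for delivery. Track it at "
    "https://tools.usps.com/go/TrackConfirmAction",
    "Reminder: your dentist appointment is tomorrow at 3pm.",
]


def registered_domain(url):
    """Return the last two host labels (a simple eTLD+1 approximation)."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def score_sms(text):
    """Score one SMS body for brand-impersonation smishing indicators.

    Returns a dict with an integer score, a verdict and the reasons that fired.
    """
    lowered = text.lower()
    reasons = []
    score = 0

    mentioned = [brand for brand in BRAND_DOMAINS if brand in lowered]
    for url in URL_RE.findall(text):
        domain = registered_domain(url)
        # Brand named in the text but the link leaves the brand's own domains.
        for brand in mentioned:
            if domain not in BRAND_DOMAINS[brand]:
                score += 3
                reasons.append(f"mentions {brand!r} but links to {domain}")
        # Brand token embedded in an unlisted domain (e.g. usps-redelivery.top).
        squashed = domain.replace("-", "").replace(".", "")
        for brand, good in BRAND_DOMAINS.items():
            token = re.sub(r"[^a-z0-9]", "", brand)
            if token in squashed and domain not in good:
                score += 2
                reasons.append(f"lookalike domain {domain} contains {token!r}")

    hits = [term for term in URGENCY_TERMS if term in lowered]
    if hits:
        score += len(hits)
        reasons.append("urgency language: " + ", ".join(hits))

    verdict = "likely smishing" if score >= 3 else "no strong indicators"
    return {"score": score, "verdict": verdict, "reasons": reasons}


def scan(messages):
    """Score a batch of messages; returns one result dict per message."""
    return [score_sms(m) for m in messages]


if __name__ == "__main__":
    for msg, result in zip(SAMPLE_MESSAGES, scan(SAMPLE_MESSAGES)):
        print(f"[{result['score']:>2}] {result['verdict']}: {msg[:60]}")
        for reason in result["reasons"]:
            print("      -", reason)
```

The brand-versus-domain mismatch carries the most weight because it is the one signal a kit user cannot remove: the lure must name the brand to work, and the kit's domain set-up tools can only register domains the brand does not control. Urgency phrases alone never reach the threshold, which keeps ordinary "out for delivery" notices from being flagged.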