Google has filed a lawsuit to dismantle “Lighthouse”, a phishing-as-a-service (PhaaS) platform used by cybercriminals worldwide to steal credit card information through SMS phishing (“smishing”) attacks that impersonate the U.S. Postal Service (USPS) and E-ZPass toll systems.
The lawsuit aims to shut down the website infrastructure supporting the Lighthouse phishing-as-a-service (PhaaS), which Google says has affected over 1 million victims across 120 countries. It is estimated that these types of scams have stolen up to 115 million payment cards in the U.S. alone between July 2023 and October 2024 using these scams.
Google’s lawsuit has brought claims against the Lighthouse platform under federal racketeering and fraud statutes, including the Racketeer Influenced and Corrupt Organizations Act, Lanham Act, and the Computer Fraud and Abuse Act.
Lighthouse PhaaS used in toll and delivery scams
According to Google, Lighthouse offers phishing templates and infrastructure to other cybercriminals, allowing them to send text messages claiming to be from well-known services like USPS or toll payment systems like EZPass.
BleepingComputer has previously reported on such scams after massive phishing campaigns targeted people in the United States, claiming to be from toll authorities.
Source: BleepingComputer
The links in these smishing texts point to sites that impersonate toll authorities that claim the visitor has unsettled toll charges. However, the main goal of these sites is to steal personal information and credit card numbers for use in additional financial fraud.
Source: BleepingComputer
Google says it found at least 107 phishing website templates that feature its own branding to boost the sites’ reputations.
“They exploit the reputations of Google and other brands by illegally displaying our trademarks and services on fraudulent websites,” explains Google.
“We found at least 107 website templates featuring Google’s branding on sign-in screens specifically designed to trick people into believing the sites are legitimate.”
Researchers at Cisco Talos have previously linked Lighthouse to smishing kits developed by the Chinese threat actor known as “Wang Duo Yu,” who operates Telegram channels to sell and support the Lighthouse phishing kits.
Source: Cisco Talos
The phishing platform enables threat actors to send text messages via iMessage (iOS) and RCS (Android), potentially evading spam filters.
Talos reports that since October 2024, multiple threat actors have used Wang Duo Yu’s kits to run toll road scams across the United States, sending fake E-ZPass billing alerts to users in states including Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, and Kansas.
Talos observed thousands of typosquatted domains used in these scams, indicating the operation has continued through 2025.
Netcraft also reported that Wang Duo Yu marketed Lighthouse as a commercial phishing kit, with subscription prices ranging from $88 per week to $1,588 per year.
The platform supported customizable templates that could steal both login credentials and two-factor authentication (2FA) codes.
As first reported by Brian Krebs, the group previously operated under the name “Smishing Triad” before rebranding as Lighthouse in March 2025.
Similar campaigns have been attributed to other Chinese threat actors running phishing-as-a-service platforms, such as Darcula and Lucid.
However, Netcraft says that Lighthouse uses the same ‘LOAFING OUT LOUD’ fake shop template as Lucid, indicating a possible connection between the groups.
Google supports new U.S. policies
Google also announced today the support for several U.S. policy initiatives that aim to protect consumers from scams and foreign-based cybercrime:
- Guarding Unprotected Aging Retirees from Deception (GUARD) Act: Empowers state and local law enforcement to investigate fraud targeting retirees.
- Foreign Robocall Elimination Act: Creates a task force to block illegal robocalls originating overseas.
- Scam Compound Accountability and Mobilization (SCAM) Act: Establishes a national strategy to counter scam compounds and impose sanctions on operators.
Google says it is expanding its use of AI to detect scam messages, adding new protections in Google Messages, and improving account recovery through Recovery Contacts.
The company says it will also continue to provide public education and partnership efforts to help users recognize these types of scams.
As MCP (Model Context Protocol) becomes the standard for connecting LLMs to tools and data, security teams are moving fast to keep these new services safe.
This free cheat sheet outlines 7 best practices you can start using today.