Google files landmark lawsuit targeting China-based SMS phishing network

Google went after a massive text message scam operation Wednesday. Over one million people worldwide got hit by these criminals who’ve been sending fake texts to steal personal information.

Security researchers have a name for them: the “Smishing Triad.” Most of the operation’s running out of China. They’ve been hitting people in 120 countries with software called “Lighthouse” that pumps out fake texts designed to steal your info.

Google’s general counsel Halimah DeLaine Prado told CNBC what’s been happening. “They were preying on users’ trust in reputable brands such as E-ZPass, the U.S. Postal Service, and even us as Google,” she said. “The ‘Lighthouse’ enterprise or software creates a bunch of templates in which you create fake websites to pull users’ information.”

Google’s using everything they’ve got. The lawsuit cites the Racketeer Influenced and Corrupt Organizations Act, the Lanham Act, and the Computer Fraud and Abuse Act. They want courts to shut down the criminal operation and destroy the Lighthouse platform.

The scale is massive. Between 12.7 million and 115 million credit cards stolen. That’s just in the U.S.

“The idea is to prevent its continued proliferation, deter others from doing something similarly, as well as protect both the users and brands that were misused in these websites from future harm,” DeLaine Prado said.

Fake websites mimic trusted brands

Google found more than 100 fake website templates using their logo on login screens. Made the sites look legitimate so people wouldn’t get suspicious.

Investigators, both from Google and outside firms, looked into the operation. About 2,500 people connected to this scam were chatting on a public Telegram channel. Recruiting new members, sharing advice, and keeping Lighthouse working. All out in the open, according to DeLaine Prado.

They’ve got it set up like a business. There’s a “data broker” team building lists of who to target. Contact info, everything. The “spammers” send out the actual text messages. Then, a “theft” group takes the stolen login details and uses them for attacks. All coordinated through public Telegram channels.

Google is first major company to sue SMS scammers

Nobody’s filed a lawsuit like this before, Google says. They’re going after SMS phishing directly. But they’re not stopping at the courtroom. Three bills in Congress right now have Google’s support.

“While the lawsuit is one potential vector in which we can disrupt it, we also think that this type of cyber activity requires a policy-based approach,” DeLaine Prado said.

First one’s the Guarding Unprotected Aging Retirees from Deception Act. Second is the Foreign Robocall Elimination Act—would set up a task force targeting illegal robocalls from overseas. Third is the Scam Compound Accountability and Mobilization Act, which goes after scam operations and helps human trafficking survivors in those facilities.

This lawsuit is part of what Google’s been working on to get people aware of online threats. They just rolled out new safety tools. Key Verifier’s one. AI-powered spam detection in Google Messages is another.

The smartest crypto minds already read our newsletter. Want in? Join them.