Google Uses Courts, Congress to Counter Massive Smishing Campaign
2025-11-16 17:5:23 Author: securityboulevard.com

Google is taking a multi-pronged approach to stopping a widespread global smishing operation that targeted more than a million victims through text messages warning about undelivered packages at U.S. Postal Services or UPS centers or unpaid E-ZPass toll fees.

The IT giant said last week that it had filed a lawsuit in hopes of dismantling the Lighthouse phishing-as-a-service (PhaaS) kit that’s been used by a cybercrime group collectively called Smishing Triad.


A day later, Google’s general counsel, Halimah DeLaine Prado, said in an email sent to media outlets that there were indications that the lawsuit already was interrupting Lighthouse’s operations, calling it “a win for everyone. We will continue to hold malicious scammers accountable and protect consumers.”

Google added that a screenshot of a message written in Chinese and posted by the threat actors said that their “cloud server has been blocked due to malicious complaints.”

Racking Up Victims, Credit Cards

Lighthouse has been in operation since 2023, and over the past two years, it had collected more than a million victims from more than 120 countries and stolen between 12.7 million and 115 million credit cards in the United States, Prado wrote in a blog post. It was a five-fold increase in such attacks since 2020.

Security vendors have been tracking the operation since it emerged on the scene, with Resecurity writing in 2023 that “the Chinese-speaking threat actors behind this campaign are operating a package-tracking text scam sent via iMessage to collect personally identifying information (PII) and payment credentials from victims, in the furtherance of identity theft and credit card fraud.”

The threat group behind Lighthouse was named Smishing Triad because of its use of smishing tactics, meaning phishing via SMS text messages. Initially the attackers focused on package-tracking messages. However, in another report earlier this year, Resecurity tied Smishing Triad to a surge in fake text messages claiming that those targeted either owed money because of unpaid toll bills or could make payment through toll services FasTrak, E-ZPass, and I-Pass.

In both the undelivered package and unpaid toll scams, the goal was to steal victims’ personal and payment information when they paid what they believed were legitimate charges.

An Evolving Threat

Threat researchers with Palo Alto’s Unit 42 wrote last month that Smishing Triad’s operation was more extensive and complex than what had been reported and that it was continuing to evolve its operations by growing its international reach and improving its social engineering tactics. It also was expanding the range of services it impersonated to include banking, cryptocurrency platforms, e-commerce, healthcare, law enforcement, and social media.

“The campaign is highly decentralized, lacking a single point of control, and uses a large number of domains and a diverse set of hosting infrastructure,” the Unit 42 researchers wrote, noting that they had identified more than 194,000 malicious domains linked to this operation since the beginning of 2024. “Although these domains are registered through a Hong Kong-based registrar and use Chinese nameservers, the attack infrastructure is primarily hosted on popular U.S. cloud services.”

Silent Push researchers also noted Smishing Triad’s ongoing growth, writing earlier this year that it had targeted organizations in at least 121 countries, was introducing a banking-focused Lighthouse phishing kit, and bragged that it had at least 300 “front desk staff worldwide” supporting the Lighthouse kit. They also said the number of smishing messages sent each day by Smishing Triad was likely significantly more than the estimated 100,000 and that the group rotated its domains, with tens of thousands of them being live each day.

Google’s Prado wrote that the company’s “legal action is designed to dismantle the core infrastructure of this operation. We are bringing claims under the Racketeer Influenced and Corrupt Organizations Act, the Lanham Act, and the Computer Fraud and Abuse Act to shut it down, protecting users and other brands.”

Supporting Congressional Bills

At the same time, Google is also working with members of Congress to support three pending bills aimed at protecting U.S. citizens against the scams. One is designed to let states use federal grants to investigate financial fraud and scams that target retirees, while another would create a taskforce that would investigate how to block robocalls that originate in another country before they reach Americans.

The third would create a national strategy to address scam compounds, which are massive sites that lure people from other countries with such trickery as fake job ads and force them to participate in a range of scams, from those similar to what Smishing Triad runs to romance and investment scams.

In addition, Google launched new features that include using AI to detect and flag common scam messages like fake toll fees or package deliveries.



Article source: https://securityboulevard.com/2025/11/google-uses-courts-congress-to-counter-massive-smishing-campaign/