Long arm of the law finally starts to thwart smishing
How legal action and technology are trying to shut down global SMS phishing schemes
Takeaways
- Google filed a lawsuit against the Smishing Triad cybercrime group, targeting their phishing-as-a-service platform, Lighthouse, using the RICO Act, Lanham Act, and Computer Fraud and Abuse Act.
- Lighthouse has been operating since 2023 and is responsible for collecting millions of credit card numbers, with a fivefold increase in attacks since 2020 affecting victims in over 120 countries.
- Google is collaborating with Congress on pending legislation to better equip states and agencies to fight scams, including measures for investigating financial fraud, stopping international robocalls and addressing scam compounds.
- Google has enhanced its platform with AI tools to proactively detect and flag common scam messages, such as those related to toll fees or package deliveries.
There has been a lot of grousing over the years about the limited recourse that has been afforded by the legal system given the simple fact that cyberattacks can originate from almost anywhere. All too often, there has been precious little anyone can do to stop these attacks because the countries where they were launched from are not especially concerned about the impact they might have beyond their borders.
However, once in a great while some faith in the legal system is restored. As part of a multi-pronged effort to thwart a global smishing operation that targeted more than a million victims using text messages warning about undelivered packages or unpaid E-ZPass toll fees to solicit personal information and credit card numbers, Google filed a lawsuit that seeks to dismantle a phishing-as-a-service (PhaaS) platform known as Lighthouse that has been used by a cybercrime group dubbed Smishing Triad to launch these campaigns.
Impact of Google’s lawsuit against Smishing Triad
Specifically, Google has brought a claim under the Racketeer Influenced and Corrupt Organizations (RICO) Act, the Lanham Act and the Computer Fraud and Abuse Act to shut down Lighthouse. As part of this effort, Google also shared a message, posted in Chinese by the entity hosting Lighthouse, that said a “cloud server has been blocked due to malicious complaints.”
It’s not clear how that disruption was achieved because Lighthouse and other providers of similar PhaaS platforms make use of multiple cloud service providers, but the assumption is that providers of the cloud services used to launch these attacks are not all that keen to be named in a lawsuit. As a result, it would appear that cloud service providers are now paying more attention to how these syndicates are taking advantage of the infrastructure they make available and, just as importantly, moving to block that traffic.
Unfortunately, a lot of havoc has already been wrought. Lighthouse has been in operation since 2023, and over the past two years, it has collected between 12.7 million and 115 million credit cards in the United States. All told, there has been a fivefold increase in such attacks since 2020, impacting victims in more than 120 countries.
Legislative action and AI innovation strengthen anti-scam efforts
In addition to using existing laws to bring the perpetrators of these scams to justice, Google also revealed it is working with members of Congress to pass three pending bills aimed at protecting U.S. citizens against scams.
One is designed to let states use federal grants to investigate financial fraud and scams that target retirees, while another would create a task force that would investigate how to block robocalls that originate in another country before they reach Americans. The third would create a national strategy to address scam compounds, which are massive sites that lure people from other countries into participating in online scams involving everything from romance to financial investments.
Finally, Google has also added to its platform an ability to leverage artificial intelligence (AI) to detect and flag common scam messages involving, for example, toll fees or package deliveries.
Growing pressure to combat online scams
It’s too early to say what impact all these efforts will have on making the internet safer for the average unsuspecting citizen, but at the very least a message is being sent, particularly to internet and cloud service providers that might one day find themselves being accused of violating RICO statutes should it ever be proven they knew how their services were being used by malicious actors.
The simple, sad truth of the matter is that while it takes some effort to determine who owns the IT infrastructure used to launch these scams, it’s not impossible to determine. The issue then becomes having the force of will not only to inform the providers of these services of how they are being misused, but also to make it clear they will ultimately be held accountable.