Global technology giant Google, LLC, is bringing legal action against an alleged international cyber-criminal group that it claims has harmed Google’s reputation as well as its customers by stealing their personal and financial information through Internet scams.
While Google is still unaware of the true names of the group of defendants, the litigation indicates they are based in China.
In a case filed on Nov. 12 in the U.S. District Court for the Southern District of New York, Google is seeking an injunction to stop the criminal group, referred to in the lawsuit as “DOES 1-25.” The lawsuit claims that together, the group swindled thousands of victims out of millions of dollars and also hurt Google through the unauthorized use of its trademarks and services.
The litigation describes the phishing attacks disguised as ads, emails, or text messages alerting unsuspecting consumers to some type of problem with a delivery, an unpaid toll, or an E-commerce website that is actually fraudulent. Once customers click on the payment link, they lose not only their money, but all of their private information. The sites often mention a phony Google Pay option.
The lawsuit states that the defendants rely on a phishing software kit called “Lighthouse,” which offers users a “phishing for dummies” plan in exchange for a monthly licensing fee. The plan allegedly includes hundreds of templates for fake websites, domain set–up tools and other features to lure in consumers.
“The scale of Lighthouse phishing attacks is staggering. In a 20-day period, approximately 200,000 fraudulent websites created using Lighthouse were used to attract well over 1,000,000 potential victims in at least 121 countries,” the lawsuit states.
Google contends that as a result, up to 115 million credit cards may have been compromised in the United States alone. These Lighthouse-supported websites receive an average of 50,000 page visits daily.
Google claims that actions by the Lighthouse Enterprise and its group of cyber-criminals have also caused both financial and reputation damage to the company, and it has been devoting “substantial resources” to investigate and deal with this criminal activity.
“Defendants have incorporated Google logos into spoofed websites that are used to solicit victims’ personal financial information in New York and throughout the United States,” the lawsuit states. It also describes the defendants’ activities as “intentional, wrongful and illegal.”
The litigation describes how each faction of the Lighthouse Enterprise functions to accomplish its elaborate phishing schemes. It identified five specific groups: The Developer Group, which supplies the phishing software; The Data Broker Group, supplying the lists of potential targets; The Spammer Group, setting up the tools to send the fraudulent messages in volume; The Theft Group, which helps to monetize stolen information; and The Administrative Group, which runs an online community for collaboration and recruitment of new members.
One of Lighthouse’s most popular game plans includes the “Fake Delivery Scheme,” where scammers pretend to represent the U.S. Postal Service and request that consumers pay a fee in order to ensure delivery of their package.
A “Toll Scheme” involves a fake bill from toll collectors such as E-ZPass. Financial Institution Schemes aim to coax consumers to log into a phony website mimicking their bank to gain access to their account information. Another popular scam is the E-Commerce Scheme, which directs unsuspecting consumers to a fake website with bogus products.
“The Enterprise uses online advertising platforms—including Google Ads—to create ads that distribute links to their fraudulent e-commerce websites,” the lawsuit states. “Google has suspended Google Ads accounts that it has identified as being associated with the Enterprise.”
In addition to seeking damages from the Defendants, Google is also petitioning for a restraining order against the Defendants and their officers, agents and employees, as well as anyone in active participation with them.