{"id":5773,"date":"2025-11-13T02:36:02","date_gmt":"2025-11-13T02:36:02","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5773"},"modified":"2025-11-13T02:36:02","modified_gmt":"2025-11-13T02:36:02","slug":"google-asks-us-court-to-shut-down-lighthouse-phishing-as-a-service-operation","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5773","title":{"rendered":"Google asks US court to shut down Lighthouse phishing-as-a-service operation"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Google is asking a US court for help in dismantling the infrastructure behind the Lighthouse phishing-as-a-service operation, the latest effort by a technology company to use the legal system to put a dent in cybercrime.<\/p>\n<p>Whether it will do more than that is an open question.<\/p>\n<p>In a blog Monday, <a href=\"https:\/\/blog.google\/outreach-initiatives\/public-policy\/legal-action-and-legislation-fight-scammers\/\" target=\"_blank\" rel=\"noopener\">Google\u2019s general counsel Halimah DeLaine Prado said<\/a> the court action is needed because the gang behind this scam exploits Google and other brands by illegally displaying their trademarks and services on fraudulent websites.<\/p>\n<p>\u201cWe found at least 107 website templates featuring Google\u2019s branding on sign-in screens specifically designed to trick people into believing the sites are legitimate,\u201d she wrote.<\/p>\n<p>Threat actors who buy access to the Lighthouse service send text messages to people, including employees of organizations, with branding appearing to come from a legitimate provider. 
They hope the branding is convincing enough to induce an unwary person to click a link and share information such as email credentials, banking information and more.\u00a0<\/p>\n<h2 class=\"wp-block-heading\">Many court orders sought<\/h2>\n<p>Google\u2019s action follows that of other technology companies, most notably Microsoft, as well as some countries, to dampen the efforts of threat actors through the courts. For example, <a href=\"https:\/\/blogs.microsoft.com\/on-the-issues\/2025\/09\/16\/microsoft-seizes-338-websites-to-disrupt-rapidly-growing-raccoono365-phishing-service\/\" target=\"_blank\" rel=\"noopener\">in September, Microsoft got a court order allowing it to seize 338 websites<\/a> associated with the distribution of RaccoonO365, a phishing kit used to steal Microsoft 365 credentials. Since July 2024, RaccoonO365\u2019s kits have\u00a0been used to steal at least 5,000 Microsoft credentials from people in 94 countries, the company said.<\/p>\n<p>In January, Microsoft <a href=\"https:\/\/blogs.microsoft.com\/on-the-issues\/2025\/01\/10\/taking-legal-action-to-protect-the-public-from-abusive-ai-generated-content\/\" target=\"_blank\" rel=\"noopener\">got a US court order allowing it to seize a website<\/a> behind a foreign-based threat actor distributing tools for bypassing safety guardrails of generative AI services of several tech companies, including its own. 
The threat actor\u2019s software exploited exposed customer credentials scraped from public websites.<\/p>\n<p>And in August, <a href=\"https:\/\/www.justice.gov\/opa\/pr\/justice-department-announces-coordinated-disruption-actions-against-blacksuit-royal\" target=\"_blank\" rel=\"noopener\">the US Justice Department announced coordinated actions<\/a> against the BlackSuit (Royal) Ransomware group which included the takedown of four servers and nine domains, with the help of the FBI and international law enforcement agencies in the United Kingdom, Germany, Ireland, France, Canada, Ukraine, and Lithuania.\u00a0<\/p>\n<p>However, threat actors can be resilient. For example, in 2020 Microsoft, Symantec, ESET, communications provider NTT, and Lumen Technologies combined with others to <a href=\"https:\/\/www.security.com\/threat-intelligence\/trickbot-botnet-ransomware-disruption\" target=\"_blank\" rel=\"noopener\">get a US court order<\/a> directing web hosting providers to take down the IT infrastructure distributing the TrickBot botnet. 
But <a href=\"https:\/\/www.huntress.com\/cybersecurity-101\/what-is-trickbot\" target=\"_blank\" rel=\"noopener\">according to researchers at Huntress<\/a>, TrickBot is still being used by threat actors for remote access.<\/p>\n<p>The Google blog also said the company is urging the US Congress to adopt the Guarding Unprotected Aging Retirees from Deception (GUARD) Act, which would enable state and local law enforcement to utilize federal grant funding to investigate financial fraud and scams specifically targeting retirees; the Foreign Robocall Elimination Act, which would establish a taskforce focused on how to best block foreign-originated illegal robocalls before they ever reach American consumers; and the <a href=\"https:\/\/www.cbo.gov\/publication\/61864\" target=\"_blank\" rel=\"noopener\">Scam Compound Accountability and Mobilization<\/a> (SCAM) Act, which would develop a national strategy to counter scam compounds, enhance sanctions, and support survivors of human trafficking within these compounds. Scam compounds are physical installations where significant transnational criminal organizations carry out cyber-enabled fraud operations, frequently using the forced labor of victims of human trafficking.<\/p>\n<p>Google refused a request for an interview to get more details about its announcement, explaining it had nothing more to say beyond DeLaine Prado\u2019s blog.<\/p>\n<h2 class=\"wp-block-heading\">Will have \u2018minimal impact\u2019<\/h2>\n<p><a href=\"https:\/\/cypfer.com\/team-member\/ed-dubrovsky\/\" target=\"_blank\" rel=\"noopener\">Ed Dubrovsky<\/a>, chief operating officer of incident response firm Cypfer, is skeptical of the effectiveness of court action. 
Phishing-as-a-service operations don\u2019t have to be on American soil, he explained, so court orders and legislation will likely have minimal impact on smishing or phishing attacks.<\/p>\n<p>\u201cHowever,\u201d he added, \u201cI can understand that even small steps can lead to broader impact, and that might be why Google is taking these steps.\u201d<\/p>\n<p>But this and similar court actions won\u2019t change threat actor behavior or the need for IT departments to have controls to face cyber risks, he said.<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/kellman\/\" target=\"_blank\" rel=\"noopener\">Kellman Meghu,<\/a> principal security architect at Canadian incident response firm DeepCove Cybersecurity, believes Google and other tech firms around the world are looking to the courts and legislatures in part to stop scams, but also to protect themselves from being sued if they can shut down a criminal online service.<\/p>\n<p>\u201cThe reality now is that there is very little to no risk to running scams,\u201d he told CSO in an email, \u201csince the chance of suffering any ramifications is barely a reality. [Running a malicious online operation] gives attackers the chance to just keep trying things until eventually something works. 
Driving real legislation and legal impacts that can span borders would be very valuable to reduce this threat, if in fact they can build legislation that is effective, and could go a long way in reducing the risk of constant attempts to compromise users.\u201d<\/p>\n<p>But global efforts to fight cybercrime can only be effective if tech companies around the world work\u00a0with governments to share information on cybercrime, he added.<\/p>\n<p>However, he doubts many competitive technology suppliers would join an effort because they have a vested interest in saying that they are safer, better, faster than the competition, so they can sell more services.<\/p>\n<h2 class=\"wp-block-heading\">\u2018Any reduction in scams would help IT departments\u2019<\/h2>\n<p><a href=\"https:\/\/www.sans.org\/profiles\/dr-johannes-ullrich\" target=\"_blank\" rel=\"noopener\">Johannes Ullrich,<\/a> dean of research at the SANS Institute, said Google has a huge problem with scammers paying for ads that direct victims to fraudulent websites and malware. 
\u201cAny reduction in these scams would be a significant help to IT departments,\u201d he said, \u201cmaking it easier to defend networks against these scams.\u201d<\/p>\n<p>The proposed US legislation doesn\u2019t necessarily add any substantial new barriers for scammers, he added, but it would provide more funding for state and local law enforcement agencies that are often overwhelmed by complaints from victims of cybercrime.<\/p>\n<p>On the other hand, he argued that robocalls could be fought more effectively by telecommunication providers, without new legislation, and they have taken some steps to do so.<\/p>\n<p>The issue of scam compounds is likely not going to be significantly affected by any legislation, as they are too ephemeral and agile and would easily evade sanctions, he added.<\/p>\n<p>\u201cAmong the issues mentioned, the paid-for Google ads advertising malicious resources is by far the most significant problem for security teams,\u201d Ullrich said. \u201cGoogle must step up its game in blocking them, and finding legal ways to eradicate the origin may be more effective than the current \u2018whack the mole\u2019 tactic, which is not working.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Google is asking a US court for help in dismantling the infrastructure behind the Lighthouse phishing-as-a-service operation, the latest effort by a technology company to use the legal system to put a dent in cybercrime. Whether it will do more than that is an open question. 
In a blog Monday, Google\u2019s general counsel Halimah [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5774,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5773","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5773"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5773"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5773\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5774"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5773"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5773"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5773"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}