Google is asking a US court for help in dismantling the infrastructure behind the Lighthouse phishing-as-a-service operation, the latest effort by a technology company to use the legal system to put a dent in cybercrime.
Whether it will do more than that is an open question.
In a blog Monday, Google’s general counsel Halimah DeLaine Prado said the court action is needed because the gang behind this scam exploits Google and other brands by illegally displaying their trademarks and services on fraudulent websites.
“We found at least 107 website templates featuring Google’s branding on sign-in screens specifically designed to trick people into believing the sites are legitimate,” she wrote.
Threat actors who buy access to the Lighthouse service send text messages to people, including employees of organizations, with branding appearing to come from a legitimate provider. They hope the branding is convincing enough to induce an unwary person to click a link and share information such as email credentials, banking information and more.
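The lure pattern described above, as an added example that is not part of the original article and not Google's or any vendor's own tooling: a small Python scanner that flags text messages whose wording invokes a brand while the link's registrable domain is not one that brand actually owns. The brand allow-list, the sample messages and the two-label domain heuristic are constructed assumptions for illustration; a real deployment would use an authoritative domain inventory and the Public Suffix List.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list for the example: brand keyword -> registrable domains
# the brand legitimately uses for sign-in. A real deployment would maintain
# this from an authoritative inventory; these entries are illustrative only.
BRAND_DOMAINS = {
    "google": {"google.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com"},
}
ALL_LEGIT = set().union(*BRAND_DOMAINS.values())

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.
    Assumption for the example: no Public Suffix List is consulted, so a
    host under 'co.uk' would collapse to 'co.uk'; use a PSL library in practice."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_urls(text: str) -> list:
    """Pull http(s) links out of a message, trimming trailing punctuation."""
    return [m.rstrip(".,;:)]") for m in URL_RE.findall(text)]


def classify_url(url: str, message_text: str):
    """Return (brand, registrable_domain) when the message or link invokes a
    brand but the link lands on a domain that brand does not own, else None."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    reg = registrable_domain(host)
    if reg in ALL_LEGIT:
        return None  # link lands on a domain an allow-listed brand owns
    haystack = (host + " " + parsed.path + " " + message_text).lower()
    for brand in BRAND_DOMAINS:
        if brand in haystack:
            return (brand, reg)
    return None  # no allow-listed brand mentioned: outside this check's scope


def scan_messages(messages: list) -> list:
    """Return every (index, url, brand, registrable_domain) worth analyst review."""
    hits = []
    for i, text in enumerate(messages):
        for url in extract_urls(text):
            verdict = classify_url(url, text)
            if verdict:
                hits.append((i, url, *verdict))
    return hits


# Constructed sample texts modelled on the lure pattern: brand wording up
# front, followed by a link that may or may not belong to that brand.
SAMPLE_MESSAGES = [
    "Google: new sign-in detected. Review it at https://accounts.google.com/signin",
    "Google Security: confirm your identity https://google.com-verify.example/login.",
    "Your Microsoft 365 password expires today: http://login.microsoft-auth.example/reset",
    "Your parcel is waiting: http://tracking.example/abc123",
    "Google Pay: payment failed, update your card at https://billing.example/update",
]

if __name__ == "__main__":
    for idx, url, brand, domain in scan_messages(SAMPLE_MESSAGES):
        print(f"message {idx}: '{brand}' wording but link domain {domain} -> {url}")
```

The check deliberately treats a brand name anywhere in the message body, not just in the hostname, as a mismatch signal, because the lure text carries the branding while the link points elsewhere; messages that mention no allow-listed brand fall outside its scope and need a separate control.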
Many court orders sought
Google’s action follows that of other technology companies, most notably Microsoft, as well as some countries, to dampen the efforts of threat actors through the courts. For example, in September, Microsoft got a court order allowing it to seize 338 websites associated with the distribution of RaccoonO365, a phishing kit used to steal Microsoft 365 credentials. Since July 2024, RaccoonO365’s kits have been used to steal at least 5,000 Microsoft credentials from people in 94 countries, the company said.
In January, Microsoft got a US court order allowing it to seize a website behind a foreign-based threat actor distributing tools for bypassing safety guardrails of generative AI services of several tech companies, including its own. The threat actor’s software exploited exposed customer credentials scraped from public websites.
And in August, the US Justice Department announced coordinated actions against the BlackSuit (Royal) ransomware group, which included the takedown of four servers and nine domains, with the help of the FBI and international law enforcement agencies in the United Kingdom, Germany, Ireland, France, Canada, Ukraine, and Lithuania.
However, threat actors can be resilient. For example, in 2020 Microsoft, Symantec, ESET, communications provider NTT, and Lumen Technologies joined with others to get a US court order directing web hosting providers to take down the IT infrastructure distributing the TrickBot botnet. But according to researchers at Huntress, TrickBot is still being used by threat actors for remote access.
The Google blog also said the company is urging the US Congress to adopt three bills: the Guarding Unprotected Aging Retirees from Deception (GUARD) Act, which would enable state and local law enforcement to use federal grant funding to investigate financial fraud and scams specifically targeting retirees; the Foreign Robocall Elimination Act, which would establish a taskforce focused on how best to block foreign-originated illegal robocalls before they ever reach American consumers; and the Scam Compound Accountability and Mobilization (SCAM) Act, which would develop a national strategy to counter scam compounds, enhance sanctions, and support survivors of human trafficking within these compounds. Scam compounds are physical installations where significant transnational criminal organizations carry out cyber-enabled fraud operations, frequently using the forced labor of victims of human trafficking.
Google refused a request for an interview to get more details about its announcement, explaining it had nothing more to say beyond DeLaine Prado’s blog.
Will have ‘minimal impact’
Ed Dubrovsky, chief operating officer of incident response firm Cypher, is skeptical of the effectiveness of court action. Phishing-as-a-service operations don’t have to be on American soil, he explained, so court orders and legislation will likely have minimal impact on smishing or phishing attacks.
“However,” he added, “I can understand that even small steps can lead to broader impact, and that might be why Google is taking these steps.”
But this and similar court actions won’t change threat actor behavior or the need for IT departments to have controls to face cyber risks, he said.
Kellman Meghu, principal security architect at Canadian incident response firm DeepCove Cybersecurity, believes Google and other tech firms around the world are looking to the courts and legislatures in part to stop scams, but also to protect themselves from being sued if they can shut down a criminal online service.
“The reality now is that there is very little to no risk to running scams,” he told CSO in an email, “since the chance of suffering any ramifications is barely a reality. [Running a malicious online operation] gives attackers the chance to just keep trying things until eventually something works. Driving real legislation and legal impacts that can span borders would be very valuable to reduce this threat, if in fact they can build legislation that is effective, and could go a long way in reducing the risk of constant attempts to compromise users.”
But global efforts to fight cybercrime can only be effective if tech companies around the world work with governments to share information on cyber crime, he added.
However, he doubts many competitive technology suppliers would join an effort because they have a vested interest in saying that they are safer, better, faster than the competition, so they can sell more services.
‘Any reduction in scams would help IT departments’
Johannes Ullrich, dean of research at the SANS Institute, said Google has a huge problem with scammers paying for ads that direct victims to fraudulent websites and malware. “Any reduction in these scams would be a significant help to IT departments,” he said, “making it easier to defend networks against these scams.”
The proposed US legislation doesn’t necessarily add any substantial new barriers for scammers, he added, but it would provide more funding for state and local law enforcement agencies that are often overwhelmed by complaints from victims of cybercrime.
On the other hand, he argued that robocalls could be fought more effectively by telecommunication providers, without new legislation, and they have taken some steps to do so.
The issue of scam compounds is likely not going to be significantly affected by any legislation, as they are too ephemeral and agile and would easily evade sanctions, he added.
“Among the issues mentioned, the paid-for Google ads advertising malicious resources is by far the most significant problem for security teams,” Ullrich said. “Google must step up its game in blocking them, and finding legal ways to eradicate the origin may be more effective than the current ‘whack the mole’ tactic, which is not working.”