Scam USPS and E-Z Pass Texts and Websites

Google has filed a complaint in court that details the scam:

In a complaint filed Wednesday, the tech giant accused “a cybercriminal group in China” of selling “phishing for dummies” kits. The kits help unsavvy fraudsters easily “execute a large-scale phishing campaign,” tricking hordes of unsuspecting people into “disclosing sensitive information like passwords, credit card numbers, or banking information, often by impersonating well-known brands, government agencies, or even people the victim knows.”

These branded “Lighthouse” kits offer two versions of software, depending on whether bad actors want to launch SMS and e-commerce scams. “Members may subscribe to weekly, monthly, seasonal, annual, or permanent licenses,” Google alleged. Kits include “hundreds of templates for fake websites, domain set-up tools for those fake websites, and other features designed to dupe victims into believing they are entering sensitive information on a legitimate website.”

Google’s filing said the scams often begin with a text claiming that a toll fee is overdue or a small fee must be paid to redeliver a package. Other times they appear as ads—­sometimes even Google ads, until Google detected and suspended accounts—­luring victims by mimicking popular brands. Anyone who clicks will be redirected to a website to input sensitive information; the sites often claim to accept payments from trusted wallets like Google Pay.

Tags: , , , ,

Posted on November 20, 2025 at 7:07 AM4 Comments

Comments

KC November 20, 2025 11:23 AM

Ars Technica: ‘Lighthouse schemes have resulted in losses of over a billion dollars.

Oddly enough, Lighthouse is also the name of a Google open source tool for web developers.

I hark back to the time Russia fined Google for $20,000,000,000,000,000,000,000,000,000,000,000.

Brian Krebs reported that the e-crime group behind Lighthouse has had something close to 25,000 active phishing domains rotating over an 8-day period. Half of them hosted by Tencent and Alibaba. Krebs’ article also has a link to the lawsuit.

Clive Robinson November 20, 2025 4:00 PM

@ ALL,

I must admit I find all these lawsuits some what amusing.

China for instance does not recognise US court decisions in the main and Trumpetta or equivalent throwing toys out of the pram is not going to change that.

The US believes quite incorrectly that it has world wide dominion for it’s legislation and writ, when in reality other countries will just ignore it.

Thus the acid question is,

“What in reality has actually of any note been achieved?”

A fun thing people can do is work out “how anything can be done” then see if it can be made to work across foreign boarders if the foreign country decides to,

“Not play, with the USA”

Basically it all comes down to what is in effect,

“A Balkanization of the Internet.”

Which will hurt the US Silicon Valley Mega Corps thus the US economy, more than it will the foreign country.

Which then only leaves the US with,

1, Gun boat diplomacy
2, Invasion and coup
3, Forced change of political leadership.

I guess we are going to have to “wait and see” what actually plays out…

iPass November 21, 2025 8:15 AM

@Clive

Is this any different than the EU Commission? They don’t legislate the world anymore? No more GPDR popups!

Clive Robinson November 21, 2025 9:46 AM

@ iPass, ALL,

With regards the EU GDPR and UK version of the GDPR… They don’t apply globally, just to those who are citizens within the EU&UK and those businesses and agencies carrying out activities in the EU&UK involving the details of those in the EU&UK.

So all within the EU&UK where the EU&UK legislators have lawfull and legal jurisdiction.

The fact you see,

“GPDR popups!”

Outside of the EU&UK jurisdictions is due to those supplying the service not the “EU Commission” you are seeing the popup on.

Further if you are in North America you will find that the Governments there previously signed the “Safe Harbour” Treaties with the EU. And the service providers the American Government was responsible for were then caught repeatedly breaking the rules.

The fact American legislators willfully chose not to act lawfully was the reason the GDPR was brought in, in the first place… And the fine system used is actually fair when you see how the US Service providers in particular try to “off shore” things in often questionable if not unlawful Tax Avoidant ways so they do not pay taxes where they should.

So if the American Corporates actually paid their dues then the fine system would have been significantly different.

But other jurisdictions are now bringing in similar legislation and fine systems to the GDPR… So I can only assume that they see American Corporates in the same bad behaviour light.

I think it’s safe to say that in some small part the “downer” on VPN systems the EU is exhibiting is due to these tax avoidant corps.

Because the next logical step is to block all the American Corps traffic when they transgress.

Will such activities kill American Social media, probably not but it will kick them in “the pain points”.

In effect like it or not American Corps are going to cause, or drive forward, or both, the “Balkanization of the Internet” with their unlawful rapacious ways.

Leave a comment

Blog moderation policy

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.