Executive Summary
In November 2025, Google filed a civil complaint in U.S. federal court against a China-based cybercriminal group alleged to have developed and sold the 'Lighthouse' Phishing-as-a-Service (PaaS) kit. The kit lets low-skilled affiliates run large-scale smishing (SMS phishing) and e-commerce scams by supplying phishing-page templates, domain setup tooling, and spoofed websites that impersonate trusted brands such as USPS and E-ZPass. Victims receive texts about an unpaid toll or a package that could not be delivered and are sent to realistic look-alike sites that harvest login credentials and payment-card details. The campaign also abused legitimate advertising and payment channels, which extended its reach and lent the lures credibility.
The incident underscores the growing sophistication of PaaS offerings, which lower the barrier to entry for cybercrime and accelerate the spread of phishing campaigns. As threat actors automate their attack chains and impersonate reputable organizations, enterprises must respond with real-time detection, segmented network defenses, and phishing-resistant authentication.
Why This Matters Now
Phishing-as-a-Service operations like Lighthouse put brand-quality lures, hosting, and domain tooling in the hands of anyone who pays a monthly fee, driving credential theft and payment fraud at a scale manual campaigns never reached. Because the kits are updated faster than blocklists and signature-based controls, they pose an immediate risk to organizations, consumers, and critical infrastructure, and they call for an upgrade of both security posture and user awareness programs.
Attack Path Analysis
Attackers used Lighthouse kits to distribute branded SMS lures that sent victims to fake login or payment pages, where credentials and card data were entered and captured (Initial Compromise). Harvested credentials and payment details can then be replayed against the victim's real accounts and, where the victim is an employee, against corporate cloud or SaaS resources (Privilege Escalation). If that access reaches an internal environment, the same credentials allow movement across cloud or application boundaries (Lateral Movement). The kit's phishing pages posted captured data to operator-controlled backend infrastructure over ordinary outbound web connections (Command & Control), and that same channel carried authentication tokens, passwords, and financial details out of the victim's session (Exfiltration). The result was financial loss, account takeover, and downstream fraud against the victims (Impact). The privilege escalation and lateral movement stages describe the exposure an enterprise faces if a victim holds corporate access; the sources cited below describe consumer-facing credential and card theft rather than confirmed intrusions into enterprise networks.
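The lure stage described above, and the URL filtering listed later under Mitigations, reduce to one question a messaging gateway or egress filter can answer mechanically: does a text that invokes a brand link to a domain that brand actually owns? The script below is an added example, not code from Google's complaint or from any vendor product. The brand allowlist, the sample messages and their reserved .example domains are constructed assumptions, and the registrable-domain logic is deliberately naive (no Public Suffix List), as the comments note.

```python
"""Smishing lure triage: flag SMS texts whose links impersonate a brand.

Added example, not code from Google's complaint or from any vendor product.
The brand allowlist, the sample messages and their .example domains are
constructed for illustration; maintain a verified allowlist in production.
"""
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Brand key -> registrable domains the brand is assumed to use (illustrative).
BRAND_DOMAINS = {
    "usps": {"usps.com"},
    "ezpass": {"e-zpassiag.com"},
}

# Pressure wording typical of the lures described on this page.
URGENCY_WORDS = ("overdue", "unpaid", "fee", "held", "redeliver", "suspend",
                 "final notice", "pay now", "24 hours")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def brands_mentioned(text: str) -> set:
    """Brand keys referenced in text; E-ZPass is spelled many ways in lures."""
    t = text.lower()
    found = set()
    if "usps" in t or "postal service" in t:
        found.add("usps")
    if re.search(r"e[\s-]?z[\s-]?pass", t) or "toll" in t:
        found.add("ezpass")
    return found


def registrable_domain(url: str) -> str:
    """Last two host labels. Naive on purpose: real code needs the Public
    Suffix List so that e.g. 'example.co.uk' is not reduced to 'co.uk'."""
    host = (urlsplit(url).hostname or "").lower().strip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def triage_sms(message: str) -> dict:
    """Score one SMS: +1 urgency wording, +3 per brand lure pointing off-brand,
    +1 when the off-brand domain visually resembles the real one."""
    score, reasons = 0, []
    text_brands = brands_mentioned(message)
    urgency = [w for w in URGENCY_WORDS if w in message.lower()]
    if urgency:
        score += 1
        reasons.append("urgency wording: " + ", ".join(urgency))
    for url in URL_RE.findall(message):
        dom = registrable_domain(url)
        for brand in text_brands | brands_mentioned(dom):
            official = BRAND_DOMAINS[brand]
            if dom in official:
                continue  # link really goes to the brand; nothing to flag
            score += 3
            reasons.append(f"{brand} lure links to non-brand domain {dom}")
            base = dom.split(".")[0]
            for real in official:
                ratio = SequenceMatcher(None, base, real.split(".")[0]).ratio()
                if ratio >= 0.75:  # typosquat / near-match of the brand label
                    score += 1
                    reasons.append(f"{dom} resembles {real} ({ratio:.2f})")
    return {"score": score, "suspicious": score >= 3, "reasons": reasons}


# Constructed sample messages (not real captures); .example is a reserved TLD.
SAMPLES = [
    "USPS: your parcel is held at our facility due to an incomplete address. "
    "Redeliver within 24 hours: https://usps-redelivery-update.example/track",
    "E-ZPass Final Notice: you have an unpaid toll of $6.99. Pay now to avoid "
    "a late fee: https://ezpass-pay.example/bill",
    "Your USPS package was delivered. Details: "
    "https://tools.usps.com/go/TrackConfirmAction",
    "Reminder: dentist appointment tomorrow at 10am. Reply C to confirm.",
    "Postal Service notice: your item could not be delivered. "
    "https://uspss.example/redeliver",
]


def triage_all(messages=SAMPLES) -> list:
    """Triage every sample; returns one verdict dict per message."""
    return [triage_sms(m) for m in messages]


if __name__ == "__main__":
    for msg, verdict in zip(SAMPLES, triage_all()):
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"[{flag}] score={verdict['score']} {msg[:60]}...")
        for r in verdict["reasons"]:
            print("   -", r)
```

The scoring is intentionally simple: the decisive signal is a brand mention paired with a link whose registrable domain is not on that brand's allowlist, which is exactly what the templated USPS and E-ZPass lures produce. Urgency wording and typosquat similarity only add weight. A legitimate USPS tracking text scores zero because its link resolves to usps.com, so the heuristic does not depend on a blocklist that the kit operators can outrun by registering new domains.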
Kill Chain Progression
Initial Compromise
Description
Attackers used the kit to stand up convincing branded sites and the SMS lures that send recipients to them, where credentials and payment information are harvested.
MITRE ATT&CK® Techniques
Phishing: Spearphishing Link (T1566.002)
Phishing: Spearphishing via Service (T1566.003), delivered over SMS
Phishing (Mobile ATT&CK, T1660)
User Execution: Malicious Link (T1204.001)
Obtain Capabilities: Tool (T1588.002), purchase of the PaaS kit
Acquire Infrastructure: Domains (T1583.001), look-alike domains created with the kit's setup tools
Masquerading: Match Legitimate Name or Location (T1036.005) and Impersonation (T1656), brand spoofing of USPS and E-ZPass
Exfiltration Over C2 Channel (T1041), harvested data posted to the kit's backend
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks; the references below are the controls most directly engaged by credential and payment-card phishing.
PCI DSS 4.0 – Anti-Phishing Mechanisms and Security Awareness
Control ID: 5.4.1 (mechanisms to detect and protect personnel against phishing); 12.6.3.1 (awareness training covering phishing and social engineering)
NYDFS 23 NYCRR 500 – Cybersecurity Program
Control ID: 500.02 (Cybersecurity Program); 500.12 (Multi-Factor Authentication); 500.14 (Monitoring and Training)
DORA (Digital Operational Resilience Act) – Protection and Prevention
Control ID: Art. 9 (protection and prevention), within the ICT risk management framework required by Art. 6
CISA ZTMM 2.0 – Identity Pillar, Authentication Function
Control ID: Identity Pillar: Authentication (the ZTMM has no numbered control IDs; phishing-resistant MFA is the Advanced-to-Optimal maturity target)
NIS2 Directive – Cyber Hygiene, Training and Multi-Factor Authentication
Control ID: Article 21(2)(g) (basic cyber hygiene practices and cybersecurity training); Article 21(2)(j) (multi-factor or continuous authentication)
Sector Implications
Industry-specific impact of the campaign, including operational, regulatory, and cloud security risks.
Package/Freight Delivery
Fake USPS redelivery texts exploit a trusted delivery brand. The carrier's own systems are not breached, but it absorbs the customer-trust damage and support load, and organizations whose staff receive the lures on managed devices need egress filtering and threat detection to keep the landing pages unreachable.
Transportation
E-ZPass toll-scam impersonation erodes customer trust in legitimate payment reminders and feeds stolen card data back into payment systems; toll operators and their partners need zero trust segmentation and encrypted-traffic inspection around those systems.
Financial Services
Lighthouse kits harvest banking logins and payment-card data, so financial institutions face account takeover and card fraud at scale; multicloud visibility and anomaly detection on transaction flows support both fraud controls and transaction-monitoring obligations.
Internet
Google's complaint highlights abuse of legitimate platforms, including malicious advertising and domain spoofing, to distribute the lures; platform operators and their customers need cloud firewall protection and inline IPS coverage for the resulting traffic.
Sources
- Scam USPS and E-Z Pass Texts and Websites (Schneier on Security): https://www.schneier.com/blog/archives/2025/11/scam-usps-and-e-z-pass-texts-and-websites.html
- Google sues China-based hackers it says stole $1 billion (Tom's Hardware): https://www.tomshardware.com/tech-industry/cyber-security/google-sues-chinese-hacker-group-it-says-stole-usd1-billion-from-a-million-victims-in-121-countries-lighthouse-platform-offers-phishing-services-to-crooks-for-a-monthly-fee
- Google lawsuit accuses China-based cybercriminals of massive text-message phishing scams (CBS News): https://www.cbsnews.com/news/google-lawsuit-text-message-phishing-attacks/
- Google sues to dismantle Chinese phishing platform behind US toll scams (BleepingComputer): https://www.bleepingcomputer.com/news/security/google-sues-to-dismantle-chinese-phishing-platform-behind-us-toll-scams/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero trust segmentation, egress policy enforcement, threat detection, and identity-aware controls limit what an adversary can do with phished credentials: they confine the compromised identity, intercept east-west movement, and block exfiltration of sensitive data, disrupting several stages of the kill chain rather than only the initial lure. These are enterprise controls; they protect an organization whose employees are phished or whose services see the stolen credentials replayed, not a consumer entering card details into a look-alike site from a personal phone.
Control: Cloud Firewall (ACF)
Mitigation: Blocks known phishing domains and lure URLs at the cloud perimeter, so a link clicked from a managed device never reaches the landing page.
Control: Zero Trust Segmentation
Mitigation: Restricts movement and privilege escalation with identity-based policies, so a phished credential grants only the access its owner legitimately needs.
Control: East-West Traffic Security
Mitigation: Detects and blocks unauthorized lateral movement between workloads.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks, or alerts on, outbound connections to known-bad destinations, including the kit's data-collection backends.
Control: Inline IPS (Suricata)
Mitigation: Detects and terminates identified exfiltration flows in line.
Control: Threat Detection
Mitigation: Detects anomalous access with phished credentials and enables rapid response to limit user impact.
Impact at a Glance
Affected Business Functions
- Customer Service
- Payment Processing
- Logistics Management
Estimated downtime: 7 days
Estimated loss: $1,000,000,000
Google's complaint states that the Lighthouse platform was used to steal sensitive personal and financial information from more than one million victims across 121 countries, and estimates that between 12.7 million and 115 million U.S. credit cards were compromised.
Recommended Actions
Key Takeaways & Next Steps
- Enforce granular egress policies and URL filtering to block access to phishing infrastructure and look-alike domains.
- Require phishing-resistant MFA (FIDO2/WebAuthn or equivalent) for user and administrator accounts; a password plus an SMS or TOTP code typed into a look-alike page is still captured and relayed, while an origin-bound authenticator will not sign for the wrong site.
- Implement Zero Trust Segmentation so that a compromised credential cannot be used for privilege escalation or lateral movement.
- Apply East-West Traffic Security to restrict and monitor workload-to-workload communication in cloud and hybrid environments.
- Deploy intrusion prevention and anomaly detection to identify and stop abnormal data flows and exfiltration at network speed.
- Centralize visibility and incident response across multicloud resources for rapid containment and continuous compliance monitoring.
- Brief customers and staff on the current lure themes (unpaid tolls, held packages) and publish the official domains the organization uses for notifications, so recipients have something concrete to check a link against.