Sue The Hackers Google Sues Over Phishing as a Service Security Boulevard
pThe Home of the Security Bloggers NetworkppHome Cybersecurity Sue The Hackers Google Sues Over Phishing as a ServiceppWhen something goes wrong after exhausting all other possible alternatives a company may go to its lawyer with the silliest question you can ever ask a lawyer Can I sueThe basic answer is if it moves sue it If it doesnt move move it then sue it And when asked What would I sue for the answer is For a real long timeOf course this is a bit facetious Lawyers are required to have a good faith belief backed by evidence and a reasonable investigation that they have a proper cause of action before filing a lawsuit But civil litigation has increasingly complemented criminal investigations in hacking and related cases Even when getting an award of damages is unlikely civil litigation can result in injunctive relief discovery and help prevent future harmppOn November 12 2025 Google filed a lawsuit in the Southern District of New York against the operators of a massive PhishingasaService platform called Lighthouse It wasnt just trying to make a point It was making a move The complaint reads like a hybrid between a hacking indictment and a racketeering case Lighthouse Google alleged sold readymade phishing kits that impersonated brands like EZPass USPS and Google itself complete with signin screens using Googles trademarks Those kits rented out to criminals worldwide helped steal credentials and credit card data from millions of users Googles legal response Dont just wait for law enforcement Sue the hackersThe companys lawsuit Google LLC v Does 125 No 125cv09421 SDNY filed Nov 12 2025 uses a threepronged legal attack the Computer Fraud and Abuse Act CFAA the Lanham Act trademark law and the Racketeer Influenced and Corrupt Organizations Act RICO Each plays a different role one targeting unauthorized access another targeting brand misuse and a third treating the entire Lighthouse operation as an organized criminal enterprise Googles goal isnt just to win damages its to get injunctions that let it seize or disable the domains servers and hosting accounts that make Lighthouse run In a world where many hackers are overseas and beyond extradition civil courts are becoming a new battlefieldppWhen hackers compromise a companys systems the instinct is to call the FBI or Secret Service Thats appropriate but its also limited most cybercriminals are never prosecuted especially those operating from countries that refuse extradition Civil litigation offers another option The idea is to use existing laws criminal statutes that also provide private rights of action intellectual property protections and even contract law to strike back through the courtsGoogles Lighthouse case is the latest in a line of creative civil suits brought by tech companies that refuse to wait for indictments Microsoft Meta Cisco and others have spent more than a decade using civil law to dismantle infrastructure seize domains and expose actors behind major cyber operationsThe approach is not symbolic its operational Courts can issue injunctions faster than international law enforcement can coordinate arrests and once a domain or hosting provider is under a court order the infrastructure itself can be neutralized In recent years many different strategies have been deployed using various federal or state laws to help private entities go after hackers or other digital threats Here are a fewppThe CFAA 18 USC 1030 is the backbone of antihacking law It criminalizes unauthorized access to protected computers and crucially allows victims to file their own lawsuits Section 1030g lets companies seek damages and injunctive relief if they can show loss or damage from the intrusionMicrosoft used the CFAA to take down multiple botnets including Rustock Zeus and Necurs In Microsoft Corp v John Does 111 2012 WL 5497956 ED Va Nov 13 2012 the court approved an injunction allowing Microsoft to seize servers inside US data centers Those actions crippled spam and credentialstealing networks by rerouting commandandcontrol traffic to sinkhole servers controlled by Microsoft and its partners Googles Lighthouse lawsuit applies the CFAA to a different problem phishing kits and smishing campaigns By alleging that Lighthouses fake Google login pages constitute unauthorized access attempts and cause damage to protected computers Google uses the same law to attack the infrastructure of fraud rather than malware itselfppThe Lanham Act 15 USC 1125a is typically used to stop counterfeit goods or false advertising not cybercrime But in phishing operations brand impersonation is the point of the crime Googles complaint highlights more than a hundred phishing templates bearing Googles logos and userinterface designs By using these marks to deceive victims Lighthouse didnt just commit fraud it violated trademark law Thats a key legal move because trademark violations give US courts the power to seize domains and issue injunctions without needing to prove computer access or hacking intentTrademark law also has a global reach Courts routinely transfer infringing domains and order registrars to shut down counterfeit websites Microsoft Cisco and Meta have all used the Lanham Act in tandem with the CFAA to target domains that impersonate their productsThis tactic reframes phishing and fraud as a form of brand abuse For companies that own globally recognized marks its a way to make trademark law part of cybersecurity responseppThe Racketeer Influenced and Corrupt Organizations Act RICO 18 USC 196168 was designed for organized crime but its found new life in cyber litigation RICO allows private plaintiffs to sue for treble damages when theyre harmed by a pattern of racketeering activity which can include wire fraud identity theft and computer intrusion Microsoft used RICO successfully in its botnet cases Googles Lighthouse lawsuit uses it too arguing that Lighthouse is an enterprise engaged in ongoing criminal activity a service that knowingly enables and profits from phishing Civil RICO cases carry powerful remedies broad injunctive relief asset freezes and discovery tools that can reach intermediaries such as domain registrars and payment processors In effect it turns the hacker ecosystem into a racketeering network allowing companies to target not just the enduser criminals but the infrastructure providers who profit from themppMany states including California have their own computercrime statutes that allow private suits Californias Comprehensive Computer Data Access and Fraud Act Cal Penal Code 502 mirrors the CFAA and often accompanies federal claims Meanwhile contract law provides another option When attackers create fake accounts scrape data or misuse APIs they typically violate the platforms Terms of Service That creates a civil breach of contractIn Facebook Inc v Basafa No 519cv03414 ND Cal 2020 Meta sued Iranian nationals who ran fake Instagram engagement services Because the defendants agreed to Instagrams terms when registering their automated abuse became a breach of contract The court issued a permanent injunction giving Meta the authority to seize and disable their domainsppThe most important takeaway from the Lighthouse case and the decade of litigation that led to it is that civil law is becoming part of the cybersecurity toolkit Security teams already gather the evidence needed for these cases IP addresses phishing domains code samples and transaction data That same evidence can support legal claims that get realworld resultsppThe Lighthouse complaint marks an evolution What began as a fight against spam and botnets has matured into a global legal strategy that treats cybercrime as organized commercial fraud It leverages civil law to do what law enforcement alone cannot disrupt unmask and dismantle at scaleThere is no guarantee Google will ever collect damages or identify the individuals behind Lighthouse But that may not matter The real power lies in the injunctions the ability to get a court order that forces domain registrars and hosting providers to shut the network down In short the case illustrates a new era of active defense through civil litigation In cyberspace where criminal law often stops at the border companies are discovering that the courthouse may be the most effective weapon left All while you work with the FBI and other law enforcement agencies as well ppMark Rasch is a lawyer and computer security and privacy expert in Bethesda Maryland where he helps develop strategy and messaging for the Information Security team
Raschs career spans more than 35 years of corporate and government cybersecurity computer privacy regulatory compliance computer forensics and incident response He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions VES He is recognized author of numerous security and privacyrelated articles Prior to joining Verizon he taught courses in cybersecurity law policy and technology at various colleges and Universities including the University of Maryland George Mason University Georgetown University and the American University School of law and was active with the American Bar Associations Privacy and Cybersecurity Committees and the Computers Freedom and Privacy Conference
Rasch had worked as cyberlaw editor for SecurityCurrentcom as Chief Privacy Officer for SAIC and as Director or Managing Director at various information security consulting companies including CSC FTI Consulting Solutionary Predictive Systems and Global Integrity Corp
Earlier in his career Rasch was with the US Department of Justice where he led the departments efforts to investigate and prosecute cyber and hightechnology crime starting the computer crime unit within the Criminal Divisions Fraud Section efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division He was responsible for various highprofile computer crime prosecutions including Kevin Mitnick Kevin Poulsen and Robert Tappan Morris
Prior to joining Verizon Mark was a frequent commentator in the media on issues related to information security appearing on BBC CBC Fox News CNN NBC News ABC News the New York Times the Wall Street Journal and many other outletsppmark has 235 posts and countingSee all posts by markppppppEnter the destination URLppOr link to existing contentp
Raschs career spans more than 35 years of corporate and government cybersecurity computer privacy regulatory compliance computer forensics and incident response He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions VES He is recognized author of numerous security and privacyrelated articles Prior to joining Verizon he taught courses in cybersecurity law policy and technology at various colleges and Universities including the University of Maryland George Mason University Georgetown University and the American University School of law and was active with the American Bar Associations Privacy and Cybersecurity Committees and the Computers Freedom and Privacy Conference
Rasch had worked as cyberlaw editor for SecurityCurrentcom as Chief Privacy Officer for SAIC and as Director or Managing Director at various information security consulting companies including CSC FTI Consulting Solutionary Predictive Systems and Global Integrity Corp
Earlier in his career Rasch was with the US Department of Justice where he led the departments efforts to investigate and prosecute cyber and hightechnology crime starting the computer crime unit within the Criminal Divisions Fraud Section efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division He was responsible for various highprofile computer crime prosecutions including Kevin Mitnick Kevin Poulsen and Robert Tappan Morris
Prior to joining Verizon Mark was a frequent commentator in the media on issues related to information security appearing on BBC CBC Fox News CNN NBC News ABC News the New York Times the Wall Street Journal and many other outletsppmark has 235 posts and countingSee all posts by markppppppEnter the destination URLppOr link to existing contentp
