Cisco Talos has uncovered an ongoing financial theft campaign targeting toll road users across the United States through SMS phishing, or “smishing,” attacks.
This campaign, active since October 2024, impersonates toll payment services to steal sensitive user information.
The Smishing Scheme Unveiled
The attackers send fraudulent SMS messages claiming that victims owe small amounts—typically under $5—for unpaid tolls.
These messages warn of late fees and direct recipients to spoofed websites designed to mimic legitimate toll service platforms like E-ZPass.
Upon visiting these sites, victims are prompted to solve a fake CAPTCHA before being redirected to a webpage displaying a fabricated bill.
The bill includes the victim’s name and warns of a $35 late payment fee, urging them to proceed with payment.
Once victims click “Proceed Now,” they are taken to another fake page where they are asked to provide personal details such as their name, address, phone number, and credit card information.
This data is then stolen by the threat actors. Cisco Talos has not yet confirmed whether additional malware is delivered through these attacks due to limited visibility into the phishing infrastructure.
Geographic Scope and Techniques
The campaign spans eight states—Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, and Kansas—identified through spoofed domains containing state-specific abbreviations observed in the SMS messages.
The attackers use typosquatted domains registered between October and November 2024 and have continued to register new ones, with domains observed as recently as March 2025.
Connection to Smishing Kits
Talos attributes this campaign to multiple financially motivated threat actors using smishing kits developed by an individual known as “Wang Duo Yu.” These kits have previously been linked to large-scale smishing attacks targeting mail services such as USPS and financial institutions.
Wang Duo Yu operates several Telegram channels and forums promoting smishing kits and offering tutorials on phishing techniques.
His kits are priced between $20 and $50 depending on the features and support provided.
Infrastructure Insights
The typosquatted domains used in the campaign resolve to a small set of IP addresses: 45[.]152[.]115[.]161, 82[.]147[.]88[.]22, and more recently 43[.]156[.]47[.]209 (defanged here; remove the brackets before matching against DNS logs).
Because many spoofed domains share these addresses, a defender who spots one toll-themed lookalike domain can pivot on its resolved IP to find related domains before they appear in a victim's message. The domains themselves are built to pass as legitimate toll payment services and exist only to collect the personal and card data described above.
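The following is an added triage example, not code from Cisco Talos or from the page; it turns the campaign traits described above (toll-brand lookalike domains, state abbreviations embedded in the domain, shared hosting IPs, and the small-balance-plus-late-fee lure) into a scoring check over SMS text. The three IP addresses are the ones reported on the page; the sample messages, the passive-DNS lookup table, the allow-list of legitimate operator domains, the brand word list and the score weights are all constructed assumptions for this illustration and would need to be replaced with real data in production.

```python
"""Triage SMS messages for the toll-road smishing pattern described above.

Added example; not Cisco Talos code. Sample messages, the passive-DNS table,
the legitimate-domain allow-list and the score weights are constructed for
this illustration. Only the three IP addresses come from the page.
"""
import re
from urllib.parse import urlsplit

# IOC IPs reported on the page (un-defanged so they compare to lookups).
IOC_IPS = {"45.152.115.161", "82.147.88.22", "43.156.47.209"}

# States the page says appear as abbreviations in the spoofed domains.
STATE_ABBREVS = {"wa", "fl", "pa", "va", "tx", "oh", "il", "ks"}

# Assumption: placeholder for the toll operator's real registrable domain(s).
# In production this list comes from the operator, never from guesswork.
LEGIT_DOMAINS = {"toll-operator.example"}

# Brand words typosquatted toll domains tend to be built from (assumption;
# longer words first so 'ezpass' is stripped before 'pass').
BRAND_WORDS = ("ezpass", "zpass", "tolls", "toll", "pass", "pay", "bill")

# Constructed stand-in for a passive-DNS or resolver lookup (domain -> IP).
PASSIVE_DNS = {
    "ezpasstx-pay.example": "45.152.115.161",   # one of the page's IOC IPs
    "flpass-tolls.example": "203.0.113.9",      # TEST-NET-3, not an IOC
    "toll-operator.example": "198.51.100.10",   # TEST-NET-2, not an IOC
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
AMOUNT_RE = re.compile(r"\$(\d+(?:\.\d{1,2})?)")


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Fine for this demo; use a
    public-suffix library for real traffic (e.g. co.uk breaks this)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def state_hint(domain: str):
    """Return a state abbreviation left in the second-level label once brand
    words are stripped, e.g. 'ezpasstx-pay.example' -> 'tx'."""
    sld = domain.split(".")[0]
    for part in re.split(r"[-_]", sld):
        rest = part
        for word in BRAND_WORDS:
            rest = rest.replace(word, "")
        if rest in STATE_ABBREVS:
            return rest
    return None


def lure_pattern(text: str) -> bool:
    """True when the text pairs a small 'owed' amount (< $5) with a late-fee
    threat, the lure the campaign uses."""
    amounts = [float(a) for a in AMOUNT_RE.findall(text)]
    small = any(a < 5 for a in amounts)
    fee = re.search(r"late\s+(payment\s+)?fee", text, re.IGNORECASE) is not None
    return small and fee


def triage(text: str, resolver=PASSIVE_DNS.get) -> dict:
    """Score one SMS. `resolver` maps a registrable domain to an IP or None."""
    urls = URL_RE.findall(text)
    if not urls:
        return {"url": None, "score": 0, "reasons": [], "verdict": "ok"}
    url = urls[0]
    host = urlsplit(url).hostname or ""
    domain = registrable_domain(host)
    ip = resolver(domain)
    score, reasons = 0, []

    if any(w in host for w in ("ezpass", "e-zpass", "toll")) and domain not in LEGIT_DOMAINS:
        score += 2
        reasons.append(f"toll-brand lookalike domain {domain}")
    st = state_hint(domain)
    if st:
        score += 1
        reasons.append(f"state abbreviation '{st}' in domain")
    if ip in IOC_IPS:
        score += 3
        reasons.append(f"resolves to known campaign IP {ip}")
    if lure_pattern(text):
        score += 1
        reasons.append("small balance + late-fee lure")

    verdict = "block" if score >= 4 else "review" if score >= 2 else "ok"
    return {"url": url, "domain": domain, "ip": ip, "score": score,
            "reasons": reasons, "verdict": verdict}


# Constructed sample messages (not real SMS captures).
SAMPLES = [
    "E-ZPass: you owe $4.15 in unpaid tolls. Pay now to avoid a $35 late fee: "
    "https://ezpasstx-pay.example/bill",
    "FL toll balance due. Visit https://flpass-tolls.example/pay",
    "Your monthly statement is ready at https://toll-operator.example/account",
    "Reminder: dentist appointment tomorrow at 3pm.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        r = triage(msg)
        print(r["verdict"], r["score"], r["reasons"])
```

The IP match carries the most weight because a domain that resolves to an address already tied to the campaign is strong evidence regardless of wording; the lure and naming heuristics alone only reach "review", which is the right outcome for a new domain that has not yet been resolved or enriched.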
Potential Data Sources
Talos suspects that publicly leaked user information from large databases may be fueling these attacks.
For instance, the 2024 National Public Data leak exposed billions of records that were shared on private Telegram channels for malicious use.
However, there is currently no direct evidence linking this data breach to the ongoing toll road smishing campaign.
Preventive Measures
Cisco recommends several security solutions to mitigate the risks associated with this threat:
- Cisco Secure Endpoint: Prevents malware execution.
- Cisco Secure Email: Blocks malicious emails.
- Cisco Secure Firewall: Detects malicious activity.
- Cisco Umbrella: Blocks access to malicious domains.
- Cisco Duo: Provides multi-factor authentication.
- Cisco Secure Web Appliance: Tests suspicious sites before access.
Indicators of compromise (IOCs) related to this campaign can be found in Cisco Talos’ GitHub repository for further analysis.
Conclusion
This smishing campaign highlights the growing sophistication of cybercriminals targeting everyday users through seemingly innocuous SMS messages.
Toll road users across multiple states should remain vigilant against unsolicited payment requests and verify any claims directly with official toll service providers.