Beware! Phishing Scam Uses Fake Unpaid Tolls Messages to Harvest Login Credentials

A sophisticated phishing campaign leveraging fake unpaid toll notifications has emerged as a significant threat, targeting mobile users across the globe.

These scams, commonly referred to as “smishing” (SMS phishing), exploit text messages to deceive victims into revealing sensitive information or making fraudulent payments.

Unlike traditional phishing methods, these scams have evolved to include messages impersonating state toll road operators, claiming unpaid toll fees and threatening fines or license suspension if recipients fail to respond.

The deceptive messages often lack live links, instead prompting victims to reply.

Once engaged, attackers send a live phishing domain link tailored for the victim’s region and device type.

Researchers have traced the infrastructure supporting this operation to tens of thousands of domains hosted primarily in China.

Phishing-as-a-Service: Lucid’s Role in Scaling Attacks

The backbone of this scam lies in a new phishing-as-a-service (PhaaS) platform called Lucid.

This platform enables cybercriminals to launch large-scale phishing campaigns with minimal effort.

Lucid offers subscription-based services that allow affiliates to generate bulk iMessage and Android RCS messages, create unique domains and landing pages, and deploy time-limited URLs for each victim.

Its advanced features include:

  • Dynamic targeting: Adjustments based on victims’ IP addresses for location-specific attacks.
  • Device-specific focus: Tailored campaigns for iOS or Android users.
  • Evasion techniques: Blocking connections from non-targeted regions and preventing direct access to phishing domains.

Lucid’s control panel provides real-time monitoring of victim interactions, enabling attackers to capture sensitive data such as login credentials and credit card details.

The platform’s anti-detection features make it challenging for traditional security tools to identify these scams.
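The message pattern described above (an unpaid-toll lure, a threat of fines or license suspension, a reply-first prompt with no link, and finally a tailored phishing link) can be turned into a simple triage heuristic on the receiving side. The script below is an added example written for this page, not code from the article, from Censys, or from the Lucid platform; the official-domain allow-list and the sample SMS bodies are constructed for the demo, and the scoring weights are an assumption.

```python
"""Heuristic triage for toll-themed smishing text messages.

Added example (not the article's or any vendor's code). Scores constructed
SMS bodies on the indicators described in the article:
  * an unpaid/outstanding toll lure,
  * a threat of a fine or license suspension,
  * a prompt to reply with no link present (the reply-first pattern),
  * a link whose domain is not a known toll-operator domain.
The allow-list, sample messages and weights are all constructed/assumed.
"""
import re
from dataclasses import dataclass, field

# Constructed allow-list of hypothetical official toll domains; a real
# deployment would load the operator's actual domains instead.
OFFICIAL_TOLL_DOMAINS = {"example-tolls.gov", "tollpay.example.com"}

TOLL_LURE = re.compile(
    r"\b(unpaid|outstanding|overdue)\b.{0,40}\b(toll|tolls|toll fee|balance)\b", re.I)
THREAT = re.compile(
    r"\b(fine|fines|penalt(y|ies)|late fee|license\s+suspen\w*|suspended|legal action)\b", re.I)
REPLY_BAIT = re.compile(r"\b(reply|respond|text back)\b.{0,30}\b(y|yes|1|confirm)\b", re.I)
# Bare or schemed hostnames such as example.com/pay; group 1 is the host.
URL = re.compile(r"\b(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)


@dataclass
class Verdict:
    score: int
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Assumed threshold: a lure alone is not enough, lure + threat is.
        return self.score >= 3


def extract_domains(text: str) -> list[str]:
    """Return every hostname-looking token in the message, lower-cased."""
    return [m.group(1).lower() for m in URL.finditer(text)]


def score_message(text: str) -> Verdict:
    """Score one SMS body; each matched indicator adds to the score."""
    v = Verdict(score=0)
    if TOLL_LURE.search(text):
        v.score += 2
        v.reasons.append("unpaid-toll lure")
    if THREAT.search(text):
        v.score += 1
        v.reasons.append("threat of fine/suspension")
    domains = extract_domains(text)
    # Reply-first bait: the article notes the initial message often has no
    # live link and asks the victim to reply before a link is sent.
    if not domains and REPLY_BAIT.search(text):
        v.score += 2
        v.reasons.append("reply-first bait with no link")
    for d in domains:
        if d not in OFFICIAL_TOLL_DOMAINS:
            v.score += 2
            v.reasons.append(f"link to non-official domain {d}")
    return v


# Constructed sample messages: two scam-style, one legitimate-style, one benign.
SAMPLE_MESSAGES = [
    "Toll Services: You have an unpaid toll balance of $6.99. Pay by 03/31 to "
    "avoid a fine and license suspension. Reply Y to receive your payment link.",
    "Your vehicle has an outstanding toll of $4.50. Settle now at "
    "toll-notice-pay.top/us to avoid penalties.",
    "Reminder: your tollpay.example.com account statement is ready. No action needed.",
    "Hey, are you coming to dinner at 7? Reply yes or no.",
]


def triage(messages: list[str] = SAMPLE_MESSAGES) -> list[tuple[str, Verdict]]:
    """Score a batch of messages and return (message, verdict) pairs."""
    return [(m, score_message(m)) for m in messages]


if __name__ == "__main__":
    for m, v in triage():
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"[{flag:10}] score={v.score} {'; '.join(v.reasons) or '-'}")
        print(f"             {m[:72]}")
```

The benign dinner invitation trips the reply-bait rule on its own but stays under the threshold, which is the point of weighting the toll lure highest: a reply prompt is only suspicious in combination with the toll or threat wording. Any unknown hostname is scored the same way whether or not it carries a scheme, since the article notes the links are served per victim and are short-lived.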

The Scale and Success of Toll Scams

The toll scam campaigns powered by Lucid have proven alarmingly effective, achieving a success rate of approximately 5%, which is significantly higher than typical email phishing attacks.

Federal authorities, including the FBI and FTC, have reported a nationwide surge in complaints related to these scams since early 2024.

The proliferation of cashless toll systems and reliance on smartphones for transactions has made this type of fraud particularly lucrative.

Censys researchers have also highlighted the role of other PhaaS platforms like Darcula and EvilProxy in similar campaigns.

These platforms provide tools for cloning legitimate websites, bypassing multi-factor authentication (MFA), and evading detection through advanced obfuscation techniques.

The emergence of platforms like Lucid underscores the growing sophistication of cybercrime operations.

The subscription-based model lowers barriers for entry, enabling even low-skilled attackers to launch targeted campaigns.

As these platforms evolve, they are expected to refine their tactics further, introducing new lures and exploiting additional vulnerabilities.

Victims are advised to remain vigilant against unexpected text messages claiming unpaid tolls or other financial obligations.

Key preventive measures include avoiding clicking on suspicious links, verifying the legitimacy of messages directly with relevant authorities, and employing robust security solutions like phishing-resistant MFA.

With the cybercriminal underground thriving, these scams highlight the urgent need for enhanced cybersecurity awareness and defenses against increasingly complex phishing threats.

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
