DMV-Themed Phishing Scam Targets U.S. Citizens to Steal Personal and Financial Information

A sophisticated phishing campaign has swept across the United States, leveraging SMS phishing (smishing) and deceptive web infrastructure to pose as official state Departments of Motor Vehicles (DMVs).

This large-scale operation has effectively harvested personal and financial information from unsuspecting citizens by deploying alarming text messages about fake unpaid toll violations, which directed victims to highly convincing, cloned DMV websites.

Cloned Web Infrastructure

Victims received messages from spoofed phone numbers, ostensibly sent by their state DMV, warning of severe consequences such as license suspension or legal action over unpaid tolls.

Many of these messages originated from phone numbers traced to the Philippines, with the senders relying heavily on SMS spoofing to make the texts appear legitimate.

[Image: SMS messages used in the phishing scam]

In some cases, attackers turned to obscure email domains to widen the campaign’s reach.

To reinforce the appearance of authenticity, these smishing texts regularly cited fabricated legal codes, instructing targets to resolve minor fines by following embedded links.

Upon clicking, targets landed on fake DMV portals that mirrored official state branding and urged prompt resolution of fictitious penalties.

[Image: fake DMV landing page]

Following an initial payment step, the landing pages requested extensive personally identifiable information (PII) including full names, addresses, contact details, and complete credit card information.

Technical analysis of the campaign revealed a structured approach: the malicious domains followed a consistent naming convention, such as “https://[state_ID]dmv.gov-[string].cfd/pay,” and were primarily hosted on a single known malicious IP address, 49.51.75[.]162.

Notably, six HTML files corresponded to key states (New York, New Jersey, California, Florida, Texas, Pennsylvania, and Georgia) and shared nearly identical frontend assets (JavaScript, CSS, and graphics), further indicating that a centralized phishing kit was used for rapid, at-scale deployment.
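The domain convention and hosting IP above are the kind of indicators a SOC would turn directly into a triage check, and the same logic covers the later advice to block high-risk TLDs at the DNS layer. The following is an added example written for this article, not code from Check Point or the article's author: it extracts URLs from SMS bodies and flags the .cfd TLD, the "gov-" lookalike trick, the "[state_ID]dmv.gov-[string].cfd" host shape, and the article's hosting IP. The sample messages, the hostname "nydmv.gov-abc123.cfd" and the passive-DNS table are constructed for the demonstration and are not observed data.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the article: the .cfd TLD used by the campaign's
# domains, the "gov-" string that makes a host look like a .gov address, and
# the defanged hosting IP 49.51.75[.]162 (re-fanged here so it can be compared).
HIGH_RISK_TLDS = {"cfd"}
KNOWN_BAD_IPS = {"49.51.75.162"}

# Host shape from the article's "[state_ID]dmv.gov-[string].cfd" pattern.
# The state prefix and trailing string are wildcards; no real values assumed.
DMV_KIT_HOST = re.compile(r"^[a-z]{2,}dmv\.gov-[a-z0-9]+\.cfd$")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Pull every http(s) URL out of an SMS body, dropping trailing punctuation."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]


def classify_url(url, resolved_ip=None):
    """Return the list of indicators that fire for one URL.

    resolved_ip is passed in by the caller (for example from passive DNS) so
    the check runs fully offline; nothing is resolved here.
    """
    host = (urlparse(url).hostname or "").lower()
    hits = []
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    if tld in HIGH_RISK_TLDS:
        hits.append("high_risk_tld")
    # A real government host ends in ".gov"; "gov-" inside the name is the
    # lookalike trick the campaign relies on.
    if "gov-" in host and not host.endswith(".gov"):
        hits.append("gov_lookalike")
    if DMV_KIT_HOST.match(host):
        hits.append("dmv_kit_pattern")
    if resolved_ip in KNOWN_BAD_IPS:
        hits.append("known_bad_ip")
    return hits


def triage_sms(messages, passive_dns=None):
    """Map every URL found in the messages to its firing indicators.

    passive_dns is an optional {hostname: ip} lookup table supplied by the
    caller; hosts absent from it are simply not checked against KNOWN_BAD_IPS.
    """
    passive_dns = passive_dns or {}
    report = {}
    for msg in messages:
        for url in extract_urls(msg):
            host = (urlparse(url).hostname or "").lower()
            report[url] = classify_url(url, passive_dns.get(host))
    return report


# Constructed sample messages. The hostname "nydmv.gov-abc123.cfd" is a
# made-up instance of the article's pattern, not an observed domain.
SAMPLE_SMS = [
    "NY DMV: Unpaid toll violation on record. Pay within 24 hours to avoid "
    "license suspension: https://nydmv.gov-abc123.cfd/pay.",
    "Reminder: renew your registration at https://dmv.ny.gov/ before it expires.",
]
# Constructed passive-DNS table mapping the made-up host to the article's IP.
SAMPLE_PASSIVE_DNS = {"nydmv.gov-abc123.cfd": "49.51.75.162"}

if __name__ == "__main__":
    for url, hits in triage_sms(SAMPLE_SMS, SAMPLE_PASSIVE_DNS).items():
        print(f"{url}: {', '.join(hits) if hits else 'no indicators'}")
```

The TLD check on its own is the cheapest control and maps directly to a DNS block rule; the host-shape regex is the most specific and will need updating the moment the kit operators rotate their naming convention, so treat the IP and TLD indicators as the durable part of the rule.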

Attribution and Public Response

Technical indicators strongly suggest the campaign was orchestrated by a China-based threat actor. All associated phishing domains used DNS infrastructure provided by alidns.com, and registrant contacts referenced [email protected]; both point to Chinese operations.

Source code audits revealed Chinese-language comments, reinforcing these attribution claims.

The phishing methodology, infrastructure choices, and kit reuse align with known “phishing-as-a-service” models advertised in Chinese cybercrime forums.

According to a Check Point Research report, this DMV campaign stands as one of the most expansive smishing attacks in recent memory, with thousands of domains targeting citizens across multiple states.

According to the FBI’s Internet Crime Complaint Center (IC3), more than 2,000 complaints about similar toll-related scams were logged in a single month, and the true figure is likely higher, since the scam’s low transaction value and high believability mean many victims never report it.

High-profile media coverage and coordinated advisories from state transportation agencies have helped raise public awareness.

States including New York, California, Texas, and New Jersey urgently warned residents not to engage with suspicious texts, emphasizing that toll violations are never handled through unsolicited messages.

Cybersecurity firms, government IT teams, and telecom providers have since mobilized to block malicious domains, improve SMS filtering, and distribute threat intelligence about phishing indicators, domain patterns, and hosting infrastructure.

End users are urged to navigate directly to official DMV websites, never trust payment requests via unsolicited messages, and report suspicious communications.

On the organizational side, advisories stress DNS-level blocking of high-risk TLDs such as .cfd, deployment of email authentication protocols (SPF, DKIM, and DMARC), and active sharing of threat intelligence to thwart future attacks.


Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
