Cybersecurity researchers uncovered a far-reaching phishing campaign exploiting the trust U.S. citizens place in their state Departments of Motor Vehicles (DMVs).
The campaign, characterized by sophisticated SMS phishing tactics (smishing) and meticulously crafted clone websites, sought to illicitly gather sensitive personal and financial data from unsuspecting victims across several states.
Attackers impersonated state DMVs through convincing SMS alerts, which were delivered in bulk from spoofed numbers that frequently appeared local, though many originated from the Philippines.
The fraudulent messages typically warned recipients of supposed unpaid toll violations, referencing fictitious legal codes (such as “[State-Name] Administrative Code 15C-16.003”) and threatening escalatory legal action to induce urgency.
According to Check Point research Report, victims were directed to links embedded in these messages, which led to deceptive websites mimicking the branding and user interface of the legitimate DMV portals for their respective states.
Coordinated Smishing Attacks Imitate State Agencies
Once routed to the counterfeit websites hosted predominantly under domains structured as “https://[state_ID]dmv.gov-[4-letter-string].cfd/pay” users were told they had outstanding toll fines and were prompted to pay a nominal fee.
Following payment, the sites would prompt for personal information including full name, address, email, phone number, and credit card credentials, all purportedly for identity verification.
Technical analysis revealed a highly organized campaign with thousands of uniquely registered phishing domains, a substantial portion of which were tied to the known malicious IP address 49.51.75[.]162.
Additional investigation showed that six HTML templates were being reused and adapted for different states most notably Pennsylvania, Georgia, Texas, California, New Jersey, New York, and Florida.
These sites widely employed low-cost, easily registered top-level domains such as [.cfd] and [.win].
Chinese-Linked Infrastructure
The campaign’s infrastructure exhibited further signs of centralization, including the consistent use of alidns.com and dns8.alidns.com as nameservers, and a common SOA contact address, [email protected], strongly linking the operation to Chinese domain services.
Digital asset fingerprinting discovered the persistent use of specific JavaScript, CSS, and image files suggesting deployment of a standardized phishing kit, likely designed to streamline the mass creation and management of fake DMV portals.
Notably, source code analysis found Chinese-language comments, cementing suspicions of a Chinese-speaking threat actor.
Evidence further correlated with known behavioral patterns associated with the “Lighthouse” phishing kit, historically used in previous DMV-focused attacks.
Federal and state authorities reacted swiftly, as the campaign’s scope became clear through widespread media coverage by outlets including CBS News, Fox News, and Time Magazine.
Public advisories were disseminated through official DOT and DMV channels in affected states, warning citizens not to trust unsolicited text messages regarding toll violations and outlining proper reporting protocols for suspected scams.
The FBI’s Internet Crime Complaint Center (IC3) received over 2,000 complaints tied to this form of smishing in a single month, a figure that only hints at the true breadth of the campaign, given the low dollar amount ($6.99) often at risk and the believable nature of the scam materials.
In response, cybersecurity stakeholders including federal agencies, state IT teams, telecom carriers, and industry vendors collaborated to distribute threat intelligence, blacklist malicious domains, enhance SMS phishing filters, and strengthen public awareness campaigns.
The incident underscores the evolving sophistication of cybercriminal groups targeting critical U.S. infrastructure and the persistent need for vigilance and proactive defense against social engineering threats leveraging government impersonation.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates
