A new SMS phishing campaign uncovered in early 2025 is raising the bar for cybercriminal sophistication by weaponizing trusted technologies and advanced evasion tactics.
Group-IB researchers have identified an ongoing attack targeting users of a major toll road service provider, wherein attackers exploit Google’s Accelerated Mobile Pages (AMP) and other legitimate services to bypass automated security detection and ensnare victims.
Threat Actors Exploit Legitimate Platforms and Browser Fingerprinting
The campaign, first observed in late 2023, involves bulk SMS messages purporting to be from a well-known toll system, warning users about alleged unpaid tolls and threatening penalties to create a sense of urgency.
These messages, tailored in the local language and distributed via spoofed numbers, direct users to a phishing website that is a near-perfect replica of the legitimate portal.
Upon clicking “Pay Now,” victims are prompted to divulge personal details and payment card information, all destined to be harvested by cybercriminals.
What sets this campaign apart is its adoption of multi-layered redirection techniques, notably leveraging Google AMP links to mask malicious destinations.
Instead of pointing directly to a suspicious domain, attackers embed phishing URLs within legitimate Google AMP redirects.
This method undermines security solutions reliant on domain reputation and leverages users’ inherent trust in well-known brands, significantly reducing the likelihood of detection or blocking.
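The practical defensive consequence is that a reputation lookup has to be applied to the destination hidden inside the AMP wrapper, not to the google.com or ampproject.org host that the SMS link shows. The following is an added example, not code from the article or from Group-IB, that peels those wrappers off an SMS link before triage. It assumes the two documented Google wrapper shapes, https://www.google.com/amp/s/<host>/<path> (an "s" segment meaning https, otherwise http) and https://<publisher>.cdn.ampproject.org/c/s/<host>/<path>; the sample links, the brand host list and the .invalid domains are constructed placeholders, not campaign indicators.

```javascript
// Added example (not from the article or Group-IB): unwrap Google AMP viewer
// and AMP cache wrapper URLs so that domain-reputation checks run against the
// real destination host rather than google.com or ampproject.org.
// Assumed wrapper formats: https://www.google.com/amp/[s/]<host>/<path>
// ("s" = https, omitted = http) and https://<pub>.cdn.ampproject.org/c/[s/]<host>/<path>.

const MAX_DEPTH = 5; // guard against endlessly nested wrappers

// Turn "s/host/path" or "host/path" (the part after /amp/ or /c/) into an absolute URL.
function rebuild(rest) {
  let scheme = "http";
  let remainder = rest;
  if (remainder.startsWith("s/")) {
    scheme = "https";
    remainder = remainder.slice(2);
  }
  if (remainder.length === 0) return null;
  try {
    return `${scheme}://${decodeURIComponent(remainder)}`;
  } catch (_e) {
    return null; // malformed percent-encoding: treat as not a wrapper
  }
}

// Return the URL wrapped by one AMP layer, or null if urlStr is not a wrapper.
function unwrapOnce(urlStr) {
  let u;
  try { u = new URL(urlStr); } catch (_e) { return null; }
  const host = u.hostname.toLowerCase();
  const tail = u.search + u.hash; // query and fragment belong to the inner URL

  // Google AMP viewer form (assumption: google.com hosts only)
  if ((host === "google.com" || host.endsWith(".google.com")) && u.pathname.startsWith("/amp/")) {
    const inner = rebuild(u.pathname.slice("/amp/".length));
    return inner ? inner + tail : null;
  }
  // AMP cache form
  if (host.endsWith(".cdn.ampproject.org") && u.pathname.startsWith("/c/")) {
    const inner = rebuild(u.pathname.slice("/c/".length));
    return inner ? inner + tail : null;
  }
  return null;
}

// Peel every wrapper layer and report the real destination plus the chain seen.
function resolveDestination(urlStr) {
  const chain = [urlStr];
  let current = urlStr;
  for (let i = 0; i < MAX_DEPTH; i++) {
    const next = unwrapOnce(current);
    if (next === null) break;
    chain.push(next);
    current = next;
  }
  let finalHost = null;
  try { finalHost = new URL(current).hostname.toLowerCase(); } catch (_e) { /* unparsable */ }
  return { finalUrl: current, finalHost, layers: chain.length - 1, chain };
}

// Triage rule for an SMS link: the brand's genuine portal hosts are allowed;
// any other host hidden behind an AMP wrapper is flagged for review.
function triageSmsLink(urlStr, brandHosts) {
  const r = resolveDestination(urlStr);
  if (r.finalHost === null) return { verdict: "malformed", ...r };
  const onBrand = brandHosts.some(h => r.finalHost === h || r.finalHost.endsWith("." + h));
  if (r.layers > 0 && !onBrand) return { verdict: "suspicious-amp-wrapper", ...r };
  if (!onBrand) return { verdict: "off-brand", ...r };
  return { verdict: "on-brand", ...r };
}

// Constructed sample links and brand list (placeholders, not real indicators).
const SAMPLE_LINKS = [
  "https://www.google.com/amp/s/tolls-pay-example.invalid/pay?id=123",
  "https://tolls-pay-example-invalid.cdn.ampproject.org/c/s/tolls-pay-example.invalid/pay",
  "https://portal.toll-brand-example.invalid/account",
];
const BRAND_HOSTS = ["toll-brand-example.invalid"];

for (const link of SAMPLE_LINKS) {
  const t = triageSmsLink(link, BRAND_HOSTS);
  console.log(`${t.verdict.padEnd(24)} layers=${t.layers} host=${t.finalHost}`);
}
```

The loop in resolveDestination matters because the article describes multi-layered redirection: a wrapper may itself point at another wrapper, so a single unwrap step would still leave the reputation check looking at google.com.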
Sophisticated Input Validation and Session Tracking Evade Security Filters
Further deepening their evasion strategy, the threat actors employ third-party JavaScript libraries, such as FingerprintJS and Cleave.js, within the phishing sites.
FingerprintJS harvests dozens of device and browser parameters, such as user agent, screen size, and time zone, enabling precise browser fingerprinting.
This is used not only to authenticate “legitimate” visitors and restrict access exclusively to targeted victims, but also to thwart researchers and automated scanners.
Visitors using VPNs or datacenter IPs are denied access, with the site displaying “Access Denied” or remaining in a perpetual loading state, thereby shielding the malicious infrastructure from forensic scrutiny.
JavaScript-based input validation, powered by Cleave.js, further enhances the campaign’s credibility and data collection capabilities.
As victims enter their information, the fields dynamically enforce correct formats for phone numbers, credit card details, and expiration dates.
The credit card input, for example, is checked in real time against the Luhn algorithm, and only those passing validation progress to the next stages.
These sophisticated techniques mimic authentic online payment experiences, all the while routing sensitive data to the attackers’ backend for instant harvesting.
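To make clear what that real-time validation does and does not establish, here is an added example, not code from the article, from Cleave.js or from the kit itself, of the two client-side checks described: a Cleave-style digit formatter and the Luhn checksum, plus an expiry-date check. Luhn only confirms that the digits are internally consistent; it says nothing about whether the card exists or belongs to the visitor, which is why its role in the kit is user-experience polish and junk filtering rather than anything resembling verification. The inputs are constructed; 4111 1111 1111 1111 is a widely published test number, not an issued card.

```javascript
// Added example (not from the article, Cleave.js or the phishing kit):
// the client-side checks the article describes, so the reader can see what
// "passes validation" actually means. All sample inputs are constructed.

// Keep only digits and group them in blocks of four, as card fields do.
function formatCardInput(raw) {
  const digits = String(raw).replace(/\D/g, "").slice(0, 19);
  return digits.replace(/(\d{4})(?=\d)/g, "$1 ");
}

// Luhn (mod 10) checksum: from the right, double every second digit, subtract 9
// from any product above 9, and require the total to be a multiple of 10.
function luhnValid(digits) {
  if (!/^\d{12,19}$/.test(digits)) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Expiry must be MM/YY with a real month and not already in the past.
function expiryValid(text, now = new Date()) {
  const m = /^(\d{2})\/(\d{2})$/.exec(String(text).trim());
  if (!m) return false;
  const month = Number(m[1]);
  const year = 2000 + Number(m[2]);
  if (month < 1 || month > 12) return false;
  // A card stays valid through the last day of its expiry month.
  const lastDay = new Date(year, month, 0, 23, 59, 59);
  return lastDay >= now;
}

// Combined field check mirroring what a payment form (or a kit imitating one) enforces.
function validateCardFields(cardRaw, expiry, now = new Date()) {
  const digits = String(cardRaw).replace(/\D/g, "");
  return {
    formatted: formatCardInput(cardRaw),
    luhnOk: luhnValid(digits),
    expiryOk: expiryValid(expiry, now),
  };
}

// Constructed inputs: the first passes both checks, the second fails both.
console.log(validateCardFields("4111-1111-1111-1111", "12/30"));
console.log(validateCardFields("4111 1111 1111 1112", "13/30"));
```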
On the backend, session and interaction data are transmitted at regular intervals, enabling real-time tracking of user input and session states.
The campaign’s infrastructure, mapped using Group-IB’s Unified Risk Platform, revealed links between phishing domains and temporary email accounts, highlighting the attackers’ efforts to orchestrate a resilient and well-disguised network.
The use of widely adopted third-party libraries provides a critical advantage to cybercriminals: these scripts are generally trusted by security systems and site visitors alike, allowing phishing pages to appear not only credible but also to evade detection mechanisms looking for custom or obfuscated code.
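Because the kit is assembled from ordinary libraries rather than custom obfuscated code, a scanner looking for the libraries themselves will also fire on countless legitimate checkout pages. The added example below, which is not Group-IB's tooling, instead scores a fetched landing page on the combination of signals the article attributes to this campaign: fingerprinting and input-masking library includes, a card-harvesting form, a "Pay Now" call to action, an "Access Denied" gate, and a timer that repeatedly ships session state to a backend. The regular expressions and weights are assumptions chosen for illustration, and both HTML samples are constructed, not captured kit source.

```javascript
// Added example (not Group-IB's tooling): a triage heuristic that scores a
// fetched landing page on the co-occurrence of the signals described in the
// article. Patterns and weights are assumptions; sample pages are constructed.

const SIGNALS = [
  // [name, weight, pattern applied to the raw page source]
  ["fingerprintjs-include", 3, /fingerprintjs|@fingerprintjs\/fingerprintjs/i],
  ["cleavejs-include",      2, /cleave(\.min)?\.js|new\s+Cleave\(/i],
  ["card-number-field",     3, /name=["'](cc|card)[-_]?(number|num|no)["']|autocomplete=["']cc-number["']/i],
  ["expiry-or-cvv-field",   2, /cc-exp|cvv|cvc|expir/i],
  ["pay-now-cta",           1, />\s*pay\s+now\s*</i],
  ["access-denied-gate",    2, /access\s+denied/i],
  // setInterval whose callback (within 400 chars) sends data to a server
  ["periodic-beacon",       3, /setInterval\s*\([\s\S]{0,400}?(fetch\(|XMLHttpRequest|navigator\.sendBeacon)/i],
];

// Return the matched signal names, the total score, and a coarse verdict.
function scoreLandingPage(html) {
  const hits = [];
  let score = 0;
  for (const [name, weight, re] of SIGNALS) {
    if (re.test(html)) {
      hits.push(name);
      score += weight;
    }
  }
  const verdict = score >= 8 ? "likely-phishing-kit" : score >= 4 ? "review" : "low";
  return { score, hits, verdict };
}

// Constructed sample page standing in for what a crawler fetched (not real kit source).
const SAMPLE_PAGE = `<!doctype html>
<html><head><title>Toll Payment Portal</title>
<script src="https://cdn.example-cdn.invalid/fingerprintjs/v4/fp.min.js"></script>
<script src="https://cdn.example-cdn.invalid/cleave.min.js"></script>
</head><body>
<form id="pay">
  <input name="card_number" autocomplete="cc-number">
  <input name="cc-exp" placeholder="MM/YY">
  <input name="cvv">
  <button type="submit">Pay Now</button>
</form>
<script>
  new Cleave('input[name=card_number]', { creditCard: true });
  setInterval(function () {
    fetch('/api/session', { method: 'POST', body: JSON.stringify(state) });
  }, 3000);
</script>
</body></html>`;

// Constructed benign page for comparison.
const BENIGN_PAGE = `<html><body><h1>Weekly newsletter</h1><p>Read our latest posts.</p></body></html>`;

console.log(scoreLandingPage(SAMPLE_PAGE));
console.log(scoreLandingPage(BENIGN_PAGE));
```

The periodic-beacon pattern is the one worth tuning in practice: a legitimate checkout rarely polls a backend with the contents of the form every few seconds, whereas the article reports exactly that behaviour for real-time tracking of victim input, so it separates the kit from ordinary pages that merely load the same libraries.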
Encoding phishing URLs in trusted platforms such as Google AMP further amplifies this subterfuge.
As this phishing campaign continues to evolve, experts warn that such tactics present heightened risks to organizations and individuals alike.
Businesses are urged to deploy advanced threat intelligence, proactively educate users, and monitor for brand abuse, while individuals should exercise caution with unsolicited SMS links and verify website authenticity before entering sensitive data.
The rising abuse of legitimate platforms for malicious ends highlights the ever-changing landscape of digital threats and the growing need for vigilance and adaptive security measures.