Full Report
Cybersecurity researchers are warning of a "widespread and ongoing" SMS phishing campaign that's been targeting toll road users in the United States for financial theft since mid-October 2024. "The toll road smishing attacks are being carried out by multiple financially motivated threat actors using the smishing kit developed by 'Wang Duo Yu,'" Cisco Talos researchers Azim Khodjibaev, Chetan
Analysis Summary
# Incident Report: Widespread US Toll Road SMS Phishing Campaign
## Executive Summary
A widespread and ongoing SMS phishing (smishing) campaign has been targeting toll road users across multiple US states since mid-October 2024, impersonating services like E-ZPass to solicit unpaid toll fees. Financially motivated threat actors are utilizing phishing kits, notably one developed by an individual identified as "Wang Duo Yu," to trick victims into clicking malicious links, bypassing security controls, and ultimately stealing personal and financial information through fraudulent payment pages. Response efforts primarily involve platform blocking of fraudulent domains, though the high volume and use of sophisticated, adaptable kits complicate containment.
## Incident Details
- Discovery Date: Mid-October 2024 (Campaign ongoing; public analysis from late 2024/early 2025)
- Incident Date: Began mid-October 2024
- Affected Organization: Various road toll collection organizations (e.g., E-ZPass users)
- Sector: Transportation/Financial Services
- Geography: United States (Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, Kansas)
## Timeline of Events
### Initial Access
- Date/Time: Mid-October 2024 onwards
- Vector: Smishing delivered via SMS and Apple iMessage.
- Details: Messages falsely claiming unpaid tolls, urging users to click a link.
### Lateral Movement
*Not explicitly detailed, as the attack focuses on immediate credential/financial theft on the landing page.*
### Data Exfiltration/Impact
- Victims prompted to navigate fake E-ZPass pages after solving CAPTCHAs.
- Personal information (name, ZIP code) and financial information (credit/debit card details) are siphoned to threat actors.
- Captured card details are also exfiltrated to the kit creator ("double theft").
- Attempted enrollment of phished card details into mobile wallets (potentially leveraging Ghost Tap).
### Detection & Response
- **Detection:** Identified by cybersecurity researchers (Cisco Talos, Brian Krebs, PRODAFT, Resecurity) tracking the campaign and associated phishing kits (Wang Duo Yu's kit, Lighthouse).
- **Response Actions:** Efforts focused on blocking the high volume of fraudulent domains being generated (over 60,000 tracked by Resecurity). Because Apple iMessage disables links in messages from unknown senders by default, the actors instruct recipients to reply "Y" so that the link becomes active.
## Attack Methodology
- **Initial Access:** Smishing via SMS/iMessage impersonating toll collection agencies.
- **Persistence:** Not explicitly detailed; the focus is on an immediate financial fraud mechanism.
- **Privilege Escalation:** Not applicable to this fraud scenario.
- **Defense Evasion:** Use of bulk SMS services for massive scale; requiring active victim response ("Y") to bypass Apple iMessage link security features.
- **Credential Access:** Social engineering leading victims to input data on subsequent fake payment forms.
- **Discovery:** Attackers rely on bulk targeting based on geographical use of toll roads.
- **Lateral Movement:** Not applicable.
- **Collection:** Harvesting of Name, ZIP Code, and Credit/Debit Card details.
- **Exfiltration:** Data sent to threat actors via the fraudulent web infrastructure; card data also sent to the kit creator ("double theft").
- **Impact:** Financial theft via direct data siphoning and potential mobile wallet enrollment.
## Impact Assessment
- **Financial:** Direct theft from compromised cards; costs associated with remediation for toll agencies or victims (unquantified).
- **Data Breach:** Personally Identifiable Information (PII) and full payment card data.
- **Operational:** Minimal direct operational impact on toll agencies; high nuisance and risk to affected users.
- **Reputational:** Damage to the trust in official electronic toll collection systems.
## Indicators of Compromise
- **Network indicators:** Use of numerous fraudulent domains spoofing E-ZPass (e.g., `ezp-va[.]lcom`, `e-zpass[.]com-etcjr[.]xin`).
- **File indicators:** Phishing kits developed by Wang Duo Yu (Lighthouse kit).
- **Behavioral indicators:** SMS/iMessage luring users with unpaid toll notifications; required response of "Y" to activate links if using iMessage.
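The behavioral and network indicators above can be turned into a simple message triage rule. The following is an added example, not code from the report or from Cisco Talos; it scores an SMS/iMessage body on the toll lure, the "reply Y" activation request and the spoofed E-ZPass domains listed in this report. The sample messages and the `LEGIT_DOMAINS` allowlist are constructed placeholders for illustration.

```python
import re
from urllib.parse import urlparse

# Defanged spoof domains from the report, re-armed so urlparse can match them.
KNOWN_SPOOF_DOMAINS = {"ezp-va.lcom", "e-zpass.com-etcjr.xin"}
# Hypothetical allowlist; a real deployment would load the agency's verified domains.
LEGIT_DOMAINS = {"e-zpass.com"}

LURE_WORDS = re.compile(r"\b(?:toll|unpaid|e-?zpass|outstanding balance)\b", re.I)
# "Reply Y" / "reply with 'Y'": the iMessage link-activation tactic described above.
REPLY_Y = re.compile(r"\breply\s+(?:with\s+)?['\"]?y\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def extract_domains(text):
    """Return lower-cased hostnames of every http(s) URL in the message."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def triage_sms(text):
    """Return (verdict, reasons) for one message body based on the report's indicators."""
    reasons = []
    if LURE_WORDS.search(text):
        reasons.append("toll/E-ZPass payment lure")
    if REPLY_Y.search(text):
        reasons.append("asks for 'Y' reply to activate link (iMessage bypass)")
    for host in extract_domains(text):
        if host in LEGIT_DOMAINS:
            continue
        if host in KNOWN_SPOOF_DOMAINS:
            reasons.append(f"known spoof domain: {host}")
        elif "ezpass" in host.replace("-", "") or "ezp" in host:
            reasons.append(f"E-ZPass lookalike domain: {host}")
    # Two or more independent indicators is treated as smishing; one is worth a closer look.
    verdict = "smishing" if len(reasons) >= 2 else ("suspicious" if reasons else "benign")
    return verdict, reasons


# Constructed sample messages (not real captures).
SAMPLE_MESSAGES = [
    "E-ZPass: you have an unpaid toll of $6.99. Pay now to avoid late fees: https://e-zpass.com-etcjr.xin/pay",
    "Your toll balance is due. Reply Y to activate the link, then open https://ezp-va.lcom/settle",
    "Your order #12345 has shipped. Track it at https://example.com/track",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(triage_sms(msg))
```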
## Response Actions
- **Containment:** Monitoring and blocking of the actively generated fraudulent domains by security vendors and platforms (Apple/Google).
- **Eradication:** Not possible against the global kit distributors; focus is on removing deployed fraudulent sites.
- **Recovery:** Victims must cancel compromised cards and monitor accounts.
## Lessons Learned
- **Evolving Evasion Tactics:** Threat actors are adapting social engineering to bypass platform security, such as exploiting the iMessage "reply to activate" vector.
- **Supply Chain Risk in Cybercrime:** The proliferation of sophisticated, commercially available phishing kits (Wang Duo Yu) enables multiple, independent financially motivated actors to conduct large-scale, effective fraud.
- **Scale of Domain Generation:** The use of over 60,000 spoofed domains highlights the difficulty standard blocking mechanisms have in keeping pace with high-velocity fraud operations supported by bulk SMS services.
## Recommendations
- **Multi-Factor Authentication (MFA):** Encourage users to enable MFA on all financial accounts so that the accounts remain protected even if card numbers are compromised.
- **User Awareness:** Continuous education on verifying communication authenticity, especially regarding time-sensitive requests for payments or personal data via SMS/iMessage.
- **Proactive Domain Blocking:** Increased cooperation between telecommunication providers and security firms to preemptively block bulk SMS services used by known organized crime groups like Smishing Triad.
- **Implement Anti-Ghost Tap Measures:** Financial institutions should review card provisioning processes to detect suspicious automated enrollment into mobile wallets.