Full Report
Cisco Talos has observed a widespread and ongoing financial theft SMS phishing (smishing) campaign since October 2024 that targets toll road users in the United States of America.
Analysis Summary
# Incident Report: Widespread US Toll Road Smishing Campaign for Financial Theft
## Executive Summary
Since October 2024, Cisco Talos has observed a large-scale, ongoing financial theft campaign that uses SMS phishing (smishing) to target toll road users across multiple US states. Attackers impersonate toll services (such as E-ZPass) to lure victims to typosquatted domains, ultimately stealing personally identifiable information (PII) and credit card details. The campaign appears to use a shared smishing kit developed by an actor known as "Wang Duo Yu" and is potentially being run by multiple financially motivated threat groups.
## Incident Details
- Discovery Date: October 2024 (Initial observation period) / April 10, 2025 (Public reporting date)
- Incident Date: Ongoing since mid-October 2024
- Affected Organization: Various US toll road service providers (e.g., E-ZPass systems) are impersonated.
- Sector: Transportation/Financial Services
- Geography: United States (Observed across at least eight states: Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, and Kansas).
## Timeline of Events
### Initial Access
- Date/Time: Mid-October 2024
- Vector: SMS Phishing (Smishing)
- Details: Attackers send SMS messages claiming an outstanding toll balance (under $5 USD) and warning of an escalating late fee ($35). The messages prompt victims to click a link leading to a spoofed domain.
### Lateral Movement
- Not applicable: no internal network movement is described, since the primary goal is immediate credential and financial data harvesting via external phishing sites.
### Data Exfiltration/Impact
- Date/Time: Immediately after redirection to the final phishing page.
- Details: Phishing workflow captures Name, ZIP Code, Address, Phone Number, and Credit Card Information. Potential for further payload delivery at the end of the chain is unknown.
### Detection & Response
- Date/Time: Ongoing observation leading up to April 2025 reporting.
- Details: Detected by Cisco Talos via monitoring of threat infrastructure and intelligence correlating similar attack patterns.
## Attack Methodology
- Initial Access: Smishing using typosquatted domains targeting users of toll payment services (e.g., domains referencing state abbreviations).
- Persistence: Not relevant for this external phishing campaign structure.
- Privilege Escalation: Not relevant for this external phishing campaign structure.
- Defense Evasion: Use of legitimate-looking logos on the subsequent phishing pages and low claimed toll amounts to encourage quick, unreflective user action.
- Credential Access: Direct collection of PII and credit card data on the final form submission page.
- Discovery: Target selection may draw on publicly leaked data; a connection to past public data leaks is suspected but not confirmed.
- Lateral Movement: N/A (External website redirection).
- Collection: Name, ZIP code, Address, Phone Number, Credit Card details captured in sequence.
- Exfiltration: Stolen PII/financial data is exfiltrated to threat actor-controlled infrastructure.
- Impact: Financial fraud and PII compromise.
## Impact Assessment
- Financial: Direct financial loss due to unauthorized credit card use. Potential costs linked to remediation and customer notification for impersonated entities.
- Data Breach: High volume of compromised personally identifiable information (PII) and sensitive financial data (credit card details).
- Operational: Minimal direct operational impact on toll services, but customer-service overload or confusion is possible if the campaign's scope is large.
- Reputational: Significant reputational risk for the impersonated tolling authorities.
## Indicators of Compromise
- Network indicators (defanged):
  - IP 1: 45[.]152[.]115[.]161
  - IP 2: 82[.]147[.]88[.]22
  - IP 3: 43[.]156[.]47[.]209
- File indicators: Not specified regarding payloads; focus is on infrastructure.
- Behavioral indicators: SMS delivery purporting to be from toll authorities with low-value outstanding balances.
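The defanged indicators above have to be refanged before they can be fed to a block list or matched against connection logs. The following is an added example written for this report, not Talos tooling: the three IP indicators are the ones listed above, the firewall log lines are constructed, and the `dst=` field format is an assumption.

```python
import ipaddress
import re

# Indicators copied from the report above, still in defanged form.
DEFANGED_IOCS = [
    "45[.]152[.]115[.]161",
    "82[.]147[.]88[.]22",
    "43[.]156[.]47[.]209",
]

# Constructed sample firewall log (not from the report). Line 4 is a
# deliberate near-miss: 143.156.47.209 contains an IOC as a substring.
SAMPLE_LOG = """\
2025-04-10T12:01:03Z src=10.20.30.41 dst=45.152.115.161 dport=443 action=allow
2025-04-10T12:01:09Z src=10.20.30.42 dst=142.250.72.14 dport=443 action=allow
2025-04-10T12:02:17Z src=10.20.30.41 dst=82.147.88.22 dport=80 action=allow
2025-04-10T12:03:55Z src=10.20.30.43 dst=143.156.47.209 dport=443 action=allow
"""

_DEFANGED_DOT = re.compile(r"\\?\[\.\\?\]|\(\.\)|\{\.\}")  # [.]  \[.\]  (.)  {.}
_DST_FIELD = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")  # assumed log format

def refang(indicator: str) -> str:
    """Undo common defanging so an indicator can be fed to a block list."""
    s = _DEFANGED_DOT.sub(".", indicator.strip())
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)

def refang_ips(indicators) -> set[str]:
    """Refang and keep only syntactically valid IP addresses."""
    valid = set()
    for ioc in indicators:
        try:
            valid.add(str(ipaddress.ip_address(refang(ioc))))
        except ValueError:
            continue  # not an IP (or malformed): skip rather than block garbage
    return valid

def find_matches(log_text: str, blocklist: set[str]) -> list[tuple[int, str]]:
    """Return (line_no, dst_ip) for log lines whose destination is blocklisted."""
    # Parse the whole dst field and compare exactly, so 143.156.47.209 is not
    # reported as a hit just because it contains 43.156.47.209.
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = _DST_FIELD.search(line)
        if m and m.group(1) in blocklist:
            hits.append((n, m.group(1)))
    return hits
```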
## Response Actions
- Containment measures: Blocking of observed malicious phishing domains and IPs via security appliances (NGFW, Umbrella, WSA).
- Eradication steps: Cisco products like Secure Malware Analytics can identify associated binaries if secondary payloads exist.
- Recovery actions: Users advised to review financial statements and monitor credit.
## Lessons Learned
- Commodity attack tools (smishing kits from "Wang Duo Yu") are used by multiple distinct groups, indicating a low barrier to entry for financial smishing.
- Impersonation targeting basic utility services (like tolls) with small outstanding amounts is highly effective for rapid data harvest.
- The success of these campaigns often relies on the use of publicly available compromised data sources to make phishing messages appear highly personalized.
## Recommendations
- Implement layered network security solutions (NGFW, Umbrella) capable of blocking connections to malicious, newly registered typosquatted domains.
- Encourage mandatory Multi-Factor Authentication (MFA) for all critical user accounts to mitigate risk if other phishing campaigns succeed.
- Deploy security analytics (e.g., Cisco Secure Network/Cloud Analytics) to monitor for unusual traffic patterns correlating with credential harvesting attempts originating from user devices.
- Educate users to never click links in unsolicited SMS messages, regardless of the purported urgency or amount due.