Cisco Talos researchers have found a major smishing campaign targeting U.S. toll road users. Active since October 2024, the scam tricks people with fake toll payment messages to steal personal and financial details.
All about the Smishing Campaign
The smishing campaign uses simple but convincing tricks. Victims get text messages saying they owe a small toll fee, usually under $5, and warning about high late charges. The message includes a link to a fake website that looks like a real toll service, using names and state abbreviations like “FL” or “TX” to seem legit.
When users click the link, they’re taken to a fake site with official-looking logos, such as EZPass. The site asks them to solve a CAPTCHA and enter basic info like name and ZIP code. It then shows a fake toll bill with warnings about late penalties.
Clicking “Proceed Now” takes them to another fake page where they’re asked to enter personal details, including address, phone number, and credit card info—all of which are stolen by the attackers.
Cisco Talos found that this smishing campaign is likely run by financially motivated cybercriminals using phishing kits created by someone named “Wang Duo Yu.” These kits, shared on Telegram and underground forums, let attackers easily target toll systems, banks, and postal services.
The tools are customizable, making it easy to launch attacks across different states. Many of the fake websites were registered in late 2024, with activity still seen in March 2025. The attackers’ setup is well-organized, showing a high level of planning and coordination.
Implications and Security Measures
This smishing campaign highlights the growing risk of SMS phishing and the need for users to stay alert. Attackers are using leaked personal data from past breaches to make their messages more convincing, though there’s no confirmed link to any specific breach like the 2024 National Public Data leak.
People should be cautious with SMS payment requests and avoid clicking on suspicious links. Legitimate toll services usually don’t send bills by random text messages. It’s safer to check any toll payments directly on the official toll road websites.
Cybersecurity experts and authorities are urging companies to improve their defenses. Cisco recommends using tools like Secure Endpoint, Secure Firewall, and Umbrella to block these threats. Other helpful steps include using multi-factor authentication, monitoring network traffic, and setting up secure web gateways.
As attackers get smarter, protecting against smishing scams requires both awareness and strong security tools. By educating users and using the right cybersecurity solutions, organizations can reduce the risk of personal and financial data being stolen.
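One way to apply the advice on monitoring traffic and checking links to the lure pattern described above (a state abbreviation or a toll brand such as EZPass worked into the hostname). This is an added example, not code from Cisco Talos or the original article; the word lists, the allow-list, the `.example` hostnames and the sample messages are assumptions constructed for illustration.

```python
import re

# Assumptions for this example: word lists and allow-list are illustrative only.
STATES = {"fl", "tx", "wa", "pa", "va", "ks", "oh", "il", "ny"}
TOLL_WORDS = {"toll", "tolls", "road", "route", "lane", "pass", "plate", "drive"}
BRANDS = {"ezpass"}                  # compared after removing hyphens
ALLOWED = {"tollauthority.example"}  # placeholder for the genuine toll sites

URL_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)

def split_host(host):
    # Simplification: the last two labels are treated as the registered domain.
    labels = host.lower().rstrip(".").split(".")
    return labels[:-2], labels[-2], ".".join(labels[-2:])

def score_host(host):
    """List the reasons a hostname resembles a toll-payment lure."""
    subs, reg_label, reg_domain = split_host(host)
    if reg_domain in ALLOWED:
        return []
    tokens = reg_label.split("-")
    paired = any(t in STATES for t in tokens) and any(t in TOLL_WORDS for t in tokens)
    # Also catch run-together forms: a state code fused with a toll word.
    fused = any(t[:2] in STATES and t[2:] in TOLL_WORDS for t in tokens)
    reasons = ["state+toll-word"] if paired or fused else []
    if any(b in lbl.replace("-", "") for lbl in subs + [reg_label] for b in BRANDS):
        reasons.append("brand-lookalike")
    return reasons

def scan_sms(text):
    """Extract hostnames from an SMS body; return {host: reasons} for hits."""
    hits = {}
    for m in URL_RE.finditer(text.replace("[.]", ".")):  # accept defanged input
        reasons = score_host(m.group(1))
        if reasons:
            hits[m.group(1).lower()] = reasons
    return hits

# Constructed sample messages (not taken from the campaign).
SAMPLES = [
    "Unpaid toll of $4.15. Pay now to avoid late fees: https://fl-toll.example/bill",
    "E-ZPass final notice: settle your balance at e-zpass.com-notice.example/pay",
    "Your monthly statement is ready at https://tollauthority.example/account",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(scan_sms(sms) or "no match", "<-", sms)
```

The heuristic is a triage signal for review, not a blocklist: hostnames it flags still need checking against the toll operator's published domains.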
IOCs