Highway Robbery 2.0: How Attackers Are Exploiting Toll Systems in Phishing Scams
Essential information
- Published
- 10/03/2025 13:04
- Modified
- 12/03/2025 07:54
- Tags
- 2025-03-10 chinese asns domain spoofing e-zpass imessage infrastructure analysis nginx sms phishing sunpass toll systems txtag
- Related entities
- 9 techniques (mitre), 2 others
Description
A massive SMS phishing campaign targeting U.S. drivers exploits various toll systems, including E-ZPass, SunPass, and TxTag. The scam uses fake payment alerts sent via iMessage and SMS from foreign numbers to lure victims to fraudulent websites. Analysis reveals a pattern in domain names and infrastructure, with most phishing sites hosted on Chinese ASNs like Tencent and Alibaba Cloud. The campaign employs nginx web servers and constantly shifts tactics to evade detection. Over 2,000 complaints have been filed with the FBI's Internet Crime Complaint Center, prompting warnings from the FTC and toll authorities. The scam's effectiveness stems from the inconsistency in legitimate toll collection domain names, making it challenging for users to distinguish between real and fake websites.