
A sophisticated phishing campaign has exploited compromised Indiana state government accounts to distribute fraudulent toll collection messages via GovDelivery, targeting unsuspecting users with a highly convincing fake TxTag portal.
The Indiana Office of Technology (IOT) and Trustwave SpiderLabs have both issued alerts following the emergence of phishing emails that appear to originate from legitimate Indiana government email addresses. These emails falsely claim users owe toll charges and contain links redirecting to malicious phishing websites designed to steal sensitive data.
“The Indiana Office of Technology (IOT) is aware of fraudulent messages purportedly sent by state agencies about collecting tolls. These messages are scams, and users should not click on any of the links,” IOT warned. “The State does not send unpaid toll notifications via text or email messages.”
The phishing campaign used compromised GovDelivery sender addresses (e.g., DLGF@public.govdelivery.com) to deliver emails that convincingly mimicked Indiana government notices, urging recipients to visit a TxTag site to resolve supposed unpaid tolls.
“TxTag users are the target of a recent email phishing attack sent from compromised Indiana Government senders via GovDelivery,” explained Trustwave SpiderLabs.
The attack lured users to a fake TxTag login page (txtag-us.xyz/login), where victims were prompted to enter:
- Full contact information
- Credit card numbers
- One-time passcodes (OTP)
The phishing site did not just harvest the submitted data; it also held open a WebSocket connection (wss://txtag-us.xyz/sync-message) to track each victim's session in real time. That matters because one-time passcodes expire within minutes: live visibility into the session lets an operator use a stolen OTP while it is still valid, rather than discovering it later in a batch of captured form posts.
“The phishing site sends stolen information through POST requests and maintains a WebSocket connection for real-time session tracking,” Trustwave SpiderLabs noted.
The IOT clarified that the state’s contract with the delivery vendor ended on December 31, 2024, but the associated account was never decommissioned. A contractor’s account was later compromised and used to send the malicious emails.
Fortunately, the IOT confirmed that no state systems were compromised in the incident.
Organizations using third-party platforms like GovDelivery must ensure proper offboarding (disabling vendor and contractor accounts when a contract ends), access control, and incident detection; a dormant sender account on a trusted platform is exactly what lets a phishing message arrive from a legitimate government address.
Recommendations:
- Never click on links from unsolicited toll collection emails or texts.
- Verify toll-related notices through official government portals only.
- Use multi-factor authentication (MFA) and monitor third-party access accounts.
- Monitor for suspicious network connections, in particular outbound WebSocket sessions and form posts to newly registered or brand-lookalike domains (WebSocket traffic itself is common, so the useful signal is the destination, not the protocol).
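To make the network-monitoring recommendation and the WebSocket tracking described above concrete, here is an added example (not code from the article, Trustwave SpiderLabs, or the IOT) that scans proxy log lines for the two indicators this campaign exhibits: an outbound WebSocket upgrade to a host outside an allowlist, and a brand-lookalike domain (a host containing "txtag" whose registrable domain is not the legitimate one). The log format, the sample lines, the WebSocket allowlist, and txtag.org as the legitimate TxTag domain are all assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Brand tokens to watch, mapped to the domains that may legitimately carry them.
# txtag.org as the legitimate TxTag domain is an assumption for this example.
BRAND_DOMAINS = {"txtag": {"txtag.org"}}

# Hosts expected to receive WebSocket upgrades from this network (assumed allowlist).
WS_ALLOWLIST = {"slack.com"}

# Constructed log format: "<timestamp> <client_ip> <method> <url> [upgrade=websocket]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+)(?: upgrade=(?P<upgrade>\S+))?$"
)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname; fine for .xyz/.org, not for co.uk-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_brand(host: str):
    """Return the brand token a host imitates, or None if it is a known-good domain."""
    domain = registrable_domain(host)
    for token, legit in BRAND_DOMAINS.items():
        if token in host.lower() and domain not in legit:
            return token
    return None


def classify(line: str):
    """Return (host, findings) for one log line; unparseable lines yield ('', [])."""
    m = LOG_RE.match(line.strip())
    if not m:
        return "", []
    url = urlsplit(m["url"])
    host = url.hostname or ""
    findings = []

    # WebSocket either by scheme (ws/wss) or by an HTTP Upgrade header noted in the log.
    is_ws = url.scheme in ("ws", "wss") or (m["upgrade"] or "").lower() == "websocket"
    if is_ws and registrable_domain(host) not in WS_ALLOWLIST:
        findings.append("websocket-to-unlisted-host")

    token = lookalike_brand(host)
    if token:
        findings.append(f"brand-lookalike:{token}")
        # A POST to a lookalike host is where harvested form data (cards, OTPs) would go.
        if m["method"].upper() == "POST":
            findings.append("form-post-to-lookalike")
    return host, findings


def scan(lines):
    """Aggregate findings per host; hosts with no findings are omitted."""
    report = {}
    for line in lines:
        host, findings = classify(line)
        if findings:
            report.setdefault(host, set()).update(findings)
    return {h: sorted(f) for h, f in report.items()}


# Constructed sample traffic: one victim walking the phishing flow, plus benign noise.
SAMPLE_LOG = [
    "2025-04-15T13:02:11Z 10.0.0.5 GET https://txtag-us.xyz/login",
    "2025-04-15T13:02:40Z 10.0.0.5 POST https://txtag-us.xyz/login",
    "2025-04-15T13:02:41Z 10.0.0.5 GET wss://txtag-us.xyz/sync-message upgrade=websocket",
    "2025-04-15T13:05:02Z 10.0.0.7 GET wss://slack.com/ws upgrade=websocket",
    "2025-04-15T13:06:30Z 10.0.0.9 GET https://www.txtag.org/",
]

if __name__ == "__main__":
    for host, findings in scan(SAMPLE_LOG).items():
        print(host, "->", ", ".join(findings))
```

Only the lookalike host is reported: the allowlisted Slack WebSocket and the legitimate txtag.org visit produce no findings. The brand check is deliberately simple (substring plus registrable-domain comparison); in production you would feed it a public-suffix list and your own list of protected brands, and pair the WebSocket rule with domain age or certificate-transparency data rather than a static allowlist.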