
Sample phishing SMS messages | Image: Cisco Talos
A widespread and persistent SMS phishing (smishing) campaign, uncovered by the Cisco Talos team, has been targeting toll road users across at least eight U.S. states since October 2024, aiming to steal payment credentials under the guise of overdue toll bills.
Victims receive SMS alerts impersonating automated toll systems such as E-ZPass, claiming they owe a small toll fee (often under $5) and threatening a late penalty of $35. These messages redirect users to typosquatted domains that mimic real toll services.
After solving a fake CAPTCHA, the user is presented with a fake toll bill and prompted to enter personal and credit card information.
The malicious webpages, adorned with cloned logos and convincing formatting, funnel sensitive data to attackers. Domains tied to the campaign were registered as recently as March 2025, indicating the campaign is still active.

The smishing operation is geotargeted, with Cisco Talos observing spoofed domains linked to residents of:
- Washington
- Florida
- Pennsylvania
- Virginia
- Texas
- Ohio
- Illinois
- Kansas
These state-specific domains exploit regional familiarity to increase credibility and victim engagement.
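The lure structure described above (a small toll, a larger penalty, pressure language and a lookalike domain carrying a state token) can be turned into a triage heuristic for SMS gateways or abuse mailboxes. The following is an added example, not code from Cisco Talos or from the report; its toll-operator allow-list, scoring weights, threshold and sample messages are constructed assumptions for the demo.

```python
import re
from urllib.parse import urlparse
# Assumed allow-list of legitimate toll-operator hosts (constructed for this demo;
# a real deployment would load the operators' published domains instead).
LEGIT_TOLL_HOSTS = {"e-zpassny.com", "ezpassva.com", "ezdrivema.com", "ntta.org"}
TOLL_BRANDS = ("e-zpass", "ezpass", "ezdrivema", "ntta", "toll")
PRESSURE_WORDS = ("late fee", "penalty", "suspend", "legal action", "overdue")
STATE_TOKENS = {"wa", "fl", "pa", "va", "tx", "oh", "il", "ks"}  # eight states named above
URL_RE = re.compile(r"https?://\S+|\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
MONEY_RE = re.compile(r"\$\s?(\d+(?:\.\d{1,2})?)")

def extract_hosts(text):
    """Lowercased hostnames from scheme-full and bare URLs in one SMS."""
    hosts = []
    for m in URL_RE.finditer(text):
        raw = m.group(0)
        if not raw.lower().startswith("http"):
            raw = "http://" + raw  # bare domains are common in smishing texts
        host = urlparse(raw).hostname
        if host:
            hosts.append(host.lower())
    return hosts

def is_lookalike(host):
    """Toll branding anywhere in a host that is not on the allow-list."""
    return host not in LEGIT_TOLL_HOSTS and any(b in host for b in TOLL_BRANDS)

def score_sms(text, threshold=4):
    """Score one SMS against the lure pattern; returns (verdict, score, reasons)."""
    hits = []
    for h in extract_hosts(text):
        if is_lookalike(h):
            hits.append(("lookalike toll domain " + h, 3))
            if set(re.split(r"[.-]", h)) & STATE_TOKENS:  # state-specific domain label
                hits.append(("state token in domain " + h, 1))
    amounts = [float(a) for a in MONEY_RE.findall(text)]
    if amounts and min(amounts) < 5 and max(amounts) > min(amounts):
        hits.append(("small toll plus larger penalty", 2))
    if any(w in text.lower() for w in PRESSURE_WORDS):
        hits.append(("pressure language", 1))
    score = sum(w for _, w in hits)
    return ("smishing" if score >= threshold else "benign", score, [r for r, _ in hits])

# Constructed sample messages (not real campaign texts).
SAMPLES = [
    "E-ZPass: unpaid toll of $4.15. Pay today to avoid a $35 late fee: https://ezpass-wa-toll.vip/pay",
    "Reminder: your E-ZPass statement is ready at https://e-zpassny.com/account",
    "Your appointment is confirmed for Tuesday at 3pm. Reply C to confirm.",
]
```

The state-token check only sees hyphen- or dot-separated labels, so a domain that glues the state abbreviation onto the brand still scores on the lookalike rule alone.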
Cisco Talos ties the toolkit behind this operation to a Chinese developer named Wang Duo Yu, also associated with the “Smishing Triad” group. This actor sells customizable smishing kits and tutorials on Telegram, with pricing structures and support plans for novice cybercriminals.
“Talos assesses with moderate confidence that the toll road smishing attacks are being carried out by multiple financially motivated threat actors using the smishing kit developed by ‘Wang Duo Yu.’”
Wang operates a Telegram channel named “老王同步源码开发教学” (“Lao Wang Synchronized Source Code Development Tutorial”), which includes:
- Phishing modules spoofing U.S. toll systems like EZDriveMA and North Texas Toll Authority
- Tutorials for building web panels, mail servers, and deploying phishing kits
- Private lessons priced at over $800 USD per session
His kits target major entities with broad user bases—banks, toll operators, and postal services—making them ideal tools for mass credential harvesting.
Though unconfirmed, Cisco Talos suspects the campaign may leverage data from publicly leaked datasets to target victims more precisely. The 2024 National Public Data breach, which exposed billions of personal records, is one possible source.
“Targeting toll road users in multiple states indicates the likelihood of the threat actor leveraging user information publicly leaked from large databases.”
As smishing kits become commercialized and modular, even unsophisticated attackers can now launch state-level impersonation scams. The Cisco Talos report reveals just how deeply these kits are integrated into an underground ecosystem, with actors like Wang Duo Yu monetizing everything from source code to smishing-as-a-service.
“As of March 2025, Talos is still seeing new domains registered by the threat actors… implying that the campaign is ongoing,” Cisco Talos warns.