Brian Krebs of the Krebs on Security blog published a big piece that leads with how residents across the U.S. are being flooded with fraudulent text messages impersonating toll road operators like E-ZPass and SunPass, warning recipients of supposed unpaid toll fees. Researchers say the surge in SMS phishing scams coincides with new capabilities added to a commercial phishing kit sold in China, allowing cybercriminals to mimic official toll payment websites with alarming accuracy.
The Massachusetts Department of Transportation (MassDOT) recently issued a warning about phishing attacks targeting EZDriveMA, the state’s electronic tolling program. Victims who fall for the scam are asked to enter their payment card details and later provide a one-time password (OTP)—a tactic aimed at bypassing two-factor authentication and linking stolen cards to digital wallets.
Similar phishing attempts have surfaced in Florida, Texas, California, Colorado, Connecticut, Minnesota, and Washington. The attacks appear to follow the release of a new module for “Lighthouse,” a China-based SMS phishing service, which now includes fake websites spoofing multiple U.S. toll operators. Cybercriminals have designed these phishing pages to be accessible only from mobile devices, making them more convincing to unsuspecting users.
Ford Merrill, a security researcher at SecAlliance, confirmed that these phishing kits are sold by multiple China-based cybercriminal groups, each with hundreds or thousands of customers. The scammers’ primary goal is to steal payment credentials and link them to mobile wallets for fraudulent purchases or money laundering. According to Merrill, this latest scam is a continuation of previous package delivery and tax refund phishing attacks, which have evolved as consumers become more aware of older schemes.
The reality is that text-based phishing is an epidemic. Part of that expansion in phishing tactics is that criminals are increasingly using iMessage and RCS (Rich Communication Services) to bypass telecom spam filters. Traditional smishing campaigns relied heavily on SMS, but these new delivery channels allow messages to appear more legitimate, increasing their success rate.
While it remains unclear how targets are selected, MassDOT warns that affected phone numbers appear to be chosen at random and are not linked to actual toll accounts. Some recipients have reported receiving scam messages despite never having used a toll road or even owning a vehicle.
The FBI urges recipients to report phishing attempts to the Internet Crime Complaint Center (IC3) before deleting the messages. I’ll be checking with the Canadian authorities about where to report this, but regardless – we need to get the message out that users should never click on links in unsolicited texts or provide sensitive financial information online.