Chinese Smishing Kit Fuels Extensive Toll Fraud Campaign Across Eight U.S. States

Cybersecurity experts have issued a warning about a significant ongoing SMS phishing scam aimed at toll road users across various states in the U.S. This fraudulent activity, which began in mid-October 2024, reportedly involves multiple financially motivated attackers utilizing a smishing kit created by an individual identified as ‘Wang Duo Yu.’

These attacks mimic notifications from legitimate U.S. electronic toll collection systems, such as E-ZPass, sending text messages and Apple iMessages to users in states like Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, and Kansas. The messages inform recipients of an "unpaid toll" and encourage them to click on a link provided within the text.

Previously reported by security journalist Brian Krebs, these phishing attempts appear to trace back to a Chinese SMS phishing service named Lighthouse, which is promoted on platforms like Telegram. Notably, while Apple iMessage safeguards users by disabling links from unknown senders, the attackers coax recipients into responding with "Y" to activate the link, a tactic consistent with other phishing kits.

Upon clicking the link, victims are confronted with a fake CAPTCHA challenge before being redirected to a counterfeit E-ZPass page, which may include deceptive domains such as "ezp-va.lcom" or "e-zpass.com-etcjr.xin." Users are then prompted to enter their personal information, including name and ZIP code, under the pretext of accessing their toll bill. This data is, in turn, collected by the attackers.
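For defenders triaging reported texts, the two signals described above (a toll brand name placed in front of an unrelated registered domain, and the "reply Y" prompt) can be checked mechanically. The following sketch is an added example, not code from Cisco Talos or the article; the brand tokens, the placeholder allowlist `tolls.example`, the finding names and the sample messages are all assumptions made for illustration.

```python
import re

# Assumptions (not from the article): brand tokens to watch, and a placeholder
# allowlist standing in for the toll operator's real registrable domains.
BRAND_TOKENS = ("ezpass", "ezp")
ALLOWED_DOMAINS = {"tolls.example"}

HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
REPLY_RE = re.compile(r"\breply\s+(?:with\s+)?[\"']?y\b", re.I)
EMBEDDED_TLD_RE = re.compile(r"(com|org|net|gov)(-|$)")

def registrable(host):
    # Simplification: last two labels. Use the Public Suffix List in production.
    return ".".join(host.split(".")[-2:])

def classify_host(host):
    """Return the reasons a hostname looks like a toll-brand lookalike."""
    host = host.lower().rstrip(".")
    if registrable(host) in ALLOWED_DOMAINS:
        return []
    labels = host.split(".")
    reasons = []
    # Brand name appears in a label, but the registered domain is not the brand's.
    if any(t in lab.replace("-", "") for lab in labels for t in BRAND_TOKENS):
        reasons.append("brand-off-domain")
    # A familiar TLD used as a non-final label, as in "e-zpass.com-etcjr.xin".
    if any(EMBEDDED_TLD_RE.match(lab) for lab in labels[1:-1]):
        reasons.append("embedded-tld-label")
    return reasons

def analyze(text):
    """Collect per-host findings plus the reply-to-enable-link prompt."""
    findings = []
    for host in HOST_RE.findall(text):
        findings += [f"{r}:{host.lower()}" for r in classify_host(host)]
    if REPLY_RE.search(text):
        findings.append("reply-to-enable-link")
    return findings

# Constructed sample messages (the lure reuses a domain quoted in the article).
LURE = ("E-ZPass: you have an unpaid toll. Pay at https://e-zpass.com-etcjr.xin/pay "
        "(reply Y, then reopen this message to use the link)")
BENIGN = "Your toll statement is ready at https://tolls.example/account"

if __name__ == "__main__":
    for msg in (LURE, BENIGN):
        print(analyze(msg) or "clean", "<-", msg)
```

Short tokens such as `ezp` will produce false positives on unrelated hostnames, so treat the output as a triage signal rather than a verdict.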

Cisco Talos research highlights that multiple cybercriminal teams are executing these toll road phishing schemes using the same toolkit from Wang Duo Yu. Notably, the Smishing Triad, a known Chinese cybercrime group, has also employed similar smishing kits. Researchers indicate that Wang Duo Yu, a current computer science student in China, has allegedly developed these kits to further enrich himself while studying.

This smishing group is notorious for executing extensive campaigns that target a variety of sectors, employing social engineering techniques like failed delivery notices to lure individuals into revealing sensitive personal details.

In an even more alarming revelation, these phishing kits are designed to let attackers extract sensitive credit and debit card information while enabling them to enroll stolen card details into mobile wallets, facilitating large-scale exploitation of victims’ funds utilizing a method termed Ghost Tap.

Talos further underscores that the kits, sold on Telegram, offer various options with prices ranging from $20 to $50 depending on features, such as full-feature development and updates. By March 2025, the group focused their efforts on a new iteration of the Lighthouse phishing kit tailored for credential harvesting from banking institutions in Australia and the Asia-Pacific region.

This escalation in smishing activities has facilitated the widespread use of over 60,000 domain names, significantly obstructing efforts by tech firms like Apple and Google to counter these fraudulent operations. Resecurity has also revealed that attackers utilize bulk SMS services for expansive outreach across demographics.

