Cybersecurity experts have issued a warning about an extensive SMS phishing (smishing) campaign that has been targeting toll road users in the United States for financial gain since mid-October 2024.
The attacks, which impersonate U.S. electronic toll collection systems like E-ZPass, have been attributed to multiple financially motivated threat actors using a smishing kit developed by ‘Wang Duo Yu,’ according to researchers at Cisco Talos.
The phishing campaigns send SMS messages and Apple iMessages to individuals in states such as Washington, Florida, Pennsylvania, and others, claiming there is an unpaid toll and directing recipients to click on a fake link in the message.
Security journalist Brian Krebs previously highlighted certain aspects of the toll phishing campaign, linking the activity to a China-based SMS phishing service called Lighthouse.
Recipients of the smishing texts are instructed to reply with “Y” before tapping the link. The reply is not a formality: iMessage disables links in messages from unknown senders, and replying marks the sender as known so the link becomes clickable. The link then leads to a fake E-ZPass page where victims are prompted to enter personal and payment card information, which the threat actors use to carry out financial theft.
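The lure flow described above (an unpaid-toll claim, pressure to pay, a "reply Y" instruction and a brand-impersonating link) is regular enough to score heuristically. The following Python is an added example written for this page, not code from Talos, Krebs or any vendor mentioned here. The sample messages are constructed to resemble the lure and are not real captures, and the allowlist of legitimate hostnames is a placeholder assumption that a real deployment would fill from the toll agency's published domains.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample messages modelled on the lure described in the article;
# they are not real captures from the campaign.
SAMPLE_MESSAGES = [
    "E-ZPass: You have an unpaid toll of $6.99. To avoid a $50 late fee, pay at "
    "https://ezpass-paytoll.example/bill Reply Y, then exit the text and reopen it to activate the link.",
    "Your toll balance is overdue. Pay now: https://e-zpass.example-secure.top/pay or a penalty will be applied.",
    "Hi, are we still meeting at noon?",
    "Your E-ZPass statement is ready. Sign in at https://www.ezpass.example to view it.",
]

# Assumption: placeholder allowlist of hostnames treated as legitimate for this example.
LEGIT_HOSTS = {"ezpass.example", "www.ezpass.example"}

# Brand tokens the lure impersonates. Hyphens are stripped from hostnames before
# matching so "e-zpass" and "ezpass" are treated alike.
BRAND_TOKENS = ("ezpass", "toll")

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
DEBT_RE = re.compile(r"\b(unpaid|overdue|outstanding|past due)\b", re.IGNORECASE)
TOLL_RE = re.compile(r"\btolls?\b", re.IGNORECASE)
URGENCY_RE = re.compile(
    r"\b(late fee|penalty|penalties|suspend(?:ed|sion)?|within \d+ (?:hours?|days?))\b",
    re.IGNORECASE,
)
# The "reply Y" instruction exists to make iMessage treat the sender as known
# so the link in the message becomes tappable.
REPLY_Y_RE = re.compile(r"\breply\s+(?:with\s+)?[\"']?y\b", re.IGNORECASE)


@dataclass
class Verdict:
    score: int
    reasons: list[str] = field(default_factory=list)
    hosts: list[str] = field(default_factory=list)


def extract_hosts(text: str) -> list[str]:
    """Return lower-cased hostnames of every URL in the message."""
    hosts = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:!?)\"'")  # drop trailing punctuation
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def score_message(text: str) -> Verdict:
    """Score one SMS against the toll-smishing indicators; one point per indicator."""
    verdict = Verdict(score=0, hosts=extract_hosts(text))
    if DEBT_RE.search(text) and TOLL_RE.search(text):
        verdict.score += 1
        verdict.reasons.append("claims an unpaid or overdue toll")
    if URGENCY_RE.search(text):
        verdict.score += 1
        verdict.reasons.append("pressures the recipient with a fee, penalty or deadline")
    if REPLY_Y_RE.search(text):
        verdict.score += 1
        verdict.reasons.append("asks the recipient to reply Y to enable the link")
    for host in verdict.hosts:
        if host in LEGIT_HOSTS:
            continue
        if any(token in host.replace("-", "") for token in BRAND_TOKENS):
            verdict.score += 1
            verdict.reasons.append(f"brand lookalike host not on allowlist: {host}")
            break  # count the lookalike indicator once per message
    return verdict


def is_toll_smishing(text: str, threshold: int = 3) -> bool:
    """Three or more independent indicators is a reasonable cut-off for this lure."""
    return score_message(text).score >= threshold


if __name__ == "__main__":
    for message in SAMPLE_MESSAGES:
        verdict = score_message(message)
        label = "SMISHING" if is_toll_smishing(message) else "ok"
        print(f"[{label}] score={verdict.score} {message[:60]!r}")
        for reason in verdict.reasons:
            print(f"    - {reason}")
```

The scoring is deliberately additive rather than keyed on any single phrase: the lure text changes across actors and kits, but the combination of a toll debt claim, urgency, the reply-to-activate step and an off-allowlist brand lookalike domain is what distinguishes the campaign from a genuine statement notice.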
Talos researchers noted that the toll road smishing campaigns are likely being conducted by multiple threat actors using a phishing kit developed by Wang Duo Yu. Similar smishing kits have been observed being used by another Chinese cybercrime group known as the Smishing Triad.
According to security researcher Grant Smith, Wang Duo Yu is also believed to be the creator of phishing kits used by the Smishing Triad, indicating a connection between the two groups.
The phishing kits employed in these attacks have been found to contain backdoors that quietly forward the stolen credit and debit card data to the kit's developer as well as to the operator who deployed it, a practice known as double theft: the criminals running the campaign are themselves robbed of the data they collect.
As of March 2025, the threat actors behind these campaigns have shifted their focus to a new phishing kit designed to target banks and financial organizations in Australia and the Asia-Pacific region.
Resecurity, a cybersecurity company tracking the activities of the Smishing Triad, revealed that the syndicate has used over 60,000 domain names to carry out their fraudulent activities, making it challenging for platforms like Apple and Google to effectively block the scams.
Underground bulk SMS services such as Lighthouse let these operators send fraudulent messages to millions of recipients at once, which is what allows the campaigns to run at this scale.