Residents across the United States are being inundated with text messages purporting to come from toll road operators like E-ZPass, warning that recipients face fines if a delinquent toll fee remains unpaid. Researchers say the surge in SMS spam coincides with new features added to a popular commercial phishing kit sold in China that makes it simple to set up convincing lures spoofing toll road operators in multiple U.S. states.
Last week, the Massachusetts Department of Transportation (MassDOT) warned residents to be on the lookout for a new SMS phishing or “smishing” scam targeting users of EZDriveMA, MassDOT’s all-electronic tolling program. Those who fall for the scam are asked to provide payment card data, and eventually will be asked to supply a one-time password sent via SMS or a mobile authentication app.
Reports of similar SMS phishing attacks against customers of other U.S. state-run toll facilities surfaced around the same time as the MassDOT alert. People in Florida reported receiving SMS phishing that spoofed SunPass, Florida’s prepaid toll program.
In Texas, residents said they received text messages about unpaid tolls with the North Texas Toll Authority. Similar reports came from readers in California, Colorado, Connecticut, Minnesota, and Washington. This is by no means a comprehensive list.
In each case, the emergence of these SMS phishing attacks coincided with the release of new phishing kit capabilities that closely mimic these toll operator websites as they appear on mobile devices. Notably, none of the phishing pages will even load unless the website detects that the visitor is coming from a mobile device.
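A defender-side way to check for the mobile-only gating described above, added here as an example and not code from the article or from the researchers it quotes: fetch a suspect URL once as a desktop browser and once as a mobile browser and compare what comes back. The user-agent strings, the card-form markers and the two HTML samples are constructed for illustration; the live fetch helper is meant to be run only from an isolated analysis host and is not exercised by the sample.

```python
import re
from dataclasses import dataclass

# Constructed user-agent strings (assumption: representative desktop and mobile browsers).
DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/122.0"
MOBILE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Mobile/15E148 Safari/604.1"

# Markers that together suggest a payment-card capture form, the end goal the article describes.
CARD_FORM_MARKERS = (r"<form", r"card.?number", r"cvv|cvc", r"expir")

@dataclass
class Probe:
    status: int
    body: str

def looks_like_card_form(html: str) -> bool:
    h = html.lower()
    return all(re.search(p, h) for p in CARD_FORM_MARKERS)

def classify(desktop: Probe, mobile: Probe) -> dict:
    """Gating = the desktop fetch gets nothing usable while the mobile fetch gets a real page."""
    desktop_empty = desktop.status >= 400 or len(desktop.body.strip()) < 64
    mobile_page = mobile.status == 200 and len(mobile.body.strip()) >= 64
    return {
        "mobile_gated": desktop_empty and mobile_page,
        "card_form_on_mobile": looks_like_card_form(mobile.body),
        "card_form_on_desktop": looks_like_card_form(desktop.body),
    }

def fetch_probe(url: str, user_agent: str, timeout: float = 10.0) -> Probe:
    """Live fetch with a chosen User-Agent (isolated analysis host only); not used by the sample."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return Probe(resp.status, resp.read(200_000).decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return Probe(e.code, e.read(200_000).decode("utf-8", "replace"))

# Constructed sample: an empty page for the desktop visitor, a lure with a card form for mobile.
SAMPLE_DESKTOP = Probe(200, "<html></html>")
SAMPLE_MOBILE = Probe(200, """<html><body><h1>Unpaid toll notice</h1>
<form method="post"><input name="card_number"><input name="cvv">
<input name="expiry"></form></body></html>""")

def sample_verdict() -> dict:
    return classify(SAMPLE_DESKTOP, SAMPLE_MOBILE)

if __name__ == "__main__":
    print(sample_verdict())
```

For a real check, replace the two sample probes with `fetch_probe(url, DESKTOP_UA)` and `fetch_probe(url, MOBILE_UA)`; a verdict of `mobile_gated` plus `card_form_on_mobile` is a strong signal worth including in an IC3 or takedown report.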
Ford Merrill works in security research at SecAlliance, a CSIS Security Group company. Merrill said the volume of SMS phishing attacks spoofing toll road operators skyrocketed after the New Year, when at least one Chinese cybercriminal group known for selling sophisticated SMS phishing kits began offering new phishing pages designed to spoof toll operators in various U.S. states.
According to Merrill, multiple China-based cybercriminals are selling distinct SMS-based phishing kits that each have hundreds or thousands of customers. The ultimate goal of these kits, he said, is to phish enough information from victims that their payment cards can be added to mobile wallets and used to buy goods at physical stores, online, or to launder money through shell companies.
Merrill said the different purveyors of these SMS phishing tools traditionally have impersonated shipping companies, customs authorities, and even governments with tax refund lures and visa or immigration renewal scams targeting people who may be living abroad or new to a country.
“What we’re seeing with these tolls scams is just a continuation of the Chinese smishing groups rotating from package redelivery schemes to toll road scams,” Merrill said. “Every one of us by now is sick and tired of receiving these package smishing attacks, so now it’s a new twist on an existing scam.”
In October 2023, KrebsOnSecurity wrote about a massive uptick in SMS phishing scams targeting U.S. Postal Service customers. That story revealed the surge was tied to innovations introduced by “Chenlun,” a mainland China-based proprietor of a popular phishing kit and service. At the time, Chenlun had just introduced new phishing pages made to impersonate postal services in the United States and at least a dozen other countries.
SMS phishing kits are hardly new, but Merrill said Chinese smishing groups recently have introduced innovations in deliverability, by more seamlessly integrating their spam messages with Apple’s iMessage technology, and with RCS, the equivalent “rich text” messaging capability built into Android devices.
“While traditional smishing kits relied heavily on SMS for delivery, nowadays the actors make heavy use of iMessage and RCS because telecom operators can’t filter them and they likely have a higher success rate with these delivery channels,” he said.
It remains unclear how the phishers have selected their targets, or from where their data may be sourced. A notice from MassDOT cautions that “the targeted phone numbers seem to be chosen at random and are not uniquely associated with an account or usage of toll roads.”
Indeed, one reader shared on Mastodon yesterday that they’d received one of these SMS phishing attacks spoofing a local toll operator, when they didn’t even own a vehicle.
Targeted or not, these phishing websites are dangerous because they are operated dynamically in real-time by criminals. If you receive one of these messages, just ignore it or delete it, but please do not visit the phishing site. The FBI asks that before you bin the missives, consider filing a complaint with the agency’s Internet Crime Complaint Center (IC3), including the phone number where the text originated, and the website listed within the text.
I’ve had at least 10 or so of these. I don’t own a car. They allege there’s a problem even in states other than the one where I live. I think for many who received these, it’s an easy and expensive trap to fall into.
Yup. I live in Texas but have had a 508 area code for years. The messages came from the Philippines but I guess I wasn’t supposed to notice that. Massachusetts has always been a pretty long drive from here, like the Philippines is kind of a long swim from China.
This type of scam has been seen in Australia for many years. In fact it is now so well known that most people are fully aware and delete the SMS immediately.
I’ve gotten several of these for Georgia’s PeachPass. A couple of months ago PeachPass actually put up a warning on their website about them.
I received one shortly after opening a snail mail from EZPass. Was “easy” to spot the scam.
I received several such text messages about three months ago here in Maryland. I told my wife (who also got these texts) not to act on it. I logged in to the regular website without clicking on anything in the message. And behold! There was an announcement from EZ Pass MD that there were impostor text messages and we should look out.
I received one of these SMS attacks last week. It was not too shabby, as far as phishing attacks go. I could see those attacks being good enough to lure several victims, unfortunately.
I got 4 of these, 2 on 1 day, 2 more on another day.
But…here’s what’s strange: they only showed up in messages on my Apple Watch Ultra 2 with cellular; they didn’t show up in messages on my iPad, or iPhone.
Further to my earlier comment, here is a link to the Linkt Toll Scam in Melbourne, Australia, that has been ongoing for at least two years now: https://www.linkt.com.au/help/security/latest-scams/melbourne
It shows several SMS messages, some purporting to be from the Toll Provider and some from a Debt Collection House.
Delete and do not open!
Does the Chinese government support these phishers?
Yes and no. By proxy they do but if it hurts their image they don’t.
Phishing is not a top-tier cybercrime like, say, stealing corporate or state secrets, so fighting or defending against it only receives attention and funding relative to the public interest. If Chinese society starts getting vocal about it, only then will the authorities act. They recently cracked down hard on activities operating out of Myanmar for this very reason, and the message was: don’t target Chinese citizens.
Phishing and lower tier crimes of opportunity are generally only performed by organised crime groups or script kiddies, but groups operating out of Russia and China have been known for years to have support from state backed APT operatives, moonlighting for extra cash on the side. Unfortunately, like Russia, corruption exists and they are lowly paid, so their supervisors turn a blind eye. This is also why Western agencies have been able to identify and sanction so many individual operatives, simply because they get lazy and use the same tools and techniques regardless of who they are working for; an MO is like a fingerprint and leaves you vulnerable to discovery.
By comparison, Western agencies, Five Eyes operatives especially, are bound by very strict rules of engagement for the very reasons stated above. They are highly educated and highly paid. Therefore moonlighting is not only frowned upon, but would be career-ending and would get you ostracised from the community forever.
I don’t trust text messages because there is no real way to authenticate them.
My rate of text messages went up in 2024 because of doctors. It seems that doctors really love them for contacting patients.
I thought that I had found a good use for text messages when I found out that I could send e-mail to the telephone number ([cellnumber]@vtext.com for Verizon and [cellnumber]@txt.att.net for AT&T). So the logical thing was to have my servers send text messages for various events to my cell phone so that I could keep up with what was happening even at times when I don’t have internet access.
I started with logins to the servers. Even that was too much. After about twenty minutes, the cell phone company stopped accepting messages. I had figured realistically that I would be happy with maybe 40,000 messages a month to cover startups, shutdowns, logins, logouts, and some significant attempts to break in, but when it couldn’t even handle five messages per hour, that was out of the question.
So I’m back to hating text messages.