Full Report
A new mass smishing campaign uncovered by Bitdefender Labs shows that scammers are sending tens of thousands of fraudulent text messages to mobile users across 12 countries, impersonating transport authorities, toll operators, and parking services.

Key takeaways

- Since December 2025, Bitdefender Labs researchers have been tracking smishing campaigns targeting drivers on a global scale. The scam campaigns are still active as of April 2026.
- Over 79,000 fraudulent messages have already been
Analysis Summary
# Incident Report: Operation Road Trap
## Executive Summary
A global mass smishing campaign has been identified targeting drivers across 12 countries, impersonating DMVs, toll operators, and parking authorities. The campaign uses high-pressure tactics and artificial urgency to steal credit card details and PII, in some regions online banking credentials as well, or to deliver spyware. Over 79,000 fraudulent messages and 31,900 unique URLs have been detected, pointing to a large infrastructure built for financial fraud and data theft.
## Incident Details
- **Discovery Date:** December 2025
- **Incident Date:** December 2025 – Ongoing (Last update April 2026)
- **Affected Organization:** Customers of various global transport authorities (e.g., E-ZPass, SunPass, DMV, Interac, city parking services)
- **Sector:** Transportation / Government Services / Finance
- **Geography:** Global (US, Canada, UK, Australia, France, Spain, Ireland, India, Colombia, Brazil, Luxembourg, New Zealand)
## Timeline of Events
### Initial Access
- **Date/Time:** December 2025
- **Vector:** SMS/Mobile Phishing (Smishing)
- **Details:** Attackers send SMS messages using spoofed sender IDs or short codes (e.g., 7726) claiming the recipient has an unpaid toll or parking violation.
### Lateral Movement
- **N/A:** As this is a consumer-facing fraud campaign, movement is focused on credential pivoting (e.g., using stolen payment info to access bank accounts).
### Data Exfiltration/Impact
- **Financial/Identity Theft:** Victims enter credit card numbers, CVVs, and PII into spoofed websites. In Canada, phishing extends to Interac e-Transfer banking credentials. In other regions, the payload includes spyware downloads.
### Detection & Response
- **Detection:** Bitdefender Labs identified the campaign via anti-phishing telemetry and URL analysis.
- **Response:** Continuous monitoring of URL generation; public disclosure and warning to international drivers; integration of signatures into "Scam Radar" security features.
## Attack Methodology
- **Initial Access:** Smishing (SMS Phishing) using social engineering and high-pressure deadlines (24-72 hours).
- **Persistence:** Not applicable for payment sites; however, for malware variants, persistence is maintained via installed spyware on mobile devices.
- **Privilege Escalation:** N/A (Direct credential/data theft).
- **Defense Evasion:** Rapid domain generation, use of multiple languages, sender-ID spoofing, and mobile-specific evasion techniques to bypass standard browser filters.
- **Credential Access:** Phishing pages mimicking official government and payment portals (e.g., ca[.]gov-okqs[.]bond).
- **Discovery:** Public reconnaissance of toll systems and local authorities in 12 different countries.
- **Lateral Movement:** Pivot from toll payment phishing to banking credential theft (specifically Interac in Canada).
- **Collection:** Harvesting of PII, credit card data, and online banking logins.
- **Exfiltration:** Data transmitted to attacker-controlled servers via web forms.
- **Impact:** Financial loss to victims, identity theft, and potential device compromise via malware.
## Impact Assessment
- **Financial:** High (Potential for thousands of drained bank accounts and unauthorized credit card charges).
- **Data Breach:** High-volume theft of PII (names, addresses, driver's licenses) and financial identifiers.
- **Operational:** Minimal disruption to agencies, but high volume of fraudulent inquiries to legitimate transport support lines.
- **Reputational:** Erosion of trust in official digital payment systems for tolls and fines.
## Indicators of Compromise
- **Network Indicators:**
  - hxxps[://]ca[.]gov-okqs[.]bond/portal
  - 31,900+ unique phishing URLs (often using keywords such as "gov," "toll," "fine," or "penalty").
- **Behavioral Indicators:**
  - Unsolicited SMS from short codes threatening arrest warrants or license suspension.
  - Instructions to reply "Y" so that the message's link becomes clickable.
  - Redirection from a purported government site to a third-party payment gateway.
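As an added detection example (not code from the Bitdefender report), the following Python scores an SMS against the behavioral and URL indicators listed above: a short-code sender, a toll or fine lure, a 24-72 hour deadline, a penalty threat, the reply-"Y" trick, and a host that carries official-sounding words outside a government suffix. The regex patterns, the threshold, the allowlisted suffixes and the sample messages are constructed assumptions; the `.bond` host is the IoC from this report in live form so `urlparse` can read it.

```python
import re
from urllib.parse import urlparse

# Heuristics derived from the campaign's lures: toll/parking debt, a 24-72 h
# deadline, threats (license suspension, arrest), the "reply Y" trick, and
# hosts that carry "gov"/"toll"-style words outside an official suffix.
LURE_RE = re.compile(r"\b(unpaid|outstanding|overdue)\s+(toll|parking|fine|penalty)", re.I)
DEADLINE_RE = re.compile(r"\b(within|in)\s+(24|48|72)\s*(h|hrs?|hours?)\b", re.I)
THREAT_RE = re.compile(r"\b(license suspension|arrest warrant|legal action|late fee)", re.I)
REPLY_Y_RE = re.compile(r"\breply\s+(with\s+)?[\"']?Y[\"']?\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
LOOKALIKE_WORDS = ("gov", "toll", "fine", "penalty", "dmv", "ezpass", "sunpass")
# Allowlisted suffixes are an assumption for this example; extend per region.
OFFICIAL_SUFFIXES = (".gov", ".gov.uk", ".gc.ca")

def lookalike_hosts(text):
    """Return hosts that use official-sounding words but sit outside an
    allowlisted government suffix (e.g. ca.gov-okqs.bond)."""
    hits = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if any(w in host for w in LOOKALIKE_WORDS) and not host.endswith(OFFICIAL_SUFFIXES):
            hits.append(host)
    return hits

def score_sms(sender, text, threshold=3):
    """Score one SMS; each matched indicator adds one point."""
    reasons = []
    if sender.isdigit() and 5 <= len(sender) <= 6:  # typical short-code length (assumption)
        reasons.append("short-code sender")
    for name, rx in (("toll/fine lure", LURE_RE), ("24-72h deadline", DEADLINE_RE),
                     ("threat of penalty", THREAT_RE), ("reply-Y link trick", REPLY_Y_RE)):
        if rx.search(text):
            reasons.append(name)
    for host in lookalike_hosts(text):
        reasons.append(f"lookalike host {host}")
    return {"score": len(reasons), "smishing": len(reasons) >= threshold, "reasons": reasons}

# Constructed sample messages (not real telemetry); the second one is a benign
# reminder whose host contains "toll" but ends in an allowlisted suffix.
SAMPLES = [
    ("89421", "E-ZPass: You have an unpaid toll of $6.99. Pay within 24 hours to avoid "
              "license suspension: https://ca.gov-okqs.bond/portal Reply Y and reopen to activate the link."),
    ("+15550100", "Your DMV appointment is confirmed for Tuesday 10:00. "
                  "Directions: https://tolls.example.gov/visit"),
]

if __name__ == "__main__":
    for sender, text in SAMPLES:
        print(sender, score_sms(sender, text))
```

The first sample triggers all six indicators and the second none, which shows why the host check keys on the suffix rather than on the keyword alone.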
## Response Actions
- **Containment:** Defanging and blacklisting of detected phishing URLs in security software.
- **Eradication:** Reporting of fraudulent domains to registrars.
- **Recovery:** Public awareness campaigns advising users to check official apps or websites directly rather than clicking SMS links.
## Lessons Learned
- **Key Takeaways:** Smishing remains one of the most effective vectors because of the inherent trust users place in SMS and the difficulty of verifying URLs on mobile screens.
- **Process Gaps:** Standard SMS filters struggle with high-velocity domain generation; cross-border coordination is required as attackers use the same templates in different jurisdictions.
## Recommendations
- **Mobile Security:** Install mobile security software with real-time "Scam Radar" or URL filtering capabilities.
- **Verification:** Never click links in SMS messages regarding fines. Always log in directly to a known, official government “.gov” or “.ca” portal.
- **MFA:** Enable Multi-Factor Authentication on all banking and transport accounts to prevent secondary access if credentials are stolen.