Scammers are sending fake "Notice of Default" traffic violation text messages impersonating state courts across the U.S., pressuring recipients to scan a QR code that leads to a phishing site demanding a $6.99 payment while stealing personal and financial information. [...]
# Incident Report: Multi-State "Notice of Default" Quishing Campaign
## Executive Summary
Threat actors are running a large-scale smishing and quishing (QR code phishing) campaign that impersonates U.S. state courts and DMV agencies. Using high-pressure "Notice of Default" language, the messages push victims to scan a QR code and pay a fraudulent $6.99 fee; the payment page harvests PII and full payment-card data. The campaign is notable for delivering its link as a QR image rather than as text, and for placing a CAPTCHA in front of the phishing page, both of which frustrate automated filtering and scanning.
## Incident Details
- **Discovery Date:** April 5, 2026 (Reported)
- **Incident Date:** Ongoing (Commenced late March/early April 2026)
- **Affected Organization:** Residents of various U.S. states; Impersonated agencies include NY Criminal Court, NY DMV, and various state toll agencies.
- **Sector:** Government / Public Sector (Impersonation) / General Public (Target)
- **Geography:** United States (NY, CA, NC, IL, VA, TX, CT, NJ reported)
## Timeline of Events
### Initial Access
- **Date/Time:** Circa mid-March 2026
- **Vector:** SMS (Smishing)
- **Details:** Recipients receive a text message claiming to be an "urgent warning" about an outstanding traffic violation. The message carries an image of a "Notice of Default" with an embedded QR code; the destination URL exists only inside that image, not in the message text.
### Lateral Movement
- **N/A:** This is an external phishing campaign targeting individuals rather than an enterprise network intrusion.
### Data Exfiltration/Impact
- **Data Stolen:** Full Name, Physical Address, Phone Number, Email Address, and Credit Card details (PAN, CVV, Expiry).
- **Financial Impact:** Direct theft of $6.99 (initial "fine") followed by unauthorized credit card charges.
### Detection & Response
- **Detection:** Reported by users to BleepingComputer and shared across social media/reporting platforms.
- **Response Actions:** State agencies (e.g., NY Governor's office) issued public warnings. Security researchers identified phishing domains for takedown requests.
## Attack Methodology
- **Initial Access:** SMS messaging using aggressive legal language ("Formal enforcement stage").
- **Persistence:** Not applicable; transaction-based theft.
- **Privilege Escalation:** N/A.
- **Defense Evasion:** Delivery of the link as a **QR code** image rather than a hyperlink, so URL- and keyword-based SMS filters see no link at all; a **CAPTCHA** on the intermediary page that stops automated crawlers and URL scanners from reaching the payment form.
- **Credential Access:** No account credentials are targeted; the fake DMV/Court payment portal harvests PII and payment-card data through social engineering.
- **Discovery:** N/A.
- **Lateral Movement:** N/A.
- **Collection:** Victim-entered form fields (PII and card details) captured by the phishing payment page.
- **Exfiltration:** Form submissions sent over HTTPS to the attacker-controlled hosts (the phishing domains listed below).
- **Impact:** Financial fraud and Identity Theft.
## Impact Assessment
- **Financial:** Widespread small-dollar fraud ($6.99 per victim) plus subsequent larger-scale credit card fraud.
- **Data Breach:** Exposure of sensitive PII (Name, Address) and financial data.
- **Operational:** Increased call volume and support burden for legitimate state court and DMV help desks.
- **Reputational:** Erosion of trust in official SMS communications from government entities.
## Indicators of Compromise
- **Network Indicators** (defanged; replace `[.]` with `.` before use):
- ny.gov-skd[.]org
- ny.ofkhv[.]life
- **File Indicators:**
- Image files containing QR codes impersonating "Criminal Court of the City of New York."
- **Behavioral Indicators:**
- SMS messages originating from unknown numbers regarding "Notice of Default."
- Request for a specific, low-dollar amount ($6.99).
- Redirection through a CAPTCHA before reaching a payment page.
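The indicators above can be turned into a small triage routine for a messaging gateway or a help-desk tool that already decodes QR images. The following is an added example, not code from the report or from any of the agencies mentioned: it scores an inbound SMS against the behavioral indicators, refangs the two listed domains and matches the decoded QR URL against them, and returns a verdict. The regex phrasings, the hit thresholds and the three sample messages (fictional 555-01xx senders, a reserved example.net domain) are this example's own constructions.

```python
import re
from urllib.parse import urlparse

# Network indicators quoted in the report, kept defanged in the source and
# refanged at load time so they never appear as clickable links in the listing.
DEFANGED_IOC_DOMAINS = ["ny.gov-skd[.]org", "ny.ofkhv[.]life"]
IOC_DOMAINS = {d.replace("[.]", ".").lower() for d in DEFANGED_IOC_DOMAINS}

# Text indicators. The labels and regexes are this example's own choices, built
# from the phrases the report quotes ("Notice of Default", "Formal enforcement
# stage", "urgent warning", the $6.99 fee, the instruction to scan a code).
TEXT_INDICATORS = [
    ("notice_of_default", re.compile(r"notice\s+of\s+default", re.I)),
    ("enforcement_language", re.compile(r"formal\s+enforcement\s+stage|urgent\s+warning", re.I)),
    ("fee_6_99", re.compile(r"\$\s*6\.99(?!\d)")),
    ("qr_instruction", re.compile(r"\bscan\b.{0,40}\b(qr|code)\b", re.I | re.S)),
    ("agency_claim", re.compile(r"\b(court|dmv|department of motor vehicles)\b", re.I)),
]

# Illustrative threshold, not a calibrated model: a known IOC domain is always
# malicious; otherwise this many independent hits is treated as malicious.
MALICIOUS_HITS = 4


def host_of(url):
    """Lowercased hostname of a URL with any trailing dot removed, or None."""
    try:
        host = urlparse(url.strip()).hostname
    except ValueError:
        return None
    return host.rstrip(".").lower() if host else None


def matches_ioc(host):
    """True when host equals, or is a subdomain of, a listed IOC domain."""
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def triage(message):
    """Score one SMS plus the URL decoded from its QR image.

    message keys: 'sender' (E.164 string or short code), 'text' (message body)
    and 'qr_url' (decoded QR payload, or None when there is no image).
    Returns (verdict, hits) with verdict in {'malicious', 'suspicious', 'clean'}.
    """
    hits = [label for label, pat in TEXT_INDICATORS if pat.search(message["text"])]

    # A court/DMV claim arriving from an ordinary ten-digit US number rather
    # than a registered short code is itself a behavioral indicator.
    if "agency_claim" in hits and re.fullmatch(r"\+1\d{10}", message["sender"]):
        hits.append("agency_claim_from_ordinary_number")

    ioc_hit = False
    if message.get("qr_url"):
        hits.append("qr_payload_present")
        host = host_of(message["qr_url"])
        if host and matches_ioc(host):
            hits.append("known_ioc_domain:" + host)
            ioc_hit = True

    if ioc_hit or len(hits) >= MALICIOUS_HITS:
        return "malicious", hits
    if hits:
        return "suspicious", hits
    return "clean", hits


# Constructed sample messages (not real captures). 555-01xx numbers are reserved
# for fiction and example.net is a reserved documentation domain.
SAMPLE_MESSAGES = [
    {   # mirrors the campaign described in the report
        "sender": "+12025550143",
        "text": ("Criminal Court of the City of New York - urgent warning: your traffic "
                 "violation has entered the formal enforcement stage. Scan the QR code "
                 "in the attached Notice of Default to pay $6.99 and avoid suspension."),
        "qr_url": "https://ny.gov-skd.org/pay",
    },
    {   # same lure on infrastructure that is not yet on the IOC list
        "sender": "+12025550188",
        "text": "Notice of Default: scan the QR code to settle your toll balance today.",
        "qr_url": "https://toll-notice.example.net/",
    },
    {   # benign reminder with no lure and no QR image
        "sender": "+12025550177",
        "text": "Reminder: your prescription is ready for pickup at the Main St pharmacy.",
        "qr_url": None,
    },
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        verdict, hits = triage(m)
        print(f"{verdict:10s} {m['sender']}  {', '.join(hits) or '-'}")
```

The second sample is the reason the text indicators exist at all: once the actors rotate to fresh domains, the IOC match goes silent and only the lure's wording and the presence of a QR payload remain. The subdomain match in `matches_ioc` is deliberate, since phishing kits commonly serve from hostnames under the registered domain.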
## Response Actions
- **Containment:** Domain registrar notifications to suspend known phishing hostnames.
- **Eradication:** There is no malware or persistence on victim devices to remove; the campaign is suppressed by suspending its domains and by public service announcements (PSAs) from state governors and DMV officials that shrink the pool of responsive victims.
- **Recovery:** Victims advised to monitor bank statements and contact financial institutions to cancel compromised cards.
## Lessons Learned
- **Bypassing Filters:** Threat actors are moving from text links to image-based QR codes, so URL- and keyword-based SMS filtering never sees the destination; any control that inspects only message text misses the lure entirely.
- **Human Factor:** A small amount ($6.99) lowers suspicion: paying the "fine" feels cheaper than contesting it or checking its legitimacy, while the card details entered on the payment page are worth far more to the attacker than the fee itself.
- **Evolving Verification:** The CAPTCHA gate does double duty: it lends the site a veneer of legitimacy, and it stops URL scanners and crawlers from reaching the harvesting form, so the destination looks benign to automated analysis.
## Recommendations
- **Public Awareness:** Educate citizens that state agencies and courts do not demand payment by SMS and do not deliver legal notices as text-message images with QR codes.
- **SMS Security:** Deploy mobile threat defense (MTD) solutions that decode QR images inside messages and evaluate the embedded URL, rather than inspecting message text alone.
- **Verification:** Verify any outstanding ticket directly through the official `.gov` website by typing its address into a browser, never by following a link or scanning a code from a message. Check the end of the hostname, not its contents: a lookalike such as ny.gov-skd[.]org contains "ny.gov" but is registered under `.org`; only a hostname whose final label is `.gov` is a U.S. government domain.
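The ".gov" check in the verification recommendation is easy to get wrong with a substring match, which is exactly what lookalikes such as ny.gov-skd[.]org exploit. The following is an added example, not code from the report or from any state agency, showing the check done on the final DNS label of the parsed hostname. It uses `urllib.parse` so that userinfo tricks (`https://ny.gov@evil.example/`) resolve to the real host; the lookalike heuristic, the `evil.example` host and the sample URL list are this example's own constructions.

```python
from urllib.parse import urlparse


def hostname(url):
    """Lowercased hostname of a URL, trailing dot removed; None if absent or unparseable.

    A bare 'dmv.ny.gov/tickets' gets a scheme so urlparse treats it as a URL.
    Parsing the authority properly matters: in https://ny.gov@evil.example/ the
    'ny.gov' part is userinfo and the real host is evil.example.
    """
    u = url.strip()
    if "://" not in u:
        u = "https://" + u
    try:
        host = urlparse(u).hostname
    except ValueError:          # e.g. a malformed IPv6 literal such as http://[bad
        return None
    return host.rstrip(".").lower() if host else None


def is_us_gov_host(host):
    """True only when the last DNS label is 'gov', i.e. the name is registered under .gov."""
    labels = host.split(".")
    return len(labels) >= 2 and all(labels) and labels[-1] == "gov"


def is_gov_lookalike(host):
    """Not under .gov, but carrying a 'gov' label or a 'gov-'/'-gov' fragment somewhere,
    the pattern of ny.gov-skd[.]org. Narrow on purpose: it will not flag 'nygov.org'."""
    if is_us_gov_host(host):
        return False
    return any(lbl == "gov" or lbl.startswith("gov-") or lbl.endswith("-gov")
               for lbl in host.split("."))


def classify(url):
    """Return 'gov', 'lookalike', 'non-gov' or 'unparseable' for the host of url."""
    host = hostname(url)
    if host is None:
        return "unparseable"
    if is_us_gov_host(host):
        return "gov"
    if is_gov_lookalike(host):
        return "lookalike"
    return "non-gov"


# Constructed inputs: the two defanged domains from the report (refanged here),
# a genuine-looking .gov name, and two URL tricks a lure might use.
SAMPLE_URLS = [
    "https://ny.gov-skd.org/pay",
    "https://ny.ofkhv.life/",
    "HTTPS://DMV.NY.GOV./tickets",
    "https://ny.gov.evil.example/login",
    "https://ny.gov@evil.example/pay",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{classify(u):12s} {u}")
```

A `gov` verdict means only that the registrable domain sits under the `.gov` top-level domain, whose registration is restricted to U.S. government entities; it does not prove the page is the one the user expects, which is why the recommendation is still to type the known address rather than to trust a scanned one.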