Full Report
The latest smishing scam follows the same familiar process as scams the industry has seen over the past decade. The post Who is sending those scammy text messages about unpaid tolls? appeared first on CyberScoop.
Analysis Summary
# Tool/Technique: Smishing Campaign (Unpaid Toll Violations)
## Overview
This is a large-scale, nationwide social engineering campaign that uses SMS (text messages) to trick recipients into paying phantom unpaid road toll violations. The goal is to steal financial information (such as credit card numbers) rather than to collect the small stated amount (typically under $25).
## Technical Details
- Type: Technique (Smishing/Phishing via SMS)
- Platform: Mobile Phones (Apple iMessage and Android RCS/SMS)
- Capabilities: Distribution of malicious links via text messages to capture user data via fraudulent websites, leveraging time-sensitive or authoritative topics (toll violations).
- First Seen: Complaints fielded by IC3 since March 2024.
## MITRE ATT&CK Mapping
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (Less applicable, but related to delivery)
- T1566.003 - Social Media Phishing (The text message delivery mechanism functions similarly to social media/messaging platform compromise)
## Functionality
### Core Capabilities
- **Social Engineering:** Exploiting everyday life scenarios (toll payments) combined with threats (penalties, suspended registrations) to elicit immediate action.
- **Low-Dollar Lure:** Requesting small amounts of money to encourage quick payment without scrutiny.
- **Widespread Use of Malicious URLs:** Deploying tens of thousands of unique URLs pointing to phishing sites.
### Advanced Features
- **Domain Squatting/Impersonation:** Using subdomains mimicking legitimate toll agencies (e.g., "ezdrive," "e-zpass," "sunpass") coupled with uncommon Top-Level Domains (TLDs) associated with cybercrime.
- **Delivery Evasion:** Messages are often delivered via iMessage (over the internet) or RCS, circumventing traditional wireless network-based spam/infrastructure filters.
- **International Infrastructure:** Infrastructure and phishing kits attributed to cybercriminals originating from China, using name servers resolving to popular global hosting providers (Tencent, Alibaba) in the US, Singapore, and Japan for hosting.
- **Multi-Channel Delivery:** Messages observed originating from UK- and Philippines-based SIM cards and delivered via email accounts (researchers suspect this is a cheaper delivery method).
## Indicators of Compromise
- File Hashes: N/A (Campaign based on delivery and landing pages)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators:
  - Associated subdomains used in malicious links: `ezdrive`, `e-zpass`, `fastrak`, `thetollroad`, `txtag`, `paturnpike`, `ohioturnpike`, `sunpass`, `bayareafastrak`.
  - Hosting networks linked to China-based firms Tencent and Alibaba.
- Behavioral Indicators:
  - Receipt of unsolicited text messages regarding unpaid tolls demanding immediate action or referencing potential penalties.
  - Texts delivered via iMessage originating from unusual email addresses, or texts referencing outdated/unverified toll charges.
## Associated Threat Actors
- Unspecified cybercriminal groups, noted by researchers as "the same folks who are doing all sorts of text-based scams," with infrastructure linked to China.
## Detection Methods
- Signature-based detection: Not highly effective on its own, because the campaign uses a large volume of unique, rapidly registered domains.
- Behavioral detection: Monitoring for attempts to navigate to URLs that place a known toll-agency name in a subdomain of an unrelated domain, use a suspicious TLD, or resolve to recently registered domains on the hosting providers noted above.
- YARA rules: Not explicitly mentioned, but signatures targeting the specific TLDs or common scam text phrasing could be developed.
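The behavioral heuristics above, combined into a simple message scorer as an added example (not from the CyberScoop article or any vendor tool). It assumes an `EXPECTED_TLDS` set and a `FLAG_THRESHOLD` that a deployer would tune; the sample messages, senders and domains are constructed placeholders, not real indicators.

```python
import re
from urllib.parse import urlparse

# Toll-agency brand strings the report lists as abused in scam-link subdomains.
TOLL_BRANDS = ("ezdrive", "e-zpass", "ezpass", "fastrak", "thetollroad", "txtag",
               "paturnpike", "ohioturnpike", "sunpass", "bayareafastrak")
EXPECTED_TLDS = {"com", "gov", "org", "net", "us"}  # assumption: TLDs a real U.S. agency would use
URGENCY_RE = re.compile(r"penalt|suspen|immediate|final notice|within \d+ hours?", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
FLAG_THRESHOLD = 2  # assumption: tune to your own false-positive tolerance

def assess_url(url):
    """Points and reasons for one link: brand-as-subdomain (2) and uncommon TLD (1)."""
    labels = (urlparse(url).hostname or "").lower().rstrip(".").split(".")
    if len(labels) < 2:
        return 0, []
    tld, registrable, subdomain = labels[-1], ".".join(labels[-2:]), ".".join(labels[:-2])
    points, reasons = 0, []
    # "e-zpass.<unrelated-domain>.<tld>": brand in a subdomain label, registrable domain unrelated.
    sub_hits = [b for b in TOLL_BRANDS if b in subdomain]
    if sub_hits and not any(b in registrable for b in TOLL_BRANDS):
        points += 2
        reasons.append(f"brand '{sub_hits[0]}' only as a subdomain of {registrable}")
    if tld not in EXPECTED_TLDS:
        points += 1
        reasons.append(f"uncommon TLD .{tld}")
    return points, reasons

def score_message(sender, text):
    """Score one SMS/iMessage; suspicious once points reach FLAG_THRESHOLD."""
    points, reasons = 0, []
    if "@" in sender:  # iMessage delivered from an e-mail address rather than a phone number
        points += 1
        reasons.append("sender is an e-mail address")
    if URGENCY_RE.search(text):  # penalty / suspension / deadline pressure
        points += 1
        reasons.append("urgency or penalty language")
    for url in URL_RE.findall(text):
        p, r = assess_url(url)
        points += p
        reasons.extend(r)
    return {"points": points, "suspicious": points >= FLAG_THRESHOLD, "reasons": reasons}

# Constructed sample messages; senders and domains are placeholders, not real indicators.
SAMPLES = [
    ("tollnotice99@mail.example", "Toll Services: unpaid toll $6.99. Pay within 24 hours to avoid "
     "a penalty and registration suspension: https://e-zpass.toll-bill-notice.xyz/pay"),
    ("+15550100", "Your SunPass statement is ready: https://account.sunpass-agency.example/statements"),
    ("+15550199", "Reminder: dentist appointment Tuesday 3pm. Reply C to confirm."),
]
```

Only the first sample crosses the threshold; the second collects one point for its reserved `.example` TLD and shows that an uncommon TLD alone does not flag a message.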
## Mitigation Strategies
- **User Vigilance:** Treat unexpected texts, especially those demanding immediate payment or threatening penalties, with skepticism.
- **Do Not Click:** Users are advised not to click links in unexpected text messages.
- **Reporting:** Report unwanted texts as spam, block sending numbers, and forward the message to **7726** (SPAM) to report to wireless providers.
- **Look for Anomalies:** Be wary of non-U.S. country codes and unusual TLDs appended to familiar service names.
## Related Tools/Techniques
- Phishing Campaigns (e.g., missed package delivery scams, DriDX-related email scams).
- General Smishing campaigns.