Full Report
The latest smishing scam follows a process familiar from scams the industry has seen over the past decade. The post "Who is sending those scammy text messages about unpaid tolls?" appeared first on CyberScoop.
Analysis Summary
# Tool/Technique: Smishing (Fake Toll Road Violations)
## Overview
This refers to a widespread, evolving social engineering scam conducted via SMS (text messages) impersonating official toll road collection agencies to trick victims into paying fictitious fines. The primary goal is to steal financial information, such as credit card numbers, rather than collecting the small stated fee.
## Technical Details
- Type: Technique (Social Engineering/Phishing)
- Platform: Mobile Devices (iOS via iMessage and Android)
- Capabilities: Mass distribution of deceptive text messages leveraging high public awareness/urgency related to common life events (tolls, packages).
- First Seen: The IC3 has fielded complaints about the toll road variant since March 2024.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (links are the mechanism, but the delivery vector is SMS/phishing)
    - T1566.004 - Phishing: Link in E-mail (applicable when messages are sent over iMessage from email accounts)
## Functionality
### Core Capabilities
- **Social Engineering:** Exploiting urgency and everyday occurrences (unpaid tolls, usually under $25) to bypass critical thinking for quick payment.
- **Domain/URL Abuse:** Registering tens of thousands of domains that use common toll collection subdomains (e.g., "ezdrive," "e-zpass," "sunpass," "fastrak") appended with uncommon or high-risk Top-Level Domains (TLDs).
- **Infrastructure Use:** Hosting malicious phishing sites primarily on networks owned by China-based providers (Tencent, Alibaba).
### Advanced Features
- **Delivery Vector Evasion:** Utilizing iMessage (Apple) and RCS (Rich Communication Services), protocols that are carried over the internet and therefore often bypass the spam and filter controls that operate on the carrier network.
- **Global Delivery:** Messages observed originating from UK/Philippines-based burner phone number ranges and delivered via email accounts, suggesting a cost-effective mass delivery strategy.
- **Massive Scale:** Researchers identified up to 57,000 malicious URLs associated with the campaign, indicating a high-volume, sustained operation.
## Indicators of Compromise
- File Hashes: N/A (This is a delivery/social engineering technique, not a specific piece of malware analyzed)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators:
  - Subdomains frequently abused: `ezdrive`, `e-zpass`, `fastrak`, `thetollroad`, `txtag`, `paturnpike`, `ohioturnpike`, `sunpass`, `bayareafastrak`.
  - Hosting ISPs/Networks: Tencent, Alibaba (China-based hosting).
- Behavioral Indicators:
  - Text messages threatening small penalties ($7-$25) for phantom toll violations.
  - Texts containing links to non-standard TLDs associated with toll keywords.
  - Messages delivered via iMessage from email accounts tied to UK/Philippines numbers.
## Associated Threat Actors
- Familiar cybercriminals (unspecified groups) with infrastructure and phishing kits originating from China.
## Detection Methods
- **Signature-based detection:** Monitoring for newly registered domains using high-risk TLDs combined with common toll/package service keywords in subdomains.
- **Behavioral detection:** Alerting on unexpected text messages that demand small payments via embedded links.
- **YARA rules:** Not explicitly mentioned, but patterns in URL structures and hosting infrastructure could be used.
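The signature-based check above, worked through as a small triage script over a newly-registered-domain feed. This is an added example, not code from the CyberScoop article: the toll keywords are the ones listed on this page, while the high-risk TLD set, the operator allowlist and the sample domains are constructed for illustration.

```python
"""Flag newly registered domains pairing a toll-brand keyword with a high-risk TLD.
Added example, not from the CyberScoop article; TLD set, allowlist and samples are constructed."""

# Label keywords the page reports as frequently abused.
TOLL_KEYWORDS = ("ezdrive", "e-zpass", "fastrak", "thetollroad", "txtag",
                 "paturnpike", "ohioturnpike", "sunpass", "bayareafastrak")
# Constructed set of TLDs treated as high-risk here; tune it to your own telemetry.
HIGH_RISK_TLDS = {"top", "xyz", "vip", "icu", "cfd", "sbs", "cyou"}
# Constructed allowlist of operator domains; replace with your verified list.
ALLOWLIST = {"ezdrivema.com", "e-zpassny.com", "sunpass.com", "bayareafastrak.org"}

def parse_domain(domain):
    """Normalise a hostname and split it into labels and its TLD."""
    labels = domain.strip().lower().rstrip(".").split(".")
    return labels, labels[-1]

def classify(domain):
    """Return a reason string when the domain matches the smishing pattern, else None."""
    labels, tld = parse_domain(domain)
    if ".".join(labels) in ALLOWLIST:
        return None
    # Compare with hyphens stripped so "e-zpass" and "ezpass" both match.
    keyword_label = next((lab for lab in labels[:-1] if any(
        k.replace("-", "") in lab.replace("-", "") for k in TOLL_KEYWORDS)), None)
    if keyword_label is None or tld not in HIGH_RISK_TLDS:
        return None
    return f"toll keyword in label '{keyword_label}' on high-risk TLD .{tld}"

def triage(domains):
    """Map each flagged domain in a newly-registered-domain feed to its reason."""
    hits = {}
    for dom in domains:
        reason = classify(dom)
        if reason:
            hits[dom] = reason
    return hits

# Constructed sample feed mixing lookalikes with benign names.
SAMPLE_NRD = ["ezdrive.com-pay.top", "e-zpass.tollbill.vip", "sunpass.com",
              "weather.example.org", "fastrak-violation.xyz"]

if __name__ == "__main__":
    for dom, why in triage(SAMPLE_NRD).items():
        print(f"{dom}: {why}")
```

Feed it the registrable domains from a daily NRD list or passive-DNS export; anything it flags is a candidate for blocking at the resolver and for an abuse report to the registrar.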
## Mitigation Strategies
- **Vigilance:** Treating unexpected texts from unknown senders with skepticism.
- **Link Avoidance:** Do not click links in unverified text messages, regardless of the stated urgency or low amount.
- **Reporting:** Reporting unwanted texts as spam, blocking the sending number, and forwarding the message text to 7726 (“SPAM”) to the wireless provider.
- **Auditing:** Remain vigilant for non-U.S. country codes and watch for suspicious TLDs.
## Related Tools/Techniques
- Phishing/Smishing campaigns related to missed package deliveries (e.g., FedEx, UPS).
- Previous smishing campaigns utilizing low-dollar payment requests to harvest high-value data.