
Cybersecurity researchers are warning of a “comprehensive and running” SMS phishing campaign that has been targeting toll road users in the United States for financial theft since mid-October 2024.
“Toll road smishing attacks are being evaluated by several economically motivated threat actors, which have been evaluated by ‘Wang Duo Yu,’” Cisco Talos researchers Azim Khodjibaev, Chetan Raghuprasad, and Joey Chen assessed with moderate confidence.
According to the company, the phishing campaign poses as American electronic toll collection systems such as E-ZPass, sending SMS messages and Apple iMessages about a fake toll to individuals in Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois and Kansas and urging them to click on a fake link.
It is worth noting that some aspects of the toll phishing campaign were highlighted earlier, in January 2025, by security journalist Brian Krebs, in connection with a China-based SMS phishing service called Lighthouse that is advertised on Telegram.
While Apple iMessage automatically disables links in messages received from unknown senders, the smishing texts urge recipients to respond with “Y” to activate the link, a tactic seen in phishing kits like Darcula and Xiū gǒu.
Should the victim click on the link and visit the domain, they are prompted to solve a fake image-based CAPTCHA challenge, after which they are taken to a fake E-ZPass page (e.g., “EZP-VA[.lcom” or “e-zpass[.]com-ETCJR[.]Shin”) where they are asked to enter their name and ZIP code to reach the bill.
The target is then asked to proceed to pay on another fraudulent page, at which point all the personal and financial information entered is handed to the threat actors.
Talos said that several threat actors are running toll road smishing operations using a phishing kit developed by Wang Duo Yu, and that similar smishing kits are being used by another Chinese organized cybercrime group known as Smishing Triad.
Interestingly, Wang Duo Yu has also been alleged to be the creator of a phishing kit used by Smishing Triad, according to security researcher Grant Smith. Smith revealed in a comprehensive analysis in August 2024, “The manufacturer is a current computer science student in China using the skill he is learning to make beautiful money on the side.”
Smishing Triad is known for conducting large-scale smishing attacks targeting postal services in at least 121 countries, using failed package delivery lures to coax message recipients into clicking on bogus links that request their personal and financial information under the guise of an alleged service fee for redelivery.
In addition, threat actors using these kits have attempted to enroll victims’ card details in a mobile wallet, allowing them to move the victims’ funds at scale using a technique known as Ghost Tap.
The phishing kit has also been backdoored so that captured credit/debit card information is also exfiltrated to its creators, a technique known as double theft.
“Wang Duo Yu has designed the specific smishing kits and is selling access to these kits on their Telegram channels,” Talos said. “Kits are available with different infrastructure options, priced at US $50 each for a complete-facility development, $30 each for proxy development (when the customer has an individual domain and server), $20 for updates, and $20 for all other diverse support.”
By March 2025, the e-crime group is believed to have focused its efforts on a new Lighthouse phishing kit, which, according to Silent Push, is geared toward harvesting credentials from banks and financial organizations in Australia and the Asia-Pacific region.
The threat actors have also claimed to have “300+ front desk staff worldwide” to support various aspects of the phishing kits and cash-out schemes.
“Smishing Triad is also selling its phishing kit to other maliciously aligned threat actors through Telegram and other channels,” the company said. “These sales make it difficult to characterize the kit for one subgroup, so the sites are currently all attributed here.”
In a report published last month, Prodaft revealed that Lighthouse shares strategic overlaps with phishing kits such as Lucid and Darcula, and that it operates independently of the XinXin group, the cybercrime group behind the Lucid kit. The Swiss cybersecurity company is tracking Wang Duo Yu (aka Lao Wang) as LARVA-241.
“An analysis of attacks carried out using Lucid and Darcula panels showed that Lighthouse (Lao Wang / Wang Duo Yu) shares important similarities with the XinXin group in terms of landing pages and domain manufacturing patterns,” said Prodaft.
Cybersecurity company Resecurity, which was the first to document Smishing Triad in 2023 and has also been tracking the toll scam operations, said that the smishing syndicate has used more than 60,000 domain names, which makes it challenging for Apple and Google to block the fraudulent activity in an effective way.
“Using underground bulk SMS services enables cybercriminals to scale their operations, targeting millions of users simultaneously,” Resecurity said. “These services allow the attackers to send thousands or millions of fraudulent IM messages efficiently, targeting users personally or in various fields based on specific demographics.”
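
For defenders triaging reported lure links, the following added Python example (not from Talos, Resecurity or the original article) flags hostnames shaped like the article's "e-zpass[.]com-ETCJR" indicator, where the brand and a "com-" label sit in front of the domain that was actually registered. The watched brand tokens, the allowlist and the `.example` sample hosts are constructed assumptions, and the registrable domain is approximated as the last two labels.

```python
import re

# Brand tokens taken from the article's example lures (assumption: tune per brand).
WATCHED = ("e-zpass", "ezpass", "ezp")
# A label such as "com-etcjr" that mimics a TLD but is really the registered name.
FAKE_TLD_LABEL = re.compile(r"^(com|org|net|gov)-[a-z0-9-]+$")

def hostname(indicator):
    """Refang a reported indicator and return just its lowercase hostname."""
    s = indicator.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    s = re.sub(r"^hxxp", "http", s)
    s = re.sub(r"^[a-z][a-z0-9+.-]*://", "", s)   # drop scheme
    s = re.split(r"[/?#]", s, maxsplit=1)[0]      # drop path, query, fragment
    s = s.rsplit("@", 1)[-1]                      # drop userinfo
    return s.split(":", 1)[0].rstrip(".")         # drop port and trailing dot

def classify(indicator, allowlist=frozenset()):
    """Return a triage verdict for one reported link or hostname."""
    labels = hostname(indicator).split(".")
    if len(labels) < 2 or not all(labels):
        return "invalid"
    # Naive registrable domain: last two labels (no public-suffix handling).
    if ".".join(labels[-2:]) in allowlist:
        return "allowlisted"
    if (len(labels) >= 3 and FAKE_TLD_LABEL.match(labels[-2])
            and any(b in labels[-3] for b in WATCHED)):
        return "fake-tld-label"      # brand.com-xxxx.tld
    if any(b in lab for lab in labels for b in WATCHED):
        return "brand-token"         # brand string somewhere in the host
    return "no-match"

# Constructed samples on the reserved .example TLD, not real indicators.
SAMPLES = [
    "e-zpass[.]com-abcde[.]example",
    "hxxps://ezp-va[.]example/pay?id=1",
    "www.e-zpass.example",
    "news.example.org",
]

def triage(indicators, allowlist=frozenset()):
    return {i: classify(i, allowlist) for i in indicators}

if __name__ == "__main__":
    for ind, verdict in triage(SAMPLES, {"e-zpass.example"}).items():
        print(f"{verdict:15} {ind}")
```

With tens of thousands of rotating domains, a shape-based check like this complements per-domain blocklists rather than replacing them; verdicts other than "allowlisted" still need analyst review.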