Cybersecurity researchers have raised alarms over a widespread smishing campaign targeting U.S. toll road users since mid-October 2024. The operation aims to steal financial data using fake toll notifications.
Cisco Talos reports that multiple financially driven threat actors are behind the attacks. They are using a phishing kit created by an individual known as Wang Duo Yu.
Victims receive SMS and Apple iMessage alerts mimicking toll systems like E-ZPass. The message claims there’s an unpaid toll and includes a fraudulent link. Targets in Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, and Kansas have been affected.
Security journalist Brian Krebs earlier linked these smishing operations to Lighthouse, a China-based phishing service sold on Telegram. Though iMessage renders links from unknown senders as non-clickable text, attackers bypass this by instructing recipients to reply "Y", which turns the sender into a known contact and makes the link tappable.
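The lure described above combines several signals that a message-level filter can key on: a toll-operator brand, an "unpaid"/"late fee" pretext, a dollar amount, a link, and the "reply Y" instruction. The following is an added example, not code from the original article or from Cisco Talos, that scores SMS text on those signals and extracts the linked domain (refanging the `[.]` notation that threat reports use). The sample messages, the `KNOWN_GOOD` allowlist and all domain names are constructed for illustration, not real campaign IOCs.

```python
import re
from dataclasses import dataclass, field

# Constructed sample messages (hypothetical domains, not real IOCs).
SAMPLES = {
    "lure": ("E-ZPass: You have an unpaid toll of $6.99. To avoid a late fee "
             "of $35.00 pay now at https://ezp-pay-notice[.]example/bill "
             "(Reply Y, then exit and reopen this message to open the link)"),
    "benign": "Your package was delivered. Thanks for shopping with us!",
    "vendor": "Reminder: your E-ZPass statement is available at https://www.ezpass.example/",
}

# Hypothetical allowlist of legitimate operator domains (assumption for the example).
KNOWN_GOOD = {"ezpass.example"}

TOLL_TERMS = ("e-zpass", "ezpass", "sunpass", "fastrak", "toll")
# Domain with normal or defanged ([.]) dots; optional http/hxxp scheme; TLD must be alphabetic
# so that amounts like $6.99 are not mistaken for hostnames.
URL_RE = re.compile(r"(?:h(?:tt|xx)ps?://)?((?:[a-z0-9-]+(?:\[\.\]|\.))+[a-z]{2,})", re.I)
REPLY_Y_RE = re.compile(r"\breply\s+(?:with\s+)?['\"]?y['\"]?\b", re.I)
URGENCY_RE = re.compile(r"\b(?:unpaid|overdue|outstanding|late fee|penalt(?:y|ies)|suspend\w*)\b", re.I)
AMOUNT_RE = re.compile(r"\$\d+(?:\.\d{2})?")


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)
    domains: list = field(default_factory=list)


def refang(domain: str) -> str:
    """Turn report-style 'ezp-va[.]example' back into a real hostname."""
    return domain.replace("[.]", ".")


def is_allowlisted(domain: str) -> bool:
    return any(domain == good or domain.endswith("." + good) for good in KNOWN_GOOD)


def analyze_sms(text: str) -> Verdict:
    """Heuristic scoring of one SMS/iMessage body for the toll-smishing pattern."""
    v = Verdict()
    lowered = text.lower()

    if any(term in lowered for term in TOLL_TERMS):
        v.score += 2
        v.reasons.append("toll-operator brand")
    if URGENCY_RE.search(text):
        v.score += 2
        v.reasons.append("unpaid/late-fee pretext")
    if AMOUNT_RE.search(text):
        v.score += 1
        v.reasons.append("dollar amount")

    seen = set()
    for raw in URL_RE.findall(text):
        dom = refang(raw).lower()
        if dom not in seen:
            seen.add(dom)
            v.domains.append(dom)
    if v.domains:
        v.score += 1
        v.reasons.append("contains link")
        if not all(is_allowlisted(d) for d in v.domains):
            v.score += 1
            v.reasons.append("link to non-allowlisted domain")

    # The strongest single indicator: the instruction to reply "Y" exists only to
    # defeat iMessage's handling of links from unknown senders.
    if REPLY_Y_RE.search(text):
        v.score += 3
        v.reasons.append("reply-Y lure")
    return v


def is_toll_smishing(text: str, threshold: int = 6) -> bool:
    return analyze_sms(text).score >= threshold


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        verdict = analyze_sms(body)
        print(f"{name:7s} score={verdict.score:2d} domains={verdict.domains} reasons={verdict.reasons}")
```

The threshold is deliberately above the weight of any single signal, so a genuine operator notice that mentions a brand and carries a link (the `vendor` sample) is not flagged, while the lure, which stacks brand, pretext, amount, an unknown domain and the reply-Y instruction, is. Extracted domains are returned refanged so they can be fed straight into a blocklist or a DNS query.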
Fake Sites and Ghost Tap Tactics
If a user clicks the link, they first see a CAPTCHA, a gate that also hinders automated crawlers and URL scanners. They are then redirected to a fake toll payment page (e.g., ezp-va[.]lcom). Victims are asked to enter their name, ZIP code, and payment card details, which are harvested by the attackers.
These phishing kits are being used by Smishing Triad, a Chinese cybercrime group. Their tactics also include enrolling stolen card details into mobile wallets such as Apple Pay and Google Wallet and relaying tap-to-pay (NFC) transactions from them, a method called Ghost Tap, which allows rapid cashouts before the card is blocked.
Notably, the kits are backdoored: the stolen data is also exfiltrated to the kit's creator, a practice known as double theft.
Wang Duo Yu, a computer science student, allegedly sells the kits for $50 (full dev), $30 (proxy dev), and $20 (updates/support). He markets them via Telegram, offering custom infrastructure options.
As of March 2025, Smishing Triad is also targeting banks in the Asia-Pacific region using an evolved version of Lighthouse.
Underground tools like Oak Tel enable mass delivery of these messages, offering dashboards, spoofing, APIs, and bulk SMS tools. Over 60,000 domain names have been used, complicating takedown efforts by Apple and Google.
Cyber firms say that these underground services are key to scaling attacks and targeting victims across regions. Smishing Triad is also selling its tools to other threat actors, making attribution increasingly complex.