Cybersecurity researchers are warning of a “widespread and ongoing” SMS phishing campaign that’s been targeting toll road users in the United States for financial theft since mid-October 2024.
“The toll road smishing attacks are being carried out by multiple financially motivated threat actors using the smishing kit developed by ‘Wang Duo Yu,'” Cisco Talos researchers Azim Khodjibaev, Chetan Raghuprasad, and Joey Chen assessed with moderate confidence.
The phishing campaigns, per the company, impersonate U.S. electronic toll collection systems like E-ZPass, sending SMS messages and Apple iMessages to individuals across Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, and Kansas about an unpaid toll and clicking on a fake link sent in the chat.
It’s worth noting some aspects of the toll phishing campaign were previously highlighted by security journalist Brian Krebs in January 2025, with the activity traced back to a China-based SMS phishing service called Lighthouse that’s advertised on Telegram.
While Apple iMessage automatically disables links in messages received from unknown senders, the smishing texts urge recipients to respond with “Y” in order to activate the link – a tactic observed in phishing kits like Darcula and Xiū gǒu.
Should the victim click on the link and visit the domain, they are prompted to solve a fake image-based CAPTCHA challenge, after which they are redirected to a fake E-ZPass page (e.g., “ezp-va[.lcom” or “e-zpass[.]com-etcjr[.]xin”) where they are asked to enter their name and ZIP code to access the bill.
Targets are then asked to proceed further to make the payment on another fraudulent page, at which point all the entered personal and financial information is siphoned to the threat actors.
Talos noted that multiple threat actors are operating the toll road smishing campaigns by likely making use of a phishing kit developed by Wang Duo Yu, and that it has observed similar smishing kits being used by another Chinese organized cybercrime group known as the Smishing Triad.
Interestingly, Wang Duo Yu is also alleged to be the creator of the phishing kits used by Smishing Triad, per security researcher Grant Smith. “The creator is a current computer science student in China who is using the skills he’s learning to make a pretty penny on the side,” Smith revealed in an extensive analysis in August 2024.
Smishing Triad is known for conducting large-scale smishing attacks targeting postal services in at least 121 countries, using failed package delivery lures to coax message recipients into clicking on bogus links that request their personal and financial information under the guise of a supposed service fee for redelivery.
Furthermore, threat actors using these kits have attempted to enroll victims’ card details into a mobile wallet, allowing them to further cash out their funds at scale using a technique known as Ghost Tap.
The phishing kits have also been found to be backdoored in that the captured credit/debit card information is also exfiltrated to the creators, a technique known as double theft.
“Wang Duo Yu has crafted and designed specific smishing kits and has been selling access to these kits on their Telegram channels,” Talos said. “The kits are available with different infrastructure options, priced at US $50 each for a full-feature development, $30 each for proxy development (when the customer has a personal domain and server), $20 each for version updates, and $20 for all other miscellaneous support.”
As of March 2025, the e-crime group is believed to have focused their efforts on a new Lighthouse phishing kit that’s geared towards harvesting credentials from banks and financial organizations in Australia and the Asia-Pacific region, according to Silent Push.
The threat actors also claim to have “300+ front desk staff worldwide” to support various aspects of the fraud and cash-out schemes associated with the phishing kit.
“Smishing Triad is also selling its phishing kits to other maliciously aligned threat actors via Telegram and likely other channels,” the company said. “These sales make it difficult to attribute the kits to any one subgroup, so the sites are currently all attributed here under the Smishing Triad umbrella.”
In a report published last month, PRODAFT revealed that Lighthouse shares tactical overlaps with phishing kits such as Lucid and Darcula, and that it operates independently of the XinXin group, the cybercrime group behind the Lucid kit. The Swiss cybersecurity company is tracking Wang Duo Yu (aka Lao Wang) as LARVA-241.
“An analysis of attacks conducted using the Lucid and Darcula panels revealed that Lighthouse (Lao Wang / Wang Duo Yu) shares significant similarities with the XinXin group in terms of targeting, landing pages, and domain creation patterns,” PRODAFT noted.
Cybersecurity company Resecurity, which was the first to document Smishing Triad in 2023 and has also been tracking the scam toll campaigns, said the smishing syndicate has used over 60,000 domain names, making it challenging for Apple and Google to block the fraudulent activity in an effective manner.
“Using underground bulk SMS services enables cybercriminals to scale their operations, targeting millions of users simultaneously,” Resecurity said. “These services allow attackers to efficiently send thousands or millions of fraudulent IM messages, targeting users individually or groups of users based on specific demographics across various regions.”
