Chinese Cybercriminals Exploit SMS Phishing to Target U.S. Toll Users

A recent surge in SMS phishing targeting U.S. toll road users has emerged, attributed to advanced phishing tools developed by sophisticated China-based cybercriminal groups. This trend illustrates a broader shift within the cybercrime landscape, where certain Chinese cybercriminal organizations have moved from package delivery schemes to toll road scams, utilizing highly advanced phishing kits. These phishing attempts, also known as “smishing,” are crafted with the explicit intention of defrauding individuals by impersonating toll road operators like E-ZPass. The advanced nature of these scams, including the effectiveness of phishing kits that mimic legitimate toll operator websites, has resulted in numerous successful thefts of sensitive information and significant financial losses.

Surge in SMS Phishing Attacks

The primary focus is the considerable rise in SMS phishing attacks that convincingly impersonate toll road operators. Victims often receive deceptive text messages suggesting they owe overdue toll fees, and they are coerced into entering personal information. This may include payment card details and one-time passwords received via SMS or authentication apps. Unsuspecting individuals, believing the messages to be genuine, provide this sensitive information, which cybercriminals then exploit for unauthorized purchases or money laundering activities.
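The lure described above (operator name, overdue-fee urgency, a link to a lookalike host that then asks for card details and a one-time code) is regular enough that a fraud or SOC team can triage forwarded messages automatically. The Python below is an added example, not code from the article or from any operator or vendor named in it; the sample messages, the operator-domain allowlist and every `.example` host are constructed placeholders, and the scoring weights are an assumption you would tune against your own reports.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages for this example; they are not captured lures and the
# hosts are placeholders, not any operator's real domain or any real phishing host.
SAMPLE_MESSAGES = [
    "EZDriveMA: We've noticed an outstanding toll amount of $12.51 on your record. "
    "To avoid a late fee of $50.00, pay now at https://ezdrivema-pay.example-xyz.top/bill",
    "Your SunPass toll is overdue. Settle within 24 hours to avoid suspension: "
    "http://sunpass.example-abc.vip/i",
    "Reminder: your dentist appointment is tomorrow at 10am. Reply C to confirm.",
    "EZDriveMA statement available. Log in at https://ezdrivema.example to view.",
]

# Placeholder allowlist (assumption): in practice, populate it with the domains each
# operator publishes, so that a link to the real site is not flagged.
OPERATOR_DOMAINS = {"ezdrivema.example", "sunpass.example", "ntta.example"}
OPERATOR_TERMS = ["ezdrivema", "e-zpass", "ezpass", "sunpass", "ntta", "toll"]
URGENCY_TERMS = ["overdue", "outstanding", "late fee", "within 24 hours",
                 "suspend", "final notice", "pay now"]
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels (good enough for triage)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def score_message(text: str) -> dict:
    """Score one message; a higher score means more indicators of a toll-themed lure."""
    lowered = text.lower()
    score, reasons = 0, []
    if any(t in lowered for t in OPERATOR_TERMS):
        score += 1
        reasons.append("mentions a toll operator or tolls")
    if any(t in lowered for t in URGENCY_TERMS):
        score += 1
        reasons.append("uses payment urgency language")
    urls = URL_RE.findall(text)
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        domain = registrable_domain(host)
        if domain not in OPERATOR_DOMAINS:
            score += 2
            reasons.append(f"link domain {domain!r} is not an allowlisted operator domain")
            # An operator name inside a non-operator hostname is the classic lookalike.
            if any(t in host for t in OPERATOR_TERMS):
                score += 2
                reasons.append(f"operator name appears in lookalike host {host!r}")
        if url.lower().startswith("http://"):
            score += 1
            reasons.append("link is plain http")
    verdict = ("likely_smishing" if score >= 4
               else "suspicious" if score >= 2 else "benign")
    return {"score": score, "verdict": verdict, "reasons": reasons, "urls": urls}


def triage(messages):
    """Score a batch of forwarded messages, as a SOC intake script would."""
    return [score_message(m) for m in messages]


if __name__ == "__main__":
    for msg, result in zip(SAMPLE_MESSAGES, triage(SAMPLE_MESSAGES)):
        print(f"{result['verdict']:>16} ({result['score']}): {msg[:60]}...")
        for reason in result["reasons"]:
            print(f"{'':>22}- {reason}")
```

The allowlist check is what keeps the score honest: the fourth sample mentions the operator and carries a link, but because the link resolves to an allowlisted domain it stays benign, while the first two samples are pushed over the threshold by the lookalike host rather than by the wording alone.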

Warnings have already been issued by authorities, such as the Massachusetts Department of Transportation (MassDOT), which alerted residents about a smishing scam aimed at EZDriveMA users. These warnings emphasize caution against unsolicited texts and highlight the prevalence of these phishing attempts. Similar incidents have been reported in various other states, including Florida, where residents received messages impersonating the SunPass toll program. The widespread nature of these attacks, affecting multiple states like Texas, California, Colorado, Connecticut, Minnesota, and Washington, signifies a coordinated effort by cybercriminals to exploit toll road users nationwide.

MassDOT’s alert underscored the need for public awareness and vigilance. Residents were advised to verify the authenticity of any messages regarding overdue toll fees before responding. The effectiveness of these scams lies in their ability to convince recipients of their legitimacy, prompting swift and often unquestioned compliance. As these phishing attacks continue to rise, the need for informed and cautious behavior among toll users becomes crucial for mitigating their impact.

Advanced Phishing Kits from China

One of the more alarming aspects of these attacks is the advanced capabilities demonstrated by the phishing kits developed by China-based cybercriminal organizations. A stark example is the phishing module designed to spoof MassDOT’s EZDrive toll system, provided by China’s Lighthouse SMS phishing service. This module, released in January 2025, also includes features to impersonate the North Texas Toll Authority (NTTA) and other state toll programs, showcasing the organized and methodical approach of these cybercriminal groups.

These phishing kits are crafted to effectively mimic legitimate toll operator websites, particularly on mobile devices, enhancing their credibility. The sophistication of the phishing pages is such that they load only when accessed from a mobile device, which significantly boosts their plausibility from the victim’s perspective. This level of tailoring makes it challenging for individuals to distinguish between genuine and fraudulent communications, increasing the success rate of these scams.
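A page that loads only for mobile visitors is a form of user-agent cloaking, and it is also why an analyst who opens a reported link from a desktop sandbox may see nothing and wrongly close the ticket. One way to check a reported URL for this behaviour is to fetch it twice, once as a desktop browser and once as a phone, and compare what comes back. The Python below is an added example, not code from the article or from the Lighthouse kit; the user-agent strings, the `fetch` callback and the simulated site responses are assumptions constructed here, and `fetch_http` is the live fetcher you would pass in when running the check from an isolated analysis host.

```python
import re
import urllib.error
import urllib.request
from difflib import SequenceMatcher

# Assumed user-agent strings (constructed for this example; any current desktop and
# mobile browser strings will do).
DESKTOP_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "Chrome/120.0 Safari/537.36")
MOBILE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 "
             "Version/17.0 Mobile/15E148 Safari/604.1")

# Form fields a credential- or card-harvesting page asks for; such a field shown only
# to mobile visitors is the signal the analyst is looking for.
SENSITIVE_INPUT_RE = re.compile(r"<input[^>]*(card|cvv|expir|passw|otp|code)", re.I)


def fetch_http(url: str, user_agent: str, timeout: float = 10.0):
    """Live fetcher: returns (status, body) for url with the given User-Agent."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(200_000).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_ua_cloaking(url: str, fetch=fetch_http) -> dict:
    """Fetch url as desktop and as phone; report whether the responses diverge."""
    d_status, d_body = fetch(url, DESKTOP_UA)
    m_status, m_body = fetch(url, MOBILE_UA)
    desktop_form = bool(SENSITIVE_INPUT_RE.search(d_body))
    mobile_form = bool(SENSITIVE_INPUT_RE.search(m_body))
    # Similarity is reported for the analyst; the verdict rests on the two hard signals:
    # a status code that changes with the device, or a sensitive form shown only to phones.
    similarity = SequenceMatcher(None, d_body, m_body).ratio()
    cloaked = d_status != m_status or (mobile_form and not desktop_form)
    return {
        "url": url,
        "desktop_status": d_status,
        "mobile_status": m_status,
        "desktop_form": desktop_form,
        "mobile_form": mobile_form,
        "similarity": round(similarity, 3),
        "cloaked": cloaked,
    }


# Constructed responses standing in for a live fetch so the check runs offline;
# they are not captured from any real site.
SIMULATED_SITES = {
    "https://cloaked-status.example/pay": {
        "desktop": (404, "<html><body>Not Found</body></html>"),
        "mobile": (200, "<html><body><form><input name='card_number'>"
                        "<input name='cvv'></form></body></html>"),
    },
    "https://cloaked-content.example/pay": {
        "desktop": (200, "<html><body><p>Loading...</p></body></html>"),
        "mobile": (200, "<html><body><form><input name='card_number'>"
                        "<input name='otp_code'></form></body></html>"),
    },
    "https://consistent.example/": {
        "desktop": (200, "<html><body><h1>Account</h1></body></html>"),
        "mobile": (200, "<html><body><h1>Account</h1></body></html>"),
    },
}


def simulated_fetch(url: str, user_agent: str):
    """Offline stand-in for fetch_http that answers from SIMULATED_SITES."""
    kind = "mobile" if ("iPhone" in user_agent or "Android" in user_agent) else "desktop"
    return SIMULATED_SITES[url][kind]


if __name__ == "__main__":
    for site in SIMULATED_SITES:
        print(check_ua_cloaking(site, simulated_fetch))
```

Two cloaking styles are covered: the page that returns an error to anything that is not a phone, and the page that serves a harmless placeholder to desktops and the card form to phones. In either case the practical lesson for triage is the same: always include a mobile user-agent fetch before declaring a reported toll link dead.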

The intricate design and updated modules in these phishing kits reflect a high level of technical expertise and thorough planning by the cybercriminals. By continuously refining their tactics and leveraging the latest technologies, these groups ensure that their phishing attempts remain effective. This dynamic approach not only poses a significant threat to toll users but also highlights the evolving nature of cybercrime where malicious actors are continually adapting their methods to bypass security measures and exploit vulnerabilities.

Key Players and Technological Innovations

The article identifies a key player in these schemes: a Chinese cybercriminal group known as “Lighthouse.” This group has been pivotal in developing and distributing phishing kits designed to capture detailed personal and financial information from victims. A notable innovation in these kits is their incorporation of Apple’s iMessage and Rich Communication Services (RCS) for Android, which are less susceptible to being filtered by telecom operators. This advancement has likely increased the success rate of their phishing attacks, making them more difficult for standard defenses to intercept.

Security researcher Ford Merrill from SecAlliance highlighted a significant increase in these phishing attempts following the introduction of new phishing pages tailored to U.S. state toll operators by this China-based group. Merrill noted that these groups have a history of adapting their schemes, shifting from package delivery scams to toll road scams. This adaptability is a crucial aspect of their operations, providing them with the flexibility to exploit different vulnerabilities and maintain the effectiveness of their attacks. As the public becomes more aware of one type of scam, these groups swiftly pivot to another, demonstrating a relentless pursuit of exploiting both technological and human weaknesses for financial gain.

This adaptability is also reflected in their ability to incorporate emerging technologies into their phishing strategies. By using platforms like iMessage and RCS, they can bypass traditional SMS filters that telecom operators use to block spam and phishing attempts. This innovation, combined with the advanced design of their phishing kits, enables them to reach a broader audience and increase the likelihood of obtaining sensitive information from their targets. The continuous evolution of these tactics underscores the need for equally dynamic defense mechanisms to counteract these sophisticated threats.

Historical Context and Adaptability

The adaptability of these cybercriminal groups is further highlighted by historical patterns of their attacks. In 2023, a significant number of SMS phishing attempts targeted U.S. Postal Service customers, linked to another China-based cybercriminal known as “Chenlun.” This historical context illustrates the consistent underlying tactics and motives of these phishing threats, despite the changing specifics of the scams. The persistence of such threats necessitates a sustained and vigilant response from both the public and security professionals.

Researchers and authorities stress the importance of remaining vigilant against these phishing attempts. They emphasize that individuals should not engage with suspicious messages and should promptly report any incidents to the FBI’s Internet Crime Complaint Center (IC3). This proactive approach is essential for mitigating the impact of these scams and preventing further victimization. Public awareness and reporting are critical components of an effective defense strategy against the ongoing and evolving threats posed by cybercriminals.

Understanding the historical context and patterns of these attacks can aid in developing more effective countermeasures. By recognizing the tactics employed by these groups and their ability to adapt to new circumstances, security professionals can better anticipate their moves and develop strategies to protect potential victims. The ongoing battle between emerging phishing technologies and protective measures reflects the dynamic and ever-changing nature of the cybersecurity landscape.

