Hunting for “Unpaid Toll” Phishing Campaigns with Validin

This article discusses the recent smishing campaign targeting toll services, where users receive fraudulent text messages warning of unpaid tolls. It highlights how threat actors use popular infrastructure like Cloudflare to conceal their activities and illustrates the use of Validin for uncovering additional phishing domains linked to this campaign. Affected: toll services, financial sector, users’ personal data

Key points:

  • The FBI issued a warning about a smishing scam related to toll payment services.
  • Fraudulent messages mimic legitimate communications from toll services.
  • The scam uses a fake website to collect sensitive user information.
  • Cloudflare is utilized by the threat actors to disguise their actual hosting environment.
  • Validin is employed to discover and track phishing domains associated with this scam.
  • Numerous similar domain names linked to the campaign were uncovered through a lookalike search.
  • Some identified domains have recently resolved to non-Cloudflare IP addresses, exposing the origin hosting that the Cloudflare proxy normally hides and giving a pivot for finding further phishing domains on the same hosts.
  • The article stresses the importance of proactive threat intelligence using tools like Validin.
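The hunting logic in the points above (separate Cloudflare proxy addresses from origin addresses, then pivot on the origin addresses to find co-hosted lookalike domains) can be scripted against passive-DNS style records. The block below is an added example, not code from the Validin article or a Validin API client: the resolution records are constructed, the pairing of the article's three domains and two IP addresses is an assumption, `unpaidtollnotice.invalid` is a made-up co-hosted lure, and the Cloudflare IPv4 ranges are copied from Cloudflare's public list and should be refreshed from https://www.cloudflare.com/ips/ before real use.

```python
import ipaddress
from collections import defaultdict
from datetime import date

# Cloudflare's published IPv4 ranges, copied from https://www.cloudflare.com/ips/
# so the example runs offline (assumption: refresh from the live list before use).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Tokens that recur in toll-themed lure domains (assumption, extend as needed).
TOLL_TOKENS = ("toll", "sunpass", "turnpike", "tollway", "ezpass", "fastrak")

# Constructed passive-DNS style records: (domain, resolved IP, first seen).
# The three .com domains and the two non-Cloudflare IPs are from the article;
# their pairing, the dates, the Cloudflare IPs and the .invalid domain are invented.
SAMPLE_RECORDS = [
    ("myturnpiketollservices.com", "104.21.33.7",    "2025-01-20"),
    ("myturnpiketollservices.com", "94.232.247.104", "2025-01-18"),
    ("floridasunpass-toll.com",    "172.67.150.9",   "2025-01-22"),
    ("floridasunpass-toll.com",    "193.233.203.34", "2025-01-21"),
    ("tollwayservices.com",        "104.21.33.7",    "2025-01-19"),
    ("unpaidtollnotice.invalid",   "193.233.203.34", "2024-11-02"),
]


def is_cloudflare(ip: str) -> bool:
    """True if the address falls inside Cloudflare's proxy ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def looks_like_toll_lure(domain: str) -> bool:
    """Cheap keyword check on the registrable label, mirroring a lookalike search."""
    label = domain.lower().split(".")[0]
    return any(tok in label for tok in TOLL_TOKENS)


def origin_exposures(records, since=None):
    """Map domain -> [(ip, first_seen)] for resolutions that bypass Cloudflare."""
    out = defaultdict(list)
    for domain, ip, first_seen in records:
        if since and date.fromisoformat(first_seen) < since:
            continue  # only resolutions first seen on/after `since`
        if not is_cloudflare(ip):
            out[domain].append((ip, first_seen))
    return dict(out)


def pivot_on_ips(records):
    """Map each non-Cloudflare IP to every domain that has resolved to it."""
    by_ip = defaultdict(set)
    for domain, ip, _ in records:
        if not is_cloudflare(ip):
            by_ip[ip].add(domain)
    return {ip: sorted(domains) for ip, domains in by_ip.items()}


def hunt(records, since=None):
    """Domains whose origin leaked, with the origin IPs and co-hosted domains."""
    exposures = origin_exposures(records, since)
    pivots = pivot_on_ips(records)  # pivot over full history, not just `since`
    findings = {}
    for domain, hits in exposures.items():
        related = set()
        for ip, _ in hits:
            related.update(d for d in pivots[ip] if d != domain)
        findings[domain] = {
            "lure_keywords": looks_like_toll_lure(domain),
            "origin_ips": sorted({ip for ip, _ in hits}),
            "co_hosted": sorted(related),
        }
    return findings


if __name__ == "__main__":
    for domain, info in hunt(SAMPLE_RECORDS).items():
        print(domain, info)
```

Domains that only ever resolve to Cloudflare (here `tollwayservices.com`) do not appear in the findings at all; they still need the lookalike search and content checks, because the proxy never leaks their origin. The `since` filter narrows the exposure list to recent resolutions while the IP pivot still uses the full history, which is what surfaces older tenants on the same origin host.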

MITRE Techniques:

  • Phishing (T1566): The campaign uses smishing (SMS phishing) lures that impersonate toll services and send victims to a fake payment site; the personal and payment data entered into that site's forms is collected by the actors. Harvesting credentials through a fraudulent web form is part of the phishing technique, not OS Credential Dumping (T1003), which covers extracting credentials from a compromised operating system.
  • Acquire Infrastructure: Domains (T1583.001): The actors register many toll-themed lookalike domains (combinations such as "turnpike", "sunpass" and "tollway" with "toll" or "services"), which is why a lookalike search in Validin surfaces further campaign domains. Human-chosen lookalikes of this kind are not a Domain Generation Algorithm (T1568.002; the older ID T1483 is deprecated), so automated generation should not be inferred from them.
  • Stage Capabilities: Link Target (T1608.005): The phishing pages are staged behind Cloudflare, whose proxy addresses hide the origin hosting. Domains that resolve to non-Cloudflare IP addresses expose that origin; those addresses are phishing hosting rather than command and control (T1071, Application Layer Protocol, does not apply), and they are useful as a pivot to other domains on the same hosts.

Indicators of Compromise:

  • [Domain] myturnpiketollservices.com
  • [Domain] floridasunpass-toll.com
  • [Domain] tollwayservices.com
  • [IP Address] 94.232.247.104
  • [IP Address] 193.233.203.34

Full Story: https://www.validin.com/blog/hunting-for-unpaid-toll-phishing-campaigns-with-validin/