Foreign Smishing Kit Powers Widespread Toll Fraud Campaign Targeting U.S. People in 8 States

Security researchers are warning of a “widespread and ongoing” SMS phishing (smishing) campaign that has been attempting to defraud toll road users in the United States since mid-October 2024.

According to Cisco Talos researchers Azim Khodjibaev, Chetan Raghuprasad, and Joey Chen, “The toll road smishing attacks are being carried out by a number of financially motivated threat actors using the smishing kit developed by ‘Wang Duo Yu.’”

According to the company, the attacks impersonate U.S. electronic toll collection systems like E-ZPass, sending SMS and Apple iMessages to people in Washington, Florida, Virginia, Texas, Ohio, Illinois, and Kansas about an unpaid toll and urging them to click a bogus link included in the message.

Security journalist Brian Krebs previously covered the toll phishing campaign, which was linked to a China-based SMS phishing service called Lighthouse, which was promoted on Telegram.

While Apple iMessage automatically disables links in messages from unknown senders, the smishing texts ask recipients to respond with “Y” in order to activate the link, a tactic also seen in phishing kits like and Xi gu.

When a victim clicks on the link and visits the domain, they are asked to complete a fake image-based CAPTCHA challenge and are then redirected to a fake E-ZPass page (such as “ezp-va[.]com” or “e-zpass[.]com-etcjr[.]xin”), where they are asked to provide their name and ZIP code to view the bill.

Targets are then instructed to proceed by making the payment on a separate fraudulent website, after which the threat actors receive all the personal and financial information that has been entered.
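The lure chain described above (toll-brand impersonation, an "unpaid toll" pretext, a "reply Y" prompt to re-enable a link from an unknown sender, and a lookalike domain that puts the brand name in front of an unrelated registrable domain) can be scored with a few heuristics. The following is an added example written for this page, not code from Talos or any of the firms cited; the allowlist of official toll-operator domains is a constructed placeholder, the scoring weights are assumptions, and the sample messages are constructed (the two domains in them are the defanged ones quoted above). The registrable-domain helper simply takes the last two labels, which is a simplification of a real public-suffix lookup.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of verified toll-operator domains (constructed placeholder;
# a deployment would load the operators' published domains instead).
OFFICIAL_TOLL_DOMAINS = {"example-toll-authority.gov"}

# Brand tokens and pressure words typical of the toll lure; lowercase, matched on lowercased text.
BRAND_TOKENS = ("e-zpass", "ezpass", "ezp", "toll")
URGENCY_RE = re.compile(r"unpaid|overdue|outstanding|penalt|late fee|suspend")
# "Reply Y" / "Respond with 'Y'": the bait used to make iMessage re-enable a link
# from an unknown sender.
REPLY_Y_RE = re.compile(r"\b(?:reply|respond)\s+(?:with\s+)?[\"'\u201c\u201d]?y[\"'\u201c\u201d]?\b")
# Bare or scheme-prefixed hostnames with an optional path (heuristic, not a full URL grammar).
URL_RE = re.compile(r"\b(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?")


def refang(text: str) -> str:
    """Turn defanged indicators ("e-zpass [. ] xin", "hxxp://") back into parseable form."""
    text = re.sub(r"\s*\[\s*\.\s*\]\s*", ".", text)
    return re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.I)


def extract_hosts(text: str) -> list:
    """Return every hostname referenced in the (already refanged, lowercased) text."""
    hosts = []
    for match in URL_RE.finditer(text):
        url = match.group(0)
        if not url.startswith("http"):
            url = "http://" + url  # give urlparse a scheme so it sees the host
        host = urlparse(url).hostname
        if host:
            hosts.append(host)
    return hosts


def registrable_domain(host: str) -> str:
    """Last two labels only; a real implementation would consult the public suffix list."""
    return ".".join(host.split(".")[-2:])


def score_sms(message: str) -> dict:
    """Score one SMS/iMessage body for toll-fraud smishing indicators."""
    text = refang(message).lower()
    score, reasons = 0, []

    if any(token in text for token in BRAND_TOKENS):
        score += 1
        reasons.append("toll-brand wording")
    if URGENCY_RE.search(text):
        score += 1
        reasons.append("payment-pressure wording")
    if REPLY_Y_RE.search(text):
        score += 2
        reasons.append("asks for a 'Y' reply to activate a link")

    for host in extract_hosts(text):
        if registrable_domain(host) in OFFICIAL_TOLL_DOMAINS:
            continue  # link goes to a verified operator domain
        if any(token in host for token in BRAND_TOKENS):
            score += 3  # brand name inside an unverified registrable domain
            reasons.append(f"lookalike domain {host}")
        else:
            score += 1
            reasons.append(f"unverified link {host}")

    return {"score": score, "reasons": reasons, "likely_smishing": score >= 4}


if __name__ == "__main__":
    # Constructed sample messages; the domains are the defanged ones quoted in the article.
    samples = [
        "E-ZPass: you have an unpaid toll. Pay now to avoid a penalty: "
        "https://e-zpass[.]com-etcjr[.]xin/pay Reply Y to activate the link.",
        "E-ZPass Virginia: outstanding balance $6.99. Settle at ezp-va [. ] com before 04/15 to avoid late fees.",
        "Your toll statement is ready at https://example-toll-authority.gov/statements",
    ]
    for sample in samples:
        print(score_sms(sample))
```

The lookalike check is what separates the two fraudulent samples from the legitimate one: "e-zpass.com-etcjr.xin" registers as "com-etcjr.xin", so the familiar brand sits in a subdomain the operator does not control. In a gateway or mail-security pipeline the same function would be fed the raw message body and the verdict logged alongside the extracted hosts so they can be blocked and shared.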

Talos noted that several threat actors are using a phishing kit developed by Wang Duo Yu to carry out the toll road smishing campaigns, and that it has seen similar smishing kits being used by another Chinese-speaking cybercrime group known as the Smishing Triad.

According to security researcher Grant Smith, Wang Duo Yu is also alleged to be the inventor of the phishing kits used by Smishing Triad. In an from August 2024, Smith revealed that the creator is a current computer science student in China who is using the skills he is learning to earn a good living on the side.

Smishing Triad is for carrying out against postal services in at least 121 countries, using failed package delivery lures to entice message recipients into clicking bogus links that ask for their personal and financial information under the guise of a purported service fee for redelivery.

Threat actors who are using these kits have also to use a method known as to allow victims to cash out their funds at a larger scale by using their card details to a mobile wallet.

The phishing kits have also been found to be backdoored, since they allow the creators to use a technique known as , which lets the captured credit/debit card information be exfiltrated to them as well.

Wang Duo Yu, Talos said, has been selling access to these kits on their Telegram channels. “Wang Duo Yu has crafted and designed specific smishing kits,” the researchers said. The kits come with a variety of infrastructure options, starting at US$50 for full-feature development, $30 for proxy development (when the customer has a personal domain and server), $20 for version updates, and $20 for all other miscellaneous support.

According to Silent Push, the e-crime group is believed to have concentrated their efforts on a new Lighthouse phishing kit that’s designed to collect credentials from banks and financial institutions in Australia and the Asia-Pacific region as of March 2025.

The threat actors also assert that they have “300+ front desk staff around the world” to help with various aspects of the cash-out and fraud schemes linked to the phishing kit.

The group also sells phishing kits to other like-minded threat actors via Telegram and likely other channels, according to the company. Because of these sales, it’s difficult to categorize the kits under the Smishing Triad umbrella.

According to a report released last month by PRODAFT, Lighthouse operates independently of the XinXin group, the cybercrime organization behind the Lucid kit, while sharing tactical overlaps with phishing kits like Lucid and Darcula. Wang Duo Yu (also known as Lao Wang) is being tracked by the Swiss cybersecurity firm as LARVA-241.

According to PRODAFT, “An analysis of attacks conducted using the Lucid and Darcula panels revealed that Lighthouse (Lao Wang/Wang Duo Yu) shares significant similarities with the XinXin group in terms of targeting, landing pages, and domain creation patterns.”

Resecurity, a cybersecurity firm that first documented the in 2023 and has been tracking the toll scam campaigns, reported that the smishing syndicate had used over 60,000 domain names, making it difficult for Apple and Google to effectively stop the fraudulent activity.

According to Resecurity, using underground bulk SMS services enables cybercriminals to scale their operations and target millions of users at once. “These services enable attackers to send thousands or millions of fraudulent IM messages to users individually or as groups of users based on particular demographics across various regions,” the statement says.
