Saturday, April 12, 2025

New Chinese Attacks Put U.S. iPhone and Android Users at Risk: FBI Warning

The latest FBI unpaid toll scam warnings in Las Vegas and Phoenix will leave millions of Americans asking why there appears to be no solution to these malicious texts. The bureau first warned about this smishing attack almost exactly a year ago, and yet the plague of malicious messages is now spiralling out of control with no signs of stopping.

Resecurity has just warned that the toll payment scam is undergoing a “massive fraud campaign expansion,” and that “the campaign has utilized over 60,000 domain names, making it difficult for platforms like Apple and Android to block fraudulent activity effectively.” A “significant spike” in Q1 has seen “millions of consumers targeted.”

“These attacks,” says Black Duck’s Thomas Richards, “are very complex and show deep technical capabilities at such scale. While attackers abuse encrypted communications to evade eavesdropping by the carriers, it should still set off alerts within the networks when a single phone number sends thousands of text messages to users outside their geographic area when they aren’t a registered short code or business.”

As I’ve reported before, this is not a nuisance scam chasing you for a few dollars. It is organized crime, a concerted attack that leverages a complex and extensive ecosystem built and operated out of China. The attackers don’t want your $4 or $5. They want to steal your credentials, your credit card details and maybe even your identity.

And according to SlashNext’s J Stephen Kowski, the Chinese gangs “have evolved from targeting toll road and shipping customers to directly attacking international financial institutions, using sophisticated smishing techniques that bypass traditional security measures. These attackers are enjoying remarkable success converting phished payment card data into mobile wallets from Apple and Google.”

The Smishing Triad group behind these attacks made its name pushing undelivered package messages through compromised iMessage accounts. But it’s now much wider. And it’s ongoing. In a new report, Talos warns that “as of March 2025, [we are] still seeing new domains registered by the threat actors for the toll road scams.” And it shares details on the channels — mainly Telegram — used to sell these phishing kits.

In another new report this week, the threat hunters at Silent Push say they have “determined that portions of [Smishing Triad’s] infrastructure generated over one million page visits within a period of only 20 days, averaging 50,000 per day. Based on this data, we believe the actual number of messages sent may be significantly higher than the current public estimates of 100,000 SMS messages sent per day.”

Three weeks ago, the threat actors behind Smishing Triad started sharing a new “Lighthouse” phishing kit aimed at banks and financial institutions. This is an industrialized attack. “Smishing Triad boasts it has ‘300+ front desk staff worldwide’ supporting the Lighthouse kit,” as it “sells its phishing kits to other threat actors.”

Threat Stop warns that “we’ve long known that the group referred to as Smishing Triad has been operating on a massive scale, rotating thousands of malicious domains and spoofing major brands worldwide.” This is true, but Silent Push’s findings, that this now targets users in more than 120 countries and operates “tens of thousands of domains,” have frightening implications for the scale of what comes next. A kit that targets your bank rather than a toll operator can do much more immediate damage to your finances.

As this threat is mapped, with details on the thousands of domains and hundreds of IP addresses, it will raise questions as to how best to cut this down. What it has done is highlight the weakness in the openness of SMS/RCS/iMessage, an openness that other messaging platforms do not share, albeit they’re hit with smishing to a lesser extent.

Zimperium’s Kern Smith told me that “the latest wave of mobile SMS scams is a stark reminder that mobile devices and apps are uniquely vulnerable — and often under protected — against attackers,” while the new reports “show the continued investment by cybercriminals in targeting mobile users.”

The FBI’s warning is clear, whether a malicious text relates to road tolls, packages, banking transactions or anything else. Report the text and the number that sent it to www.ic3.gov, and then delete it from your phone.
