Republished on March 11th with details of new state by state warnings and government advice for anyone receiving these dangerous texts.
The FBI warns a threat moving across America “from state to state” targets citizens via malicious SMS (smishing) texts, telling iPhone, Android users to “delete any smishing texts received.” Now cybercriminals have registered “over 10,000 domains” to fuel a new wave of attacks. These new texts are easy to detect — delete them right away.
The new report comes via Palo Alto Networks’ Unit 42. The new campaign, it says, “entices users to reveal personal and/or financial information, including credit or debit card and account information.” The original threat focuses on toll scams, with state-specific payment links; the new set of domains adds delivery services into the mix.
The toll scam has been generating headlines in recent months, with rarely a week passing by without a new report from state or local media somewhere in America. The FTC warns that “not only is the scammer trying to steal your money, but if you click the link, they could get your personal info and even steal your identity.”
All the smishing texts follow a similar pattern. You have an unpaid bill and need to pay it urgently to avoid higher costs or worse. There is a link to the payment site — which is where the new domains come into play. Given iMessage blocks such links, the texts include instructions to either reply or copy the link into Safari to make payment.
The toll scam is franchised out to local operators, but it all seems to leverage a toolkit built by Chinese cybercrime groups. Little surprise, then, that the example root domains and fully qualified domain names shared by Unit 42 all share the Chinese .XIN TLD. You can easily see how these domain names are crafted to entice a click:
- dhl.com-new[.]xin
- driveks.com-jds[.]xin
- ezdrive.com-2h98[.]xin
- ezdrivema.com-citations-etc[.]xin
- ezdrivema.com-securetta[.]xin
- e-zpassiag.com-courtfees[.]xin
- e-zpassny.com-ticketd[.]xin
- fedex.com-fedexl[.]xin
- getipass.com-tickeuz[.]xin
- sunpass.com-ticketap[.]xin
- thetollroads.com-fastrakeu[.]xin
- usps.com-tracking-helpsomg[.]xin
This list is not exhaustive, but it will help you flag threats. It also goes without saying that any U.S. toll payment platform or major delivery service is not going to redirect you to a Chinese domain from a link within a text, even where there’s a “.COM” earlier in the string. But even if the link does not have a telltale Chinese TLD, you should not click through from a text. As the bureau says, “check your account using the toll service’s legitimate website [or] contact the toll service’s customer service phone number.”
Per Bleeping Computer, toll payment scam campaigns continue to spread, making it quite clear why so many new domains are required. “A massive wave of phishing text messages has caused numerous cities throughout the US to issue warnings, including from Annapolis, Boston, Greenwich, Denver, Detroit, Houston, Milwaukee, Salt Lake City, Charlotte, San Diego, San Francisco, and many others.”
In addition to the top-level domain, Bleeping Computer also noticed in a text they received in New York “a tell-tale sign that this is a scam, as the dollar sign is displayed after the amount, rather than before, as is customary in the U.S. This further indicates that the phishing scam was created by people outside of the U.S.”
McAfee has now issued its own warning, highlighting the cities most targeted by these scams. “Look both ways for a new form of scam that’s on the rise, especially if you live in Dallas, Atlanta, Los Angeles, Chicago, or Orlando — fake toll road scams. They’re the top five cities getting targeted by scammers.”
The team reports “a major uptick in them over the past few weeks; fake toll road scams have nearly quadrupled at the end of February compared to where they were in January.” Their full list of most targeted cities is here:
- “Dallas, Texas
- Atlanta, Georgia
- Los Angeles, California
- Chicago, Illinois
- Orlando, Florida
- Miami, Florida
- San Antonio, Texas
- Las Vegas, Nevada
- Houston, Texas
- Denver, Colorado
- San Diego, California
- Phoenix, Arizona
- Seattle, Washington
- Indianapolis, Indiana
- Boardman, Ohio”
These unpaid toll scam warnings are fast becoming a daily occurrence, prompting Louisiana Attorney General Liz Murrill to issue a direct message to citizens in the state, after being targeted herself. “I received this text as well. It is a scam. If you ever receive a text that looks suspicious, be sure to never click on it. You don’t want your private information stolen by scammers,” she warned.
Just as with the report from Unit 42, state officials advise that the link included in the message is a telltale danger sign, illustrating why carefully selected domains are critical to the attacks. “Web addresses that come from the scammers will include a hyphen in the address, such as geauxpass-la.com or one that is misspelled by one letter such as leaving out an ‘X’ in GeauxPass. The wrong web addresses are https//geaupass.net or https://geauxpass-la.com. The correct web address to access your GeauxPass account and to contact the customer service team is www.geauxpass.com.”
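Both the Unit 42 list above (a brand’s “.com” pushed into a subdomain of a .xin name) and the Louisiana warning (a hyphenated or one-letter-off variant of the real domain) can be turned into a simple triage check. The script below is an added example, not code from Unit 42, the FBI or any agency; the brand list, the expected TLDs and the sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed brand list for the example; not a vetted allow-list of agencies.
KNOWN_BRANDS = sorted({"ezdrivema", "e-zpassny", "sunpass", "geauxpass", "usps", "dhl"})
# Assumption for this example: the impersonated operators live on .com or .gov.
EXPECTED_TLDS = {"com", "gov"}

def host_of(link: str) -> str:
    """Return the lowercased hostname; refangs the [.] notation used in reports."""
    link = link.replace("[.]", ".").strip()
    if "://" not in link:
        link = "http://" + link
    return (urlsplit(link).hostname or "").lower()

def edit_distance_one(a: str, b: str) -> bool:
    """True when a and b differ by exactly one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))

def lookalike_reasons(link: str) -> list[str]:
    """List the reasons a link looks like a toll/delivery lookalike; empty = no flag."""
    host = host_of(link)
    labels = host.split(".")
    tld = labels[-1]
    sld = labels[-2] if len(labels) >= 2 else ""      # label left of the TLD
    registrable = ".".join(labels[-2:])               # what the victim actually visits
    reasons = []
    # Unit 42 pattern: "brand.com-junk.xin" -- ".com" is only a subdomain label.
    if "com-" in host and tld not in EXPECTED_TLDS:
        reasons.append(f"brand '.com' is a subdomain, real domain is {registrable}")
    for brand in KNOWN_BRANDS:
        if sld == brand:
            continue
        if sld.startswith(brand + "-") or sld.endswith("-" + brand):
            reasons.append(f"hyphenated variant of {brand}: {sld}")
        elif edit_distance_one(sld, brand):
            reasons.append(f"one-letter typosquat of {brand}: {sld}")
    return reasons

if __name__ == "__main__":
    # Constructed sample links modelled on the patterns described in the article.
    for sample in ("ezdrivema.com-citations-etc[.]xin", "https://geauxpass-la.com",
                   "http://geaupass.net", "www.geauxpass.com"):
        print(sample, "->", lookalike_reasons(sample) or "no lookalike indicators")
```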
Meanwhile in Detroit, one news outlet decided to put feelers out across the city to check how viral this scam had become locally. “Has your phone been blowing up with texts about unpaid toll bills? Mine sure has, and the same is true for many of us at 7 News Detroit. I decided to ask about it on the WXYZ Facebook page, and we got more than 4,300 comments from people across Michigan and others out of state.”
The news team warns of a nasty new trick being deployed by the attackers; when one local woman “tried to pay using her debit card, [she] got a pop-up indicating the card was denied. That’s the trick! The scammers want you to keep trying different cards, so they have those numbers to use themselves.”
Other warnings this week have come from Virginia and Maryland, Indiana, North Carolina, Georgia and Ohio.
The FBI’s advice for anyone falling foul to these scams is very simple:
- “File a complaint with the IC3, www.ic3.gov, [and include] the phone number from where the text originated [and] the website listed within the text
- Check your account using the toll service’s legitimate website.
- Contact the toll service’s customer service phone number.
- Delete any smishing texts received.
- If you clicked any link or provided your information, take efforts to secure your personal information and financial accounts. Dispute any unfamiliar charges.”
The FTC advises broadly the same:
- “Don’t click on any links in, or respond to, unexpected texts. Scammers want you to react quickly, but it’s best to stop and check it out.
- Check to see if the text is legit. Reach out to the state’s tolling agency using a phone number or website you know is real — not the info from the text.
- Report and delete unwanted text messages. Use your phone’s “report junk” option to report unwanted texts to your messaging app or forward them to 7726 (SPAM). Once you’ve checked it out and reported it, delete the text.”
Zimperium has just warned that cybercriminals are moving to a “mobile-first attack strategy,” because you are more vulnerable on small-screen devices. It’s easy to see why that’s the case, and why you’re more likely to click on a text than an email — don’t.