
Chinese Smishing Kit Powers Widespread Toll Fraud Campaign Targeting Users in Eight States

April 19, 2025

Cybersecurity researchers have warned of a “wide and continuous” SMS phishing campaign that has been targeting US toll road users for financial theft since mid-October 2024.

“The toll road smishing attacks are being carried out by multiple financially motivated threat actors using the smishing kit developed by ‘Wang Duo Yu’,” Cisco Talos researchers Azim Khodjibaev, Chetan Raghuprasad and Joey Chen said.

The phishing campaigns, per the company, impersonate US electronic toll collection systems such as E-ZPass, sending SMS messages and Apple iMessages to individuals in Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, and Kansas that urge them to click on fake links sent in the chat.

It is worth noting that several aspects of the toll phishing campaign were previously highlighted by security journalist Brian Krebs in January 2025, with the activity traced back to a China-based SMS phishing service called Lighthouse that is advertised on Telegram.

Apple iMessage automatically disables links in messages received from unknown senders, but the smishing texts urge recipients to reply with “Y” to activate the links, a tactic observed in phishing kits such as Darcula and Xiūgǒu.

If the victim clicks the link and visits the domain, they are asked to solve a fake image-based CAPTCHA challenge, after which they are redirected to a fake E-ZPass page (“ezp-va(.lcom” or “e-zpass(.)com-etcjr(.)com-etcjr(.)xin”).

The target is then asked to proceed further and make a payment on another fraudulent page. At that point, all the personal and financial information they enter is siphoned off to the threat actors.
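The lure described above gives a message filter two things to check: the request to reply with “Y” so that the link becomes active, and a hostname that carries the brand on a domain the toll operator does not own, often with a label such as “com-…” so the left part reads like a complete domain. The following Python triage function is an added example, not code from Talos or from this article; the brand tokens, the allowlist, the sample messages and the two-label shortcut for the registrable domain are constructed assumptions.

```python
import re

# Assumptions (illustrative, not from the article): the brand tokens, the
# caller-supplied allowlist, and treating the last two labels as the
# registrable domain instead of consulting the Public Suffix List.
BRAND_TOKENS = ("ezpass", "ezp")
TLD_LOOKALIKES = ("com", "gov", "org", "net")
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)
REPLY_Y_RE = re.compile(r"\b(?:reply|respond)\b[^.\n]{0,40}?\bY\b", re.I)

# Constructed sample messages on the reserved .example TLD.
OFFICIAL = {"ezpass-official.example"}
LURE = ('E-ZPass notice: reply "Y" and reopen this message to activate '
        "the link https://e-zpass.com-abcde.example/pay")
LEGIT = "Your statement is ready: https://www.ezpass-official.example/account"
DEFANGED = "Host quoted in a report: ezp-va(.)example"


def refang(text):
    """Undo common defanging so hosts quoted in reports can be parsed."""
    return text.replace("(.)", ".").replace("[.]", ".")


def host_signals(host, official):
    """Return lookalike signals for one hostname not on the allowlist."""
    labels = host.lower().split(".")
    if ".".join(labels[-2:]) in official:
        return set()
    found = set()
    squashed = "".join(labels).replace("-", "")
    if any(token in squashed for token in BRAND_TOKENS):
        found.add("brand_on_unofficial_domain")
    # A non-final label such as "com" or "com-xxxxx" makes the left part of
    # the host read like a complete, legitimate domain.
    if any(label.split("-")[0] in TLD_LOOKALIKES for label in labels[:-1]):
        found.add("tld_lookalike_label")
    return found


def triage(message, official):
    """Return the set of smishing signals present in one SMS/iMessage body."""
    text = refang(message)
    found = set()
    if REPLY_Y_RE.search(text):
        found.add("reply_to_enable_link")
    for host in HOST_RE.findall(text):
        found |= host_signals(host, official)
    return found
```

The lookalike-label check will also fire on legitimate hosts under second-level suffixes such as “com.au”, so it is best used as one weighted signal alongside the others rather than as a block rule on its own.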

Talos noted that multiple threat actors are likely using the phishing kit developed by Wang Duo Yu, and that a similar smishing kit has been observed in use by another Chinese organized cybercrime group known as Smishing Triad.


Interestingly, Wang Duo Yu is said to be the creator of the phishing kit used by Smishing Triad, according to security researcher Grant Smith. “The creator is a current computer science student in China and uses the skills he is learning to make quite a penny on the side,” Smith revealed in an extensive analysis in August 2024.

Smishing Triad is known for carrying out large-scale smishing attacks targeting postal services in at least 121 countries, using failed package delivery lures to coax message recipients into clicking fake links that request personal and financial information under the guise of a supposed service fee for redelivery.

Additionally, threat actors using these kits have attempted to enroll victims' card details in mobile wallets, allowing them to further cash out the funds at scale using a technique known as Ghost Tap.

The phishing kits are also known to be backdoored, in that the captured credit/debit card information is also exfiltrated to the kit's creators, a technique known as double theft.

“Wang Duo Yu creates and designs specific smishing kits and sells access to these kits through Telegram channels,” Talos said. “The kit offers a variety of infrastructure options, with full feature developments priced at $50 each, proxy development (if the customer has a personal domain and server), $20 for version updates and $20 for all other support.”

As of March 2025, the e-crime group is believed to be focusing its efforts on a new Lighthouse phishing kit aimed at harvesting credentials from banks and financial institutions in Australia and Asia-Pacific, according to Silent Push.


The threat actors also claim to have “over 300 front desk staff” to support various aspects of the fraud and cash-out schemes associated with the phishing kits.

“Smishing Triad sells phishing kits to other malicious threat actors through Telegram and possibly other channels,” the company said. “These sales make it difficult to attribute kits to any subgroup, so now all sites belong here under the Smishing Triad umbrella.”

In a report released last month, Prodaft revealed that Lighthouse shares tactical overlap with phishing kits such as Lucid and Darcula, and operates independently of Xinxin Group, the cybercriminal group behind the Lucid kit. The Swiss cybersecurity company tracks Wang Duo Yu (aka Lao Wang) as Larva-241.

“An analysis of the attacks carried out using the Lucid and Darcula panels revealed that Lighthouse (Lao Wang/Wang Duo Yu) shares important similarities with the Xinxin group in terms of targeting, landing pages and domain creation patterns,” Prodaft said.

Cybersecurity company Resecurity, which was the first to document Smishing Triad in 2023, said it is also tracking the fraudulent toll campaigns. The smishing syndicate uses more than 60,000 domain names, it said, making it difficult for Apple and Google to block the fraudulent activity effectively.

“With underground bulk SMS services, cybercriminals can scale their operations and target millions of users simultaneously,” Resecurity said. “These services allow attackers to efficiently send thousands or millions of fraudulent IM messages, targeting users or groups of users individually based on specific demographics in different regions.”
