A sophisticated cybercriminal operation has emerged targeting toll payment services across multiple regions, with evidence suggesting this campaign will continue expanding globally.
The attack, characterized by highly convincing SMS phishing (smishing) messages, has already reached millions of consumers who use electronic toll collection systems.
These fraudulent messages create a false sense of urgency by claiming unpaid tolls or account issues that require immediate action, ultimately leading victims to fraudulent websites designed to steal personal and financial information.
The campaign represents a significant evolution in smishing tactics, utilizing over 60,000 unique domain names to evade detection and blocking mechanisms.
Messages appear to originate from legitimate tolling agencies, complete with official-looking sender IDs and formatting that closely mimics authentic communications.
The attackers have demonstrated remarkable sophistication in their ability to spoof official toll service communications, making it exceptionally difficult for average consumers to distinguish between legitimate messages and fraudulent ones.
Resecurity researchers identified the operation as the work of “Smishing Triad,” a China-based threat actor group that has previously conducted similar campaigns against banking institutions and e-commerce platforms.
Their analysis revealed a significant spike in these activities at the beginning of Q1 2025, with evidence suggesting the infrastructure behind these attacks continues to grow in sophistication and scale.
The technical underpinnings of this campaign leverage underground bulk SMS services that allow for mass-scale message delivery with customized sender identification.
Many of the identified domain names were registered in the “.xin” top-level domain, which is managed out of Hong Kong, China.
Some malicious texts have been traced back to UK phone numbers, indicating the attackers are utilizing globally distributed infrastructure to conduct their operations.
What makes this campaign particularly dangerous is how it exploits the inherent trust users place in SMS communications compared to email.
Text messages typically have reduced spam protection mechanisms, and consumers are more likely to respond to urgent notifications that appear to come from legitimate services they actively use.
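As an added example (not part of the original report), the traits described above, an unpaid-toll pretext with urgency wording and a link to a look-alike domain, often under .xin, can be turned into a simple scoring heuristic for a carrier- or enterprise-side SMS filter. The agency allow-list and the sample messages are constructed placeholders, and the .xin TLD is the only one the report names.

```python
import re
from dataclasses import dataclass, field

# Constructed allow-list standing in for the domains a tolling agency actually
# publishes; these are placeholders, not real agency domains.
OFFICIAL_TOLL_DOMAINS = {"example-tollagency.gov", "pay.example-tollagency.gov"}

# Lure vocabulary matching the campaign's unpaid-toll / act-now pretext.
TOLL_TERMS = ("toll", "e-zpass", "ezpass", "fastrak", "sunpass")
URGENCY_TERMS = ("unpaid", "overdue", "final notice", "immediately",
                 "within 24 hours", "late fee", "penalty", "suspend")
# .xin is the TLD the report ties to this campaign; extend from local telemetry.
SUSPECT_TLDS = {"xin"}

# Host of a bare or schemed URL; the last label must be alphabetic so "$6.99" is not a host.
URL_RE = re.compile(r"\b(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})\b", re.I)

# Constructed sample SMS bodies: one smishing lure, one legitimate notice, one unrelated.
SAMPLE_MESSAGES = [
    "FasTrak: You have an unpaid toll of $6.99. Pay immediately to avoid a $50 late fee at https://fastrak-pay.xin/bill",
    "FasTrak: Your monthly statement is ready. Sign in at https://pay.example-tollagency.gov to view it.",
    "Reminder: your dentist appointment is tomorrow at 10am. Reply C to confirm.",
]

@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def is_smishing(self) -> bool:
        return self.score >= 4

def extract_hosts(text: str) -> list:
    return [m.group(1).lower() for m in URL_RE.finditer(text)]

def score_sms(text: str) -> Verdict:
    """Heuristic toll-smishing score for one SMS body (higher = more suspicious)."""
    v = Verdict()
    lowered = text.lower()
    if any(t in lowered for t in TOLL_TERMS):
        v.score += 1; v.reasons.append("toll lure")
    if any(t in lowered for t in URGENCY_TERMS):
        v.score += 1; v.reasons.append("urgency pressure")
    for host in extract_hosts(text):
        if host in OFFICIAL_TOLL_DOMAINS:
            continue  # link points at a known agency domain
        v.score += 2; v.reasons.append(f"link to non-official host {host}")
        if host.rsplit(".", 1)[-1] in SUSPECT_TLDS:
            v.score += 2; v.reasons.append("suspect TLD ." + host.rsplit(".", 1)[-1])
        if any(b.replace("-", "") in host.replace("-", "") for b in TOLL_TERMS):
            v.score += 1; v.reasons.append("toll/agency name embedded in look-alike host")
    return v

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict = score_sms(msg)
        print(verdict.score, verdict.is_smishing, verdict.reasons)
```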
Inside the Underground SMS Infrastructure
At the center of this operation is an underground bulk SMS service identified as “Oak Tel” (also known as “Carrie SMS”), which provides cybercriminals with sophisticated tools to manage their smishing campaigns.
The service, hosted at oaktel[.]com, offers web-based management interfaces, API access, and detailed statistics tracking for sent messages.
The Oak Tel panel lets attackers configure the parameters of a smishing campaign. The following capability list, reproduced from the service's own advertisement, shows what it offers buyers:
- Sending out available
- Supports all kinds of traffic
- Sends with customized SID (Sender ID)
- Comes with leads
- Supports all contents
- Sends to all countries
- Hits inbox
The service enables attackers to precisely target victims while monitoring campaign effectiveness through comprehensive analytics dashboards.
For approximately $8.00, attackers can deploy 1,000 smishing messages to UK consumers, making this a highly cost-effective attack vector.
The platform provides mechanisms to track successful message delivery and failure rates, allowing cybercriminals to optimize their campaigns in real-time.
What makes detection particularly challenging is the ability to dynamically modify Sender IDs to impersonate legitimate organizations such as “US Postal Service” or “Chase Bank”.
This level of sender spoofing capability, combined with the ability to rapidly rotate through thousands of domains, creates a persistent threat that traditional security controls struggle to mitigate effectively.
Federal and state agencies have issued warnings about these scams, advising individuals to verify toll-related claims directly through official websites rather than responding to unsolicited messages.