Beware of Fake Unpaid Toll Message Attack to Steal Login Credentials

A deceptive phishing campaign targeting mobile users with fake unpaid toll notifications has intensified significantly in recent months, evolving into one of the most sophisticated SMS-based credential theft operations currently active. The attack begins when unsuspecting victims receive text messages claiming they have unpaid toll violations that require immediate attention. Unlike conventional phishing attempts, these messages contain no active links initially – instead, they instruct recipients to reply directly to the message, creating a false sense of legitimacy and bypassing standard phishing detection methods.

Censys researchers identified that once victims respond to these initial messages, attackers immediately deploy a second-stage attack by sending a link to a convincingly designed phishing domain. These domains mimic official toll collection agencies with remarkable accuracy, even incorporating regional visual elements based on the victim’s location. This scheme represents a tactical shift in phishing methodology, moving away from traditional package delivery impersonation to exploit financial anxiety around supposed driving infractions.

The Censys team has tracked tens of thousands of these malicious domains, revealing an infrastructure predominantly hosted in China but targeting victims across numerous countries. Security analysts note that these toll scam campaigns achieve approximately 5% success rates – substantially higher than traditional email phishing attacks – demonstrating the effectiveness of this multi-stage approach that combines SMS messaging with customized phishing domains.

At the core of this operation lies “Lucid,” a comprehensive Phishing-as-a-Service (PhaaS) platform that provides cybercriminals with turnkey solutions for launching sophisticated phishing campaigns. This platform enables even technically unsophisticated attackers to generate authentic-looking phishing domains and custom landing pages tailored to specific regional toll authorities. This platform represents part of a growing ecosystem of similar services, including Lighthouse, Darcula, EvilProxy, and W3II, all designed to democratize phishing capabilities among criminal actors. The technical sophistication of Lucid includes implementing verification mechanisms that block connections from IP addresses outside targeted regions and prevent security researchers from accessing the domains directly instead of through the designated shortened URLs.

The fake unpaid toll message attack represents a significant evolution in phishing tactics, leveraging both psychological manipulation and technical sophistication to achieve unprecedented success rates. As this threat continues to evolve, users should treat any unexpected toll violation messages with extreme caution, verifying directly with official toll authorities through independently obtained contact information rather than responding to unsolicited messages.

This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 04 Apr 2025 14:00:13 +0000

