Date: 04/15/2025
Severity: High
Summary
Since mid-October 2024, ongoing smishing campaigns have impersonated U.S. toll road payment services like E-ZPass in an effort to commit financial fraud. Attackers have targeted individuals across at least eight U.S. states—including Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, and Kansas—using spoofed domains with state abbreviations embedded in the URLs. Victims receive SMS messages claiming they owe a small toll balance (under $5) and are urged to pay promptly to avoid late fees. These messages redirect users to phishing sites designed to steal payment information.
Indicators of Compromise (IOC) List
Domains \ URLs : | wa-gtg.com goodtogo-wa.com wagood-togo.com gtgwa.com mygood-2go.com tollwa.com wagtg.com ws-gtg.com ws-dot.com fl-road.com fl-pass.com pass-fl.com tx-account.com tx-road.com oh-route.com link-pa.com lane-pa.com plate-pa.com gov-pa.com pa-plate.com ilroad.com iltolls.com va-route.com ezp-va.com va-toll.com toll-va.com va-ez.com va-lane.com ks-lane.com ks-drive.com lane-ks.com e-zpass.com-etcjr.xin e-zpassny.com-etkh.xin e-zpass.vipsm.xin e-zpass.vipss.xin txtag.vipnd.top txtag.vipnu.top txtag.vipso.top txtag.vipsf.top |
IP Address : | 82.147.88.22 45.152.115.161 43.156.47.209 |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Domains \ URLs : | domainname like "ks-drive.com" or url like "ks-drive.com" or siteurl like "ks-drive.com" or domainname like "wagtg.com" or url like "wagtg.com" or siteurl like "wagtg.com" or domainname like "fl-road.com" or url like "fl-road.com" or siteurl like "fl-road.com" or domainname like "va-toll.com" or url like "va-toll.com" or siteurl like "va-toll.com" or domainname like "goodtogo-wa.com" or url like "goodtogo-wa.com" or siteurl like "goodtogo-wa.com" or domainname like "va-lane.com" or url like "va-lane.com" or siteurl like "va-lane.com" or domainname like "gov-pa.com" or url like "gov-pa.com" or siteurl like "gov-pa.com" or domainname like "va-ez.com" or url like "va-ez.com" or siteurl like "va-ez.com" or domainname like "txtag.vipnd.top" or url like "txtag.vipnd.top" or siteurl like "txtag.vipnd.top" or domainname like "plate-pa.com" or url like "plate-pa.com" or siteurl like "plate-pa.com" or domainname like "ws-gtg.com" or url like "ws-gtg.com" or siteurl like "ws-gtg.com" or domainname like "pass-fl.com" or url like "pass-fl.com" or siteurl like "pass-fl.com" or domainname like "va-route.com" or url like "va-route.com" or siteurl like "va-route.com" or domainname like "tx-account.com" or url like "tx-account.com" or siteurl like "tx-account.com" or domainname like "gtgwa.com" or url like "gtgwa.com" or siteurl like "gtgwa.com" or domainname like "wa-gtg.com" or url like "wa-gtg.com" or siteurl like "wa-gtg.com" or domainname like "link-pa.com" or url like "link-pa.com" or siteurl like "link-pa.com" or domainname like "txtag.vipsf.top" or url like "txtag.vipsf.top" or siteurl like "txtag.vipsf.top" or domainname like "ezp-va.com" or url like "ezp-va.com" or siteurl like "ezp-va.com" or domainname like "mygood-2go.com" or url like "mygood-2go.com" or siteurl like "mygood-2go.com" or domainname like "e-zpassny.com-etkh.xin" or url like "e-zpassny.com-etkh.xin" or siteurl like "e-zpassny.com-etkh.xin" or domainname like "lane-pa.com" or url like "lane-pa.com" or siteurl like "lane-pa.com" or domainname like "tollwa.com" or url like "tollwa.com" or siteurl like "tollwa.com" or domainname like "fl-pass.com" or url like "fl-pass.com" or siteurl like "fl-pass.com" or domainname like "ks-lane.com" or url like "ks-lane.com" or siteurl like "ks-lane.com" or domainname like "wagood-togo.com" or url like "wagood-togo.com" or siteurl like "wagood-togo.com" or domainname like "e-zpass.vipss.xin" or url like "e-zpass.vipss.xin" or siteurl like "e-zpass.vipss.xin" or domainname like "iltolls.com" or url like "iltolls.com" or siteurl like "iltolls.com" or domainname like "e-zpass.vipsm.xin" or url like "e-zpass.vipsm.xin" or siteurl like "e-zpass.vipsm.xin" or domainname like "ws-dot.com" or url like "ws-dot.com" or siteurl like "ws-dot.com" or domainname like "tx-road.com" or url like "tx-road.com" or siteurl like "tx-road.com" or domainname like "oh-route.com" or url like "oh-route.com" or siteurl like "oh-route.com" or domainname like "pa-plate.com" or url like "pa-plate.com" or siteurl like "pa-plate.com" or domainname like "ilroad.com" or url like "ilroad.com" or siteurl like "ilroad.com" or domainname like "toll-va.com" or url like "toll-va.com" or siteurl like "toll-va.com" or domainname like "lane-ks.com" or url like "lane-ks.com" or siteurl like "lane-ks.com" or domainname like "e-zpass.com-etcjr.xin" or url like "e-zpass.com-etcjr.xin" or siteurl like "e-zpass.com-etcjr.xin" or domainname like "txtag.vipnu.top" or url like "txtag.vipnu.top" or siteurl like "txtag.vipnu.top" or domainname like "txtag.vipso.top" or url like "txtag.vipso.top" or siteurl like "txtag.vipso.top" |
IP Address : | dstipaddress IN ("45.152.115.161","82.147.88.22","43.156.47.209") or srcipaddress IN ("45.152.115.161","82.147.88.22","43.156.47.209") |
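As an added example (not Gurucul's or Talos's code), the following Python applies the same domain and IP checks as the TDIR queries above to log records, but matches on the parsed hostname so that an unrelated host that merely contains an IOC string (the constructed evilroad.com against ilroad.com) is not flagged. The field names mirror the queries; the sample records are constructed, not real log data.

```python
# Added example, not Gurucul's or Talos's code: check log records against the
# advisory's IOC domains and IPs on the parsed hostname, so a substring hit on
# an unrelated host (constructed "evilroad.com" contains "ilroad.com") is skipped.
from urllib.parse import urlsplit

# Domains and IPs copied from the IOC list in this advisory.
IOC_DOMAINS = {
    "wa-gtg.com", "goodtogo-wa.com", "wagood-togo.com", "gtgwa.com", "mygood-2go.com",
    "tollwa.com", "wagtg.com", "ws-gtg.com", "ws-dot.com", "fl-road.com", "fl-pass.com",
    "pass-fl.com", "tx-account.com", "tx-road.com", "oh-route.com", "link-pa.com",
    "lane-pa.com", "plate-pa.com", "gov-pa.com", "pa-plate.com", "ilroad.com",
    "iltolls.com", "va-route.com", "ezp-va.com", "va-toll.com", "toll-va.com",
    "va-ez.com", "va-lane.com", "ks-lane.com", "ks-drive.com", "lane-ks.com",
    "e-zpass.com-etcjr.xin", "e-zpassny.com-etkh.xin", "e-zpass.vipsm.xin",
    "e-zpass.vipss.xin", "txtag.vipnd.top", "txtag.vipnu.top", "txtag.vipso.top",
    "txtag.vipsf.top",
}
IOC_IPS = {"82.147.88.22", "45.152.115.161", "43.156.47.209"}

def hostname(value):
    """Lowercase host of a URL or bare domain, '' if none (urlsplit needs a scheme)."""
    if not value:
        return ""
    return (urlsplit(value if "://" in value else "http://" + value).hostname or "").lower()

def ioc_domain_for(host):
    """Exact or subdomain match against the IOC domains; None when nothing matches."""
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None

def scan(records):
    """Return (record_index, field, indicator) for every IOC hit, as the TDIR queries would."""
    hits = []
    for i, rec in enumerate(records):
        for field in ("domainname", "url", "siteurl"):
            ioc = ioc_domain_for(hostname(rec.get(field)))
            if ioc:
                hits.append((i, field, ioc))
        for field in ("srcipaddress", "dstipaddress"):
            if rec.get(field) in IOC_IPS:
                hits.append((i, field, rec[field]))
    return hits

# Constructed sample records (not real log data) using the query field names.
SAMPLE = [
    {"url": "https://va-toll.com/pay?id=1", "dstipaddress": "198.51.100.10"},
    {"domainname": "evilroad.com", "dstipaddress": "198.51.100.11"},   # contains "ilroad.com"
    {"siteurl": "http://m.txtag.vipnd.top/", "srcipaddress": "45.152.115.161"},
    {"url": "https://www.example.com/", "dstipaddress": "203.0.113.5"},
]
```

Running `scan(SAMPLE)` reports the first and third records only; record 1 is not flagged even though a raw substring match on "ilroad.com" would hit it.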
Reference:
https://blog.talosintelligence.com/unraveling-the-us-toll-road-smishing-scams/