Report says your money and identity are at risk from the next wave of smishing attacks on your phone

Last month we told you that the FBI issued an alert detailing a serious scam that was moving from state to state. Victims would receive a bogus text (through a practice called 'smishing') stating that they owed money for unpaid road tolls. As with any smishing attack, the scammers try to put pressure on you to take the actions they want you to take. In this case, the text threatens additional fines if you don't pay the unpaid amount immediately. The goal is to get you to pay the amount due by opening a page that allows you to enter your banking account or credit card information to make such payments.
I've recently been the recipient of several such texts and just deleted them immediately. After all, if you were to give the scammers the info they want, not only could they get into your bank account or take over your credit card account and wipe you out, the attackers could even steal your identity as the information they ask for includes your Driver's License number.
Bad actors have registered 10,000 domain names in preparation for the next wave of attacks
The FBI noted in its original alert that iPhone and Android users should delete any smishing texts they receive. A new report from Palo Alto Networks' Unit 42 dated March 6th says that a threat actor has registered over 10,000 domain names which will be used in new attacks. The new texts are written to get victims to reveal personal and financial information including credit card, debit card, and banking account information.
A threat actor leveraging the same naming pattern has registered 10K+ domains for various #smishing scams. They pose as toll services for US states and package delivery services. Root domain names start with "com-" as a way to trick victims. More info at https://t.co/drBEuvGoJj pic.twitter.com/7CBkvwYWxo
— Unit 42 (@Unit42_Intel) March 7, 2025
The original attacks used bogus texts demanding that payments for fake unpaid road toll balances be made to phony state-specific toll agencies. Based on some of the new domain names registered by the threat actor, it would appear that new attacks will add texts related to delivery services to pressure you into making payments for charges you don't owe. At the same time, while you are making these payments, the threat actor is hoping you will reveal banking and credit card info along with personal identification numbers.
To reiterate, armed with this info, attackers can get into your bank account and wipe you out, run through your credit cards, and steal your identity. Besides the toll scam, watch out for bogus texts pretending to be from delivery companies stating that you have a package but it can't be delivered unless you pay a small amount for delivery charges.
The new attacks have been seen in 10 U.S. states and one Canadian province: California, Florida, Illinois, Kansas, Massachusetts, Pennsylvania, New Jersey, New York, Texas, Virginia, and the Canadian province of Ontario.
Watch out for these domain names
There is one important thing to note. The smishing texts come from email addresses or phone numbers. Because iMessage does not allow links, scam texts on that platform will ask you to reply "Y" and reopen the text. If you do this, it will allow the attackers to include links on texts sent to you through iMessage.
Here are some examples of domain names that are being used with this campaign:
- dhl.com-new[.]xin
- driveks.com-jds[.]xin
- ezdrive.com-2h98[.]xin
- ezdrivema.com-citations-etc[.]xin
- ezdrivema.com-securetta[.]xin
- e-zpassiag.com-courtfees[.]xin
- e-zpassny.com-ticketd[.]xin
- fedex.com-fedexl[.]xin
- getipass.com-tickeuz[.]xin
- sunpass.com-ticketap[.]xin
- thetollroads.com-fastrakeu[.]xin
- usps.com-tracking-helpsomg[.]xin
You should be wary of any text you receive these days. Texts that mention one of these domain names should be deleted immediately.
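The naming pattern Unit 42 describes, a root domain that starts with "com-" so that the hostname reads like a real ".com" address, can be checked mechanically in message-filtering or log-review tooling. The following is an added example, not code from Unit 42 or from this article; the function names and the sample messages are constructed for illustration, and it assumes links arrive either live or defanged with "[.]".

```python
import re

# Constructed sample texts. The first two reuse defanged domains listed above;
# the third is a benign, made-up control.
SAMPLE_TEXTS = [
    "Unpaid toll notice. Pay now: https://ezdrivema.com-securetta[.]xin/pay",
    "USPS: package on hold, confirm at usps.com-tracking-helpsomg[.]xin",
    "Your statement is ready at https://www.example.com/billing",
]

# A hostname: two or more dot-separated labels, optionally after a scheme.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z0-9-]+)", re.I)

def extract_hosts(text):
    """Refang '[.]' and return every hostname-looking token, lowercased."""
    return [m.group(1).lower() for m in HOST_RE.finditer(text.replace("[.]", "."))]

def com_dash_lookalike(host):
    """Return the name the host imitates (e.g. 'usps.com'), or None.

    Flags any non-leading, non-TLD label that starts with 'com-': the labels
    to its left then read like a real '.com' name to someone skimming.
    """
    labels = host.split(".")
    for i in range(1, len(labels) - 1):
        if labels[i].startswith("com-"):
            return ".".join(labels[:i]) + ".com"
    return None

def scan(texts):
    """Return (host, imitated_name) pairs for every flagged host in texts."""
    hits = []
    for text in texts:
        for host in extract_hosts(text):
            imitated = com_dash_lookalike(host)
            if imitated:
                hits.append((host, imitated))
    return hits

if __name__ == "__main__":
    for host, imitated in scan(SAMPLE_TEXTS):
        print(f"{host} imitates {imitated}")
```

This is a heuristic for one naming pattern: a legitimate site whose registered name happens to begin with "com-" and is used with a subdomain would also be flagged, so treat hits as candidates for review.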