A sophisticated phishing campaign emerged in May 2025, targeting U.S. residents through a coordinated impersonation of state Department of Motor Vehicles (DMV) agencies.
This large-scale operation used SMS phishing techniques combined with deceptive web infrastructure to harvest personal and financial information from unsuspecting victims across multiple states.
The attackers employed alarming messages about unpaid toll violations, directing recipients to fraudulent DMV websites that prompted immediate payment of nominal fines to resolve fictitious legal issues.
The campaign's primary attack vector involved SMS messages sent from spoofed phone numbers, many traced to origins in the Philippines, with senders using sophisticated spoofing techniques to enhance legitimacy.
Spoofed SMS (Source – Check Point)
Victims received threatening messages citing fabricated legal codes such as “[State-Name] Administrative Code 15C-16.003” and warnings of license suspension or legal penalties if immediate action was not taken.
These messages directed users to click malicious links leading to state-themed phishing websites designed to collect extensive personal information and credit card credentials under the guise of identity verification.
Phishing Website (Source – Check Point)
Check Point researchers noted that the campaign demonstrated remarkable technical sophistication and scale, with the FBI's Internet Crime Complaint Center receiving over 2,000 related complaints within a single month.
The operation's widespread impact prompted official alerts from multiple states including New York, New Jersey, Pennsylvania, Florida, Texas, and California, while national media outlets including CBS News, Fox News, The New York Post, and Time Magazine provided extensive coverage to raise public awareness.
Infrastructure Analysis and Attribution
Technical analysis revealed a highly structured phishing operation using shared infrastructure and consistent patterns across all malicious domains.
Registered phishing domains (Source – Check Point)
The attackers employed a predictable domain structure following the pattern https://[state_ID]dmv.gov-[4-letter-string].cfd/pay, with most domains hosted on the malicious IP address 49.51.75.162.
Analysis uncovered six HTML files mapped to different states, each with a unique hash signature, including Pennsylvania (5c7b246ec5b654c6ba0c86c89ba5cbaa61d68536efc32) and California (5df0fcc2b6b3d3e52fb635c0b7bac41d27b5b75cbfeb1).
Cloned DMV pages used predictable TLDs (Source – Check Point)
The campaign used uniform DNS infrastructure, with all domains pointing to the alidns.com and dns8.alidns.com name servers, while the SOA contact address consistently showed [email protected].
DOM analysis revealed that each phishing site contained identical static assets, including JavaScript files (C18UmYZN.js, fliceXIj.js), a CSS file (C0Zfn5GX.css), and image assets (BHcjXi3x.gif, BkBiYrmZ.svg).
The reuse of these assets across domains strongly indicated the use of a centralized phishing kit known as “Lighthouse,” previously used against U.S. DMVs, with Chinese-language comments in the source code reinforcing attribution to a China-based threat actor.
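As an added example (not from the article or from Check Point's research), the following Python checker flags URLs in SMS text that match the reported lookalike pattern, and additionally applies a broader check for any "gov-" label under a non-.gov registered domain. It assumes the state_ID is a two-letter state abbreviation; the sample messages are constructed.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Reported lookalike pattern: https://[state_ID]dmv.gov-[4-letter-string].cfd/pay
# Assumption (not stated in the article): state_ID is a two-letter state abbreviation.
DMV_LOOKALIKE = re.compile(r"^[a-z]{2}dmv\.gov-[a-z]{4}\.cfd$")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def classify_host(host: str) -> Optional[str]:
    """Return a reason if the hostname impersonates a DMV .gov site, else None."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return None
    # The registrable name is the last two labels (e.g. gov-abcd.cfd); the
    # "dmv.gov" text the victim sees is only a subdomain/label prefix.
    registered = ".".join(labels[-2:])
    if DMV_LOOKALIKE.match(host):
        return f"matches reported DMV toll-scam pattern (registered domain {registered})"
    # Broader check beyond the reported pattern: a "gov-" label used to mimic
    # .gov under a non-.gov registered domain whose hostname mentions dmv.
    if "dmv" in host and labels[-1] != "gov" and any(l.startswith("gov-") for l in labels):
        return f"'gov-' label under non-.gov registered domain {registered}"
    return None


def scan_sms(text: str) -> List[Tuple[str, str]]:
    """Extract URLs from SMS text and return (url, reason) for suspicious ones."""
    findings = []
    for url in URL_RE.findall(text):
        hostname = urlparse(url).hostname
        if hostname:
            reason = classify_host(hostname)
            if reason:
                findings.append((url, reason))
    return findings


# Constructed sample messages (not from the article; amounts and URL suffixes are made up).
SAMPLES = [
    "DMV notice: unpaid toll violation. Pay $6.99 at https://txdmv.gov-abcd.cfd/pay to avoid license suspension.",
    "Your registration renewal is ready at https://www.dmv.ca.gov/portal/ - no payment is due.",
    "Final reminder: https://nydmv.gov-wxyz.cfd/pay",
]

if __name__ == "__main__":
    for url, reason in scan_sms("\n".join(SAMPLES)):
        print(f"SUSPICIOUS {url}: {reason}")
```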