New SMS Phishing Attack Weaponizes Google AMP Links to Evade Detection

Group-IB’s High-Tech Crime Trends Report 2025 reveals a sharp 22% surge in phishing websites, with over 80,000 detected in 2024.

Among the most concerning discoveries is a sophisticated SMS phishing campaign targeting users of a toll road service provider, active since late 2023.

This operation, uncovered by Group-IB researchers, employs advanced technical strategies to deceive victims and evade detection, including the misuse of Google Accelerated Mobile Pages (AMP) links and third-party JavaScript libraries.

The campaign’s reliance on trusted platforms and intricate evasion mechanisms underscores the growing complexity of phishing threats in 2025.

Sophisticated Campaign Targets Toll Road Users

The attack begins with fraudulent SMS messages impersonating the toll road provider, often spoofing local or integrnational numbers to appear legitimate.

These messages create urgency by warning of overdue toll fees and impending penalties, prompting victims to click malicious links.

Rather than direct phishing URLs, cybercriminals use multi-layered redirections through Google AMP, a platform optimized for mobile browsing.

By cloaking malicious links within legitimate domains and leveraging users’ trust in Google’s services, attackers bypass traditional security filters that rely on domain reputation.

Once clicked, victims land on a near-perfect replica of the official toll service portal, designed to harvest personal and payment data, including names, addresses, and credit card details.

Advanced Evasion Tactics Leverage Trusted Services

What sets this campaign apart technically is its use of third-party JavaScript libraries like FingerprintJS and Cleave.js for evasion and data validation.

FingerprintJS enables browser fingerprinting, collecting unique device and browser data to restrict access to targeted victims while blocking researchers and automated scanners like VirusTotal through custom backend authorization checks.

For instance, access is denied if a VPN or datacenter IP is detected, ensuring only intended victims see the phishing content.

Meanwhile, Cleave.js formats input fields for credit card numbers and personal information in real-time, using algorithms like Luhn validation to ensure data accuracy before exfiltration.

This dual-purpose approach not only enhances the scam’s credibility but also complicates analysis by security tools.

Further deepening the deception, Group-IB’s analysis via their Unified Risk Platform (URP) and patented Graph technology revealed interconnected phishing domains linked through temporary email addresses in DNS records.

The campaign also exploits SMS pumping abuse, utilizing misconfigured gateways to automate bulk messaging, often localized in French to target specific Canadian regions.

Continuous data logging, facilitated by heartbeat functions, sends user interactions to the attackers’ backend every few seconds, ensuring real-time tracking of victim inputs.

This evolving threat landscape, as Group-IB warns, demands heightened vigilance.

Users are urged to scrutinize URLs, verify domain legitimacy, and avoid unsolicited links, while companies must adopt proactive Threat Intelligence and Digital Risk Protection solutions to combat brand abuse.

The abuse of trusted services like Google AMP signals a dangerous shift in phishing tactics, making it clear that both technical defenses and user awareness are critical to countering these elusive cyber threats.

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!