DMV-Style Phishing Scams Target U.S. Citizens to Harvest Sensitive Information

A highly coordinated phishing campaign surfaced, targeting U.S. citizens by impersonating various state Departments of Motor Vehicles (DMVs).

This widespread attack utilized SMS phishing, or “smishing,” as its primary delivery vector, bombarding victims with alarming text messages about fictitious unpaid toll violations.

These messages, often spoofed to appear as originating from local DMV numbers traced to sources in the Philippines, threatened license suspension or legal action, citing fabricated legal codes like “[State-Name] Administrative Code 15C-16.003” to enhance credibility.

Smishing Campaign Impersonates State Agencies

Victims were urged to click on malicious links leading to counterfeit DMV websites, meticulously themed to match their respective states, where they were prompted to pay a nominal fee of $6.99 and submit extensive personal information, including full names, addresses, and credit card details, under the guise of identity verification.

Technical analysis of this campaign uncovered a highly structured operation with clear indicators of a centralized phishing kit dubbed “Lighthouse,” previously linked to similar DMV-targeted attacks.

The malicious domains followed a consistent naming convention, such as https://[state_ID]dmv.gov-[4-letter-string].cfd/pay, and were often hosted on known malicious IPs like 49.51.75.162, with cloned pages for states including California, Texas, and New York sharing identical HTML file signatures.

Technical Insights Reveal China-Linked Infrastructure

Infrastructure analysis revealed uniform DNS configurations using Chinese name servers (alidns.com) and an SOA contact email tied to Chinese domain operations, alongside Chinese-language comments in the source code.

Web asset fingerprinting further confirmed the reuse of static files like C18UmYZN.js and state-specific logos across domains, pointing to a pre-packaged phishing kit designed for rapid deployment.

These elements, combined with hosting patterns mirroring low-cost, high-volume phishing-as-a-service models often advertised on Chinese cybercrime forums, strongly suggest attribution to a China-based threat actor.

The campaign’s scale was staggering, with thousands of newly registered domains and over 2,000 complaints reported to the FBI’s Internet Crime Complaint Center (IC3) in a single month, underscoring its devastating reach.

National media outlets, including CBS News and The New York Post, amplified public awareness, while states like Florida and Pennsylvania issued urgent advisories against interacting with unsolicited toll violation messages.

According to Check Point research Report, this multi-state attack has prompted a robust response from federal authorities, cybersecurity vendors, and telecom providers, who are collaborating to neutralize active infrastructure, enhance SMS filtering, and educate the public.

Threat intelligence bulletins detailing domain patterns and phishing kit artifacts have been disseminated to law enforcement, highlighting the critical need for proactive defense against such sophisticated scams.

As the campaign’s impact continues to unfold, the reuse of shared infrastructure and the believability of the low-cost transaction model serve as a stark reminder of the evolving tactics employed by cybercriminals to exploit trust in government institutions.

Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates