DMV-Themed Phishing Attacks Targeting U.S. Citizens to Steal Sensitive Data


A sophisticated phishing campaign targeting American citizens has emerged, exploiting the trusted reputation of state Departments of Motor Vehicles to harvest sensitive personal and financial information.

In May 2025, cybercriminals launched a coordinated attack that impersonated multiple U.S. state DMVs, using deceptive SMS messages and fraudulent websites to trick victims into paying fictitious toll violations.

The campaign leveraged widespread SMS phishing techniques and carefully crafted web infrastructure to create a convincing facade of legitimacy, causing significant concern among cybersecurity professionals and government agencies alike.


Figure: SMS phishing (Source – Check Point)

The attack primarily utilized SMS messages sent from spoofed phone numbers, often appearing to originate from local DMV agencies, though many were traced back to the Philippines.

Victims received alarming notifications about unpaid toll violations, threatening license suspension or legal penalties if they did not act immediately. To add credibility and urgency, the messages typically cited invented legal authority, such as a specific state administrative code section number.

The psychological manipulation was particularly effective, as recipients feared potential legal consequences for what appeared to be minor traffic infractions.

Check Point researchers identified the campaign’s sophisticated nature through comprehensive technical analysis, revealing shared infrastructure and consistent attack patterns across multiple states.

The cybersecurity firm’s investigation uncovered that victims who clicked the malicious links were redirected to fake DMV landing pages themed to match their specific state.

These fraudulent websites prompted users to pay a small fee, typically $6.99, before redirecting them to forms requesting extensive personally identifiable information including full names, home addresses, email addresses, phone numbers, and complete credit card details.

The public impact of this campaign has been unprecedented, with the FBI’s Internet Crime Complaint Center receiving over 2,000 complaints in a single month related to similar toll-related smishing scams.

Multiple states, including New York, New Jersey, Pennsylvania, Florida, Texas, and California, issued official warnings through their Department of Transportation and DMV websites.

The story gained national attention across major media outlets including CBS News, Fox News, The New York Post, and Time Magazine, highlighting the campaign’s extensive reach and effectiveness.

The scale and coordination of this operation represent one of the most widespread smishing attacks targeting Americans in recent memory, prompting federal authorities to distribute threat intelligence bulletins and coordinate response efforts across law enforcement agencies, cybersecurity vendors, and telecommunications providers.

Infrastructure Analysis and Attribution

Technical examination of the phishing campaign reveals a highly structured operation, with several indicators consistent with Chinese-speaking threat actors.

Figure: Infrastructure (Source – Check Point)

The malicious websites followed a predictable domain pattern: https://[state_ID]dmv.gov-[4-letter-string].cfd/pay. The ".gov-" fragment is the lure: a victim skimming the address sees "dmv.gov", but the registrable domain is actually gov-[4-letter-string].cfd, on a low-cost top-level domain such as .cfd or .win that is cheap to register and commonly abused by cybercriminals.
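A URL triage check for this pattern, written as an added example for this article (not Check Point's tooling). It encodes the reported host pattern as a regular expression, pulls out the state prefix and the real registrable domain, and falls back to flagging abused TLDs and "gov" lookalike labels. The sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Host pattern reported for the campaign:
#   https://[state_ID]dmv.gov-[4-letter-string].cfd/pay
# The lure is the ".gov-" fragment: a reader skimming the URL sees "dmv.gov",
# but the registrable domain is really "gov-<token>.cfd" (or .win).
CAMPAIGN_HOST = re.compile(
    r"^(?P<state>[a-z]{2})dmv\.gov-(?P<token>[a-z]{4})\.(?P<tld>cfd|win)$"
)

# Low-cost TLDs the report names as abused by the campaign.
ABUSED_TLDS = {"cfd", "win"}

# Constructed sample input (not real campaign indicators).
SAMPLE_URLS = [
    "https://nydmv.gov-abcd.cfd/pay",        # matches the reported pattern
    "https://txdmv.gov-qwer.win/pay",        # same pattern, .win TLD
    "https://dmv.ny.gov/",                   # genuine state site
    "https://www.dmv.ca.gov/portal/",        # genuine state site
    "https://tolls-payment.cfd/x",           # abused TLD, different lure
    "https://dmv-gov.example.com/pay",       # 'gov' lookalike label
    "https://example.com/dmv",               # unrelated
]


def classify_url(url: str) -> dict:
    """Classify one URL.

    'campaign'   - host matches the reported pattern exactly
    'suspicious' - abused TLD, or a 'gov' lookalike label that is not the real TLD
    'benign'     - anything else (including genuine *.gov hosts)
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    labels = host.split(".") if host else []
    tld = labels[-1] if labels else ""
    # Registrable domain: for these TLDs the last two labels are enough;
    # a production check would consult the Public Suffix List instead.
    registrable = ".".join(labels[-2:]) if len(labels) >= 2 else host
    pay_page = parsed.path.rstrip("/") == "/pay"

    m = CAMPAIGN_HOST.match(host)
    if m:
        return {"url": url, "verdict": "campaign", "state": m["state"].upper(),
                "registrable_domain": registrable, "pay_page": pay_page}

    # Any label that contains "gov" other than the real TLD is a lookalike.
    gov_lookalike = tld != "gov" and any(
        label == "gov" or label.startswith("gov-") or label.endswith("-gov")
        for label in labels[:-1]
    )
    if tld in ABUSED_TLDS or gov_lookalike:
        return {"url": url, "verdict": "suspicious", "state": None,
                "registrable_domain": registrable, "pay_page": pay_page}
    return {"url": url, "verdict": "benign", "state": None,
            "registrable_domain": registrable, "pay_page": False}


def triage(urls: list[str]) -> list[dict]:
    """Classify a batch of URLs, e.g. links extracted from reported SMS messages."""
    return [classify_url(u) for u in urls]


if __name__ == "__main__":
    for result in triage(SAMPLE_URLS):
        print(f"{result['verdict']:10} state={result['state']!s:5} "
              f"domain={result['registrable_domain']:22} {result['url']}")
```

The exact-pattern match is useful for retro-hunting proxy and SMS-gateway logs; the looser "suspicious" tier is what you would keep running after the operators rotate to a new naming scheme.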

Analysis revealed that a significant portion of these domains were hosted on a known malicious IP address, 49.51.75.162, which served state-specific HTML files for Pennsylvania, Georgia, Texas, California, New Jersey, New York, and Florida.

The infrastructure analysis uncovered compelling evidence of centralized operations through shared DNS infrastructure.

Figure: DMV pages used predictable TLDs (Source – Check Point)

All domains used the same name servers, alidns.com and dns8.alidns.com (Alibaba Cloud DNS), with a consistent SOA contact address of [email protected]. This points to registration and DNS hosting through Chinese providers, which supports the attribution picture without by itself identifying who operated the campaign.

Furthermore, DOM analysis revealed that each phishing website included a static set of five files: two JavaScript files (C18UmYZN.js, fliceXIj.js), one CSS file (C0Zfn5GX.css), and two image assets (BHcjXi3x.gif, BkBiYrmZ.svg).

The consistent reuse of these assets across domains strongly suggests the use of a centralized phishing kit, with Chinese-language comments found in the source code further reinforcing attribution to Chinese-speaking threat actors.
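A page-level kit fingerprint built from the two indicators above, added here as an example and not taken from Check Point's tooling. It parses an HTML page with the standard library, collects the basenames of referenced script, stylesheet and image assets, compares them with the five reported asset names, and counts HTML comments containing Chinese characters. The two sample pages are constructed for illustration; only the asset filenames come from the report.

```python
import re
from html.parser import HTMLParser
from posixpath import basename
from urllib.parse import urlparse

# Static asset names reported across every phishing page in the campaign.
KIT_ASSETS = frozenset({
    "C18UmYZN.js", "fliceXIj.js",    # JavaScript
    "C0Zfn5GX.css",                  # stylesheet
    "BHcjXi3x.gif", "BkBiYrmZ.svg",  # image assets
})

# CJK Unified Ideographs block: enough to flag Chinese-language comments.
CJK = re.compile(r"[\u4e00-\u9fff]")


class AssetCollector(HTMLParser):
    """Collect referenced asset basenames and count comments containing CJK text."""

    def __init__(self) -> None:
        super().__init__()
        self.assets: set[str] = set()
        self.cjk_comments = 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        ref = None
        if tag in ("script", "img"):
            ref = attrs.get("src")
        elif tag == "link":
            ref = attrs.get("href")
        if ref:
            # Drop directories and query strings; only the basename is fingerprinted,
            # so "/assets/fliceXIj.js?v=3" and "fliceXIj.js" match the same way.
            self.assets.add(basename(urlparse(ref).path))

    def handle_comment(self, data):
        if CJK.search(data):
            self.cjk_comments += 1


def fingerprint(html: str, threshold: int = 3) -> dict:
    """Score one page against the kit. 'threshold' (an assumption, not from the
    report) is how many of the five assets must appear before we call it a hit."""
    parser = AssetCollector()
    parser.feed(html)
    parser.close()
    matched = parser.assets & KIT_ASSETS
    return {
        "matched_assets": sorted(matched),
        "kit_match_ratio": len(matched) / len(KIT_ASSETS),
        "cjk_comments": parser.cjk_comments,
        "is_kit": len(matched) >= threshold,
    }


# Constructed sample pages (not captured from the campaign).
PHISH_PAGE = """<!DOCTYPE html><html><head>
<!-- 支付页面 -->
<link rel="stylesheet" href="/assets/C0Zfn5GX.css">
<script type="module" src="/assets/C18UmYZN.js"></script>
<script src="/assets/fliceXIj.js?v=3"></script>
</head><body>
<img src="/assets/BkBiYrmZ.svg" alt="DMV"><img src="/assets/BHcjXi3x.gif">
<form action="/pay"></form>
</body></html>"""

BENIGN_PAGE = """<html><head><!-- site header -->
<link rel="stylesheet" href="/static/main.css"><script src="/static/app.js"></script>
</head><body><img src="/static/logo.svg"></body></html>"""


if __name__ == "__main__":
    for name, page in (("phish", PHISH_PAGE), ("benign", BENIGN_PAGE)):
        print(name, fingerprint(page))
```

Asset-name fingerprints like this are cheap to run over crawled pages or URL-scanner results and survive domain rotation, but they break as soon as the kit is rebuilt with new hashed filenames, so treat the match list as a pivot to find more hosts rather than as a long-lived detection.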

This evidence aligns with known patterns of low-cost, high-volume phishing-as-a-service operations frequently advertised on Chinese-language cybercrime forums.



