Weaponized DMV-Themed Phishing Attacking U.S. Citizens to Harvest Personal and Financial Data
A sophisticated phishing campaign emerged in May 2025, targeting U.S. citizens through a coordinated impersonation of state Department of Motor Vehicles (DMV) agencies.
This large-scale operation utilized SMS phishing techniques combined with deceptive web infrastructure to harvest personal and financial information from unsuspecting victims across multiple states.
The attackers employed alarming messages about unpaid toll violations, directing recipients to fraudulent DMV websites that prompted immediate payment of nominal fines to resolve fictitious legal issues.
The campaign’s primary delivery vector was SMS messages sent from spoofed phone numbers, many of them traced to the Philippines; the spoofing was intended to make the texts appear to come from a legitimate state agency.
Victims received threatening messages citing fabricated legal codes such as “[State-Name] Administrative Code 15C-16.003” and warnings of license suspension or legal penalties if immediate action was not taken.
These messages directed recipients to malicious links leading to state-themed phishing websites designed to collect extensive personal information and payment card details under the guise of identity verification.
Check Point researchers noted that the campaign demonstrated remarkable technical sophistication and scale, with the FBI’s Internet Crime Complaint Center receiving over 2,000 related complaints within a single month.
The operation’s widespread impact prompted official alerts from multiple states including New York, New Jersey, Pennsylvania, Florida, Texas, and California, while national media outlets including CBS News, Fox News, The New York Post, and Time Magazine provided extensive coverage to raise public awareness.
Infrastructure Analysis and Attribution
Technical analysis revealed a highly structured phishing operation utilizing shared infrastructure and consistent patterns across all malicious domains.
The attackers employed a predictable domain structure following the pattern https://[state_ID]dmv.gov-[4-letter-string].cfd/pay, with most domains hosted on the IP address 49.51.75.162. Note that “.gov-” here is only the start of a label under the .cfd top-level domain; none of these hosts sit under .gov, which is the point of the lure.
Analysis uncovered six HTML files, one per targeted state, each with a distinct file hash; the report lists the Pennsylvania (5c7b246ec5b654c6ba0c86c89ba5cbaa61d68536efc32) and California (5df0fcc2b6b3d3e52fb635c0b7bac41d27b5b75cbfeb1) pages.
The campaign utilized uniform DNS infrastructure with all domains pointing to alidns.com and dns8.alidns.com name servers, while the SOA contact address consistently showed [email protected].
DOM analysis revealed each phishing website contained identical static assets including JavaScript files (C18UmYZN.js, fliceXIj.js), CSS files (C0Zfn5GX.css), and image assets (BHcjXi3x.gif, BkBiYrmZ.svg).
The reuse of these assets across domains strongly indicated the use of a centralized phishing kit known as “Lighthouse,” previously utilized against U.S. DMVs, with Chinese-language comments in source code reinforcing attribution to a China-based threat actor.
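The two infrastructure signals above, the `[state_ID]dmv.gov-[4-letter-string].cfd/pay` host shape and the identical static assets served by every site, can be turned into triage logic. The following Python is an added example written for this page, not code from Check Point or from the Lighthouse kit. It assumes the state_ID is a two-letter abbreviation, and all SMS bodies, DNS resolutions and DOM asset lists in it are constructed sample data; the hosting IP and asset filenames are the ones quoted in the article.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlparse

# Host shape reported for the campaign: [state_ID]dmv.gov-[4-letter-string].cfd
# e.g. padmv.gov-abcd.cfd. "gov-" is merely the start of a label under .cfd.
# Two-letter state_ID is an assumption of this example.
DMV_LURE_RE = re.compile(r"^(?P<state>[a-z]{2})dmv\.gov-(?P<token>[a-z]{4})\.cfd$", re.I)
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.I)
CAMPAIGN_IP = "49.51.75.162"  # hosting IP reported for most campaign domains

# Static asset filenames reported as identical across the phishing sites.
KIT_ASSETS = ["C18UmYZN.js", "fliceXIj.js", "C0Zfn5GX.css", "BHcjXi3x.gif", "BkBiYrmZ.svg"]


def asset_fingerprint(asset_names):
    """SHA-256 over the sorted, de-duplicated asset filenames: same kit, same digest."""
    canonical = "\n".join(sorted(set(asset_names)))
    return hashlib.sha256(canonical.encode()).hexdigest()


KIT_FINGERPRINT = asset_fingerprint(KIT_ASSETS)


def classify_url(url):
    """Parse one URL and report whether its host follows the lure pattern."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    m = DMV_LURE_RE.match(host)
    info = {"url": url, "host": host, "pattern_match": m is not None}
    if m:
        info["state"] = m.group("state")
        info["token"] = m.group("token")
        info["pay_path"] = parsed.path.rstrip("/") == "/pay"
    return info


def triage_messages(messages, resolutions, site_assets):
    """Score every URL in the messages on three signals: host shape, hosting IP,
    and static-asset fingerprint. `resolutions` maps host -> IP and `site_assets`
    maps host -> asset filenames; here both are constructed, in practice they come
    from DNS lookups and a captured DOM."""
    results = []
    for msg in messages:
        for url in URL_RE.findall(msg):
            info = classify_url(url)
            host = info["host"]
            info["campaign_ip"] = resolutions.get(host) == CAMPAIGN_IP
            assets = site_assets.get(host)
            info["kit_assets"] = assets is not None and asset_fingerprint(assets) == KIT_FINGERPRINT
            info["score"] = sum([info["pattern_match"], info["campaign_ip"], info["kit_assets"]])
            results.append(info)
    return results


def cluster_by_assets(site_assets):
    """Group hosts that serve an identical set of static assets (shared-kit clustering)."""
    clusters = defaultdict(list)
    for host, assets in site_assets.items():
        clusters[asset_fingerprint(assets)].append(host)
    return {fp: sorted(hosts) for fp, hosts in clusters.items()}


# --- Constructed sample data: not real messages, hosts, resolutions or captures ---
SAMPLE_SMS = [
    "PA DMV Final Notice: unpaid toll. Per Pennsylvania Administrative Code 15C-16.003 "
    "your license will be suspended. Pay now: https://padmv.gov-qwer.cfd/pay",
    "CA DMV: outstanding toll violation, settle $6.99 today https://cadmv.gov-zxcv.cfd/pay",
    "Reminder: your DMV appointment is tomorrow, see https://www.dmv.pa.gov/appointments",
    "Toll notice https://txdmv.gov-abcde.cfd/pay",  # five-letter token: outside the pattern
]
SAMPLE_RESOLUTIONS = {
    "padmv.gov-qwer.cfd": CAMPAIGN_IP,
    "cadmv.gov-zxcv.cfd": CAMPAIGN_IP,
    "txdmv.gov-abcde.cfd": CAMPAIGN_IP,
    "www.dmv.pa.gov": "203.0.113.10",
}
SAMPLE_ASSETS = {
    "padmv.gov-qwer.cfd": KIT_ASSETS,
    "cadmv.gov-zxcv.cfd": ["BkBiYrmZ.svg", "C0Zfn5GX.css", "C18UmYZN.js", "fliceXIj.js", "BHcjXi3x.gif"],
    "txdmv.gov-abcde.cfd": KIT_ASSETS + ["extra.js"],
    "www.dmv.pa.gov": ["site.css", "app.js"],
}

if __name__ == "__main__":
    for r in triage_messages(SAMPLE_SMS, SAMPLE_RESOLUTIONS, SAMPLE_ASSETS):
        print(f"{r['score']}/3  {r['host']:<24} pattern={r['pattern_match']} "
              f"ip={r['campaign_ip']} kit={r['kit_assets']}")
    for fp, hosts in cluster_by_assets(SAMPLE_ASSETS).items():
        print(fp[:12], hosts)
```

The fourth sample shows why the host regex should not be the only signal: a five-letter token defeats the exact pattern, yet the host still resolves to the campaign IP. The asset fingerprint is order-independent (the California list is deliberately shuffled), so any site serving exactly the reported kit files lands in the same cluster regardless of domain name.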