Weaponized DMV-Themed Phishing Scam Targets U.S. Citizens to Steal Personal and Financial Data
A highly coordinated phishing campaign impersonating various U.S. state Departments of Motor Vehicles (DMVs) has emerged as a significant threat, targeting citizens across multiple states with the intent to harvest personal and financial data.
This sophisticated operation employs SMS phishing, commonly known as smishing, by sending alarming text messages from spoofed numbers that often appear to originate from local DMV agencies.
These messages typically warn of unpaid toll violations or threats of license suspension, citing fictitious legal codes to bolster credibility, and urge victims to click on malicious links to resolve fabricated fines.
Technical analysis has revealed that many of these spoofed numbers trace back to origins in the Philippines, showing the attackers’ practiced use of SMS spoofing to make the messages appear legitimate.

Infrastructure Reveals China-Based Threat Actor
Upon clicking the links, victims are directed to meticulously crafted fake DMV websites tailored to match their state’s branding, such as those for Pennsylvania, Georgia, Texas, California, New Jersey, New York, and Florida.
According to the Check Point Research report, these phishing pages, often hosted on domains following the pattern https://[state_ID]dmv.gov-[4-letter-string].cfd/pay, prompt users to pay nominal fees (around $6.99) and submit extensive personally identifiable information (PII), including full names, addresses, and credit card details.
A deeper dive into the campaign’s infrastructure uncovered a centralized phishing kit named “Lighthouse,” previously linked to similar DMV-targeted attacks.

The malicious domains, predominantly using low-cost TLDs like [.cfd] and [.win], are tied to a known malicious IP address (49.51.75.162) and share identical DNS infrastructure with name servers from alidns.com and SOA contacts linked to Chinese domain operations ([email protected]).
Additionally, the reuse of frontend assets such as specific JavaScript, CSS, and image files, along with Chinese-language comments in the source code, strongly points to a China-based threat actor, likely operating within a phishing-as-a-service model of the kind commonly advertised on Chinese cybercrime forums.
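As an added example (not code from Check Point Research or from this article), the following Python triage script flags SMS bodies that carry URLs matching the domain shape reported above, use the report's high-abuse TLDs, or point at the reported IP. The assumption that the state prefix is alphabetic and the suffix is exactly four letters is an interpretation of the published pattern, and the sample messages are constructed.

```python
import re
from urllib.parse import urlparse

# Host shape from the report: <state_ID>dmv.gov-<4-letter-string>.<cheap TLD>
# Assumption: state_ID is alphabetic and the suffix is exactly four letters.
DMV_LURE_RE = re.compile(r"^[a-z]{2,}dmv\.gov-[a-z]{4}\.(cfd|win)$", re.IGNORECASE)
HIGH_ABUSE_TLDS = {"cfd", "win"}   # TLDs named in the report
KNOWN_BAD_IPS = {"49.51.75.162"}   # IP address named in the report
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def classify_url(url: str) -> dict:
    """Return the host plus a list of reasons the URL looks like a DMV lure."""
    host = (urlparse(url).hostname or "").lower()
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    reasons = []
    if DMV_LURE_RE.match(host):
        reasons.append("dmv-gov-lookalike-host")
    if tld in HIGH_ABUSE_TLDS:
        reasons.append(f"high-abuse-tld:{tld}")
    if host in KNOWN_BAD_IPS:
        reasons.append("known-bad-ip")
    # Real DMV sites sit under .gov; "dmv" anywhere else in a host is worth a look.
    if "dmv" in host and not host.endswith(".gov"):
        reasons.append("dmv-keyword-off-gov")
    return {"url": url, "host": host, "reasons": reasons, "suspicious": bool(reasons)}


def scan_messages(messages):
    """Extract every URL from each message and keep only the suspicious verdicts."""
    hits = []
    for msg in messages:
        for url in URL_RE.findall(msg):
            verdict = classify_url(url)
            if verdict["suspicious"]:
                hits.append(verdict)
    return hits


# Constructed sample SMS bodies (not real campaign text).
SAMPLE_SMS = [
    "PA DMV: Final notice. Unpaid toll violation, code 15-A. Pay now: https://padmv.gov-abcd.cfd/pay",
    "Your NJ license will be suspended. Settle $6.99 at https://njdmv.gov-wxyz.win/pay",
    "Renew online at https://www.dmv.ca.gov/portal/",
    "Package delayed, see https://example.com/track",
]

if __name__ == "__main__":
    for hit in scan_messages(SAMPLE_SMS):
        print(hit["host"], hit["reasons"])
```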
Widespread Impact
The scale of this smishing campaign marks it as one of the most extensive of its kind in recent U.S. history, affecting thousands of citizens and drawing significant media attention from outlets like CBS News, Fox News, and Time Magazine.
States including New York, New Jersey, and Texas have issued public alerts, while the FBI’s Internet Crime Complaint Center (IC3) reported over 2,000 related complaints in a single month.
Federal and industry efforts are now focused on neutralizing active infrastructure, sharing indicators of compromise (IOCs), and enhancing public awareness.
End users are advised to avoid unsolicited payment requests and report suspicious texts to 7726 (SPAM) or the FTC, while organizations should block high-abuse TLDs and implement email authentication protocols like DMARC.
Threat intelligence teams are encouraged to integrate shared IOCs into firewalls and collaborate via platforms like MISP to curb this pervasive threat.
The campaign’s believability and low transaction value underscore the critical need for vigilance and proactive cybersecurity measures.