In May 2025, a sophisticated phishing campaign emerged, impersonating several U.S. state Departments of Motor Vehicles (DMVs). This campaign leveraged widespread SMS phishing (smishing) and deceptive web infrastructure to harvest personal and financial data from unsuspecting citizens. Victims received alarming messages concerning unpaid toll violations and were directed to fake DMV websites that prompted them to resolve the issue by paying a nominal fine. These cloned websites requested extensive personal information and credit card credentials under the guise of verifying user identity.

Technical analysis of this campaign uncovered shared infrastructure, consistent domain naming conventions, reused frontend assets, and strong indicators pointing to a China-based threat actor. The widespread impact and impersonation of trusted state agencies underscore the urgency of awareness and proactive defense.

Attack Description

Delivery Vectors
Victims were primarily targeted via SMS messages sent from spoofed numbers, often appearing to be local DMV agencies. Many of these numbers were traced to origins in the Philippines, with the senders leveraging SMS spoofing techniques to enhance legitimacy. In some instances, attackers used email addresses from obscure domains. The content of these messages typically included threats of license suspension or legal penalties and encouraged victims to click a link to resolve a minor traffic-related fine. To appear more legitimate, the scam messages often cited fictitious legal codes, such as “[State-Name] Administrative Code 15C-16.003”.

Phishing Website Behavior
Clicking the link directed users to a fake DMV landing page themed to match the victim’s state. The user would be greeted with messages indicating an outstanding financial penalty and urged to address the matter promptly. Victims were then prompted to pay a small fee, after which they were redirected to a form collecting PII including full name, home address, email address, phone number and full credit card information.

Infrastructure Analysis

Technical analysis revealed that the phishing campaign was highly structured. Most malicious websites followed the pattern:

https://[state_ID]dmv.gov-[4-letter-string].cfd/pay

Although the campaign is vast, spanning many IP addresses and thousands of newly registered phishing domains, a significant portion of the domains were hosted on a single known malicious IP address: 49.51.75[.]162.

A set of six HTML files linked to this IP was recovered, each mapped to a different state: Pennsylvania, Georgia, Texas, California, New Jersey, New York, and Florida. The cloned DMV pages used predictable TLDs such as [.cfd] and [.win], chosen for their low cost and ease of registration. The hashes of these files, by state:

  • NJ: 288f3cb007f3ad99835a541b6be7e07f64aa7f7a56025518f02a1f0af41585b0
  • CA: 5df0fcc2b6b3d3e52fb635c0b7bac41d27b5b75cbfeb16c024d66a59657d5535
  • TX: 94126506523ebbf35ec9689f593d061453ab39395bf63098464dcbc270ee7f48
  • FL: 2f71a0956b7f073735dab092b0fb8e4c222538cf0a6bbdf7517a02ece6934157
  • GA: e88b894cc69c4f4ec5f6fdb2e7a0314601241571bf02154412c0168973fdc4df
  • PA: 5c7b246ec5b654c6ba0c86c89ba5cbaa61d68536efc32283da7694ed8e70b16d

Interestingly, other phishing addresses, seemingly hosted on different and unrelated IP addresses, were found to serve the same signature HTML files associated with the phishing design described above.

  • Shared DNS Infrastructure
    All domains used the same name servers: alidns.com and dns8.alidns.com. Additionally, the SOA contact address for all domains was [email protected] — a strong attribution link to Chinese domain operations.
  • Web Asset Fingerprinting
    DOM analysis showed each phishing website included a static set of five files:

    • JavaScript: C18UmYZN.js, fliceXIj.js
    • CSS: C0Zfn5GX.css
    • Image Assets: BHcjXi3x.gif, BkBiYrmZ.svg (typically a state logo)

The reuse of these assets across domains strongly suggests a centralized phishing kit. A phishing kit is a pre-packaged set of tools, scripts, and website templates that allows attackers to quickly deploy fake login or payment pages mimicking legitimate services. These kits often include ready-to-use HTML/CSS files, JavaScript for data capture, and instructions for hosting, making it easy even for low-skilled threat actors to launch phishing campaigns at scale. Additionally, Chinese-language comments in the source code further reinforce attribution to a Chinese-speaking threat actor.
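As an added example (not code from Cyberint or the original post), the following Python triages SMS links against the hostname convention described above and fingerprints page HTML for the reused kit asset filenames. It assumes the state ID is a two-letter abbreviation and the TLD is .cfd or .win; all sample messages and HTML are constructed.

```python
import re
from urllib.parse import urlparse

# Hostname shape reported for the campaign: <state_ID>dmv.gov-<4-letter-string>.<tld>
# Assumption (ours, not the report's): state_ID is a two-letter state abbreviation
# and the TLD is one of the two abuse-prone TLDs named in the report.
DMV_LOOKALIKE = re.compile(
    r"^(?P<state>[a-z]{2})dmv\.gov-(?P<tag>[a-z]{4})\.(?P<tld>cfd|win)$"
)

# Static asset filenames the report found reused across the cloned DMV pages.
KIT_ASSETS = {"C18UmYZN.js", "fliceXIj.js", "C0Zfn5GX.css",
              "BHcjXi3x.gif", "BkBiYrmZ.svg"}

def match_dmv_lookalike(url: str):
    """Return pattern components if the URL's host fits the convention, else None."""
    host = (urlparse(url).hostname or "").lower()
    m = DMV_LOOKALIKE.match(host)
    return m.groupdict() if m else None

def kit_assets_in_html(html: str) -> set:
    """Return which known kit asset filenames a page references (any directory)."""
    refs = re.findall(r'(?:src|href)=["\']([^"\']+)["\']', html)
    names = {ref.rsplit("/", 1)[-1] for ref in refs}
    return names & KIT_ASSETS

def triage_sms(messages):
    """Return (url, STATE, tld) for every embedded link that fits the pattern."""
    hits = []
    for body in messages:
        for url in re.findall(r"https?://\S+", body):
            parts = match_dmv_lookalike(url)
            if parts:
                hits.append((url, parts["state"].upper(), parts["tld"]))
    return hits

# Constructed sample input (not real campaign data): two lookalikes, one legitimate link
# using the reserved .example TLD as a stand-in for a genuine DMV site.
SAMPLE_SMS = [
    "Toll violation notice, settle at https://nydmv.gov-abcd.cfd/pay",
    "Renew your registration at https://dmv.state.example/ (official site)",
    "Final notice per Administrative Code 15C-16.003 https://txdmv.gov-qwer.win/pay",
]
SAMPLE_HTML = ('<link rel="stylesheet" href="/assets/C0Zfn5GX.css">'
               '<script src="/assets/C18UmYZN.js"></script>'
               '<img src="/img/BkBiYrmZ.svg" alt="state logo">')
```

Feeding an SMS gateway export or a crawled page into these two functions gives a per-message and per-page hit list that can be forwarded as indicators.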

Threat Actor Attribution

Attribution is tentative but compelling. The use of Chinese SOA contacts, Chinese DNS providers, Chinese-language comments in source code, and uniform hosting behavior all point toward a threat actor operating out of China. The infrastructure aligns with known patterns of low-cost, high-volume phishing-as-a-service operations often advertised on Chinese-language cybercrime forums.

Using Cyberint’s TI tools, we were able to retrieve files associated with a known phishing kit called “Lighthouse”, which has been used in the past specifically against US-based DMVs, and compare them with the behaviors and artifacts associated with the current attack.

Scope and Public Impact

The scale of this DMV phishing campaign is among the most widespread smishing attacks reported in the U.S. in recent memory. The coordinated impersonation of government agencies via state-branded phishing sites and mass-distributed SMS messages led to a multi-state impact. The story was covered in national media outlets such as CBS News, Fox News, The New York Post, and Time Magazine, amplifying public awareness and prompting urgent advisories from both federal and state authorities.

Multiple states—including New York, New Jersey, Pennsylvania, Florida, Texas, and California—issued official alerts through their Department of Transportation (DOT) or DMV websites and social media channels. These advisories urged residents to avoid clicking suspicious links, reminded them that toll violations are never handled via unsolicited text messages, and encouraged reporting through designated fraud hotlines.

The FBI’s Internet Crime Complaint Center (IC3) confirmed that it received over 2,000 complaints in a single month relating to similar toll-related smishing scams, a strong indicator of the campaign’s reach and effectiveness. Industry watchdogs estimate that many more incidents went unreported, particularly given the low transaction value ($6.99) and the high believability of the scam’s presentation.

In response, federal authorities began distributing threat intelligence bulletins to law enforcement and cybersecurity partners, outlining domain patterns, hosting IPs, and phishing kit artifacts. The campaign’s visibility has also sparked collaboration across cybersecurity vendors, public sector IT teams, and telecom providers to identify and neutralize active infrastructure, improve SMS filtering, and boost public education efforts.

Recommendations

For End Users

  • Never trust unsolicited messages requesting payment or personal data.
  • Visit DMV websites by typing their URL directly into the browser.
  • Report suspicious messages by forwarding them to 7726 (SPAM) and notifying the FTC at reportfraud.ftc.gov.

For Organizations and Agencies

  • Notify users via social media and official websites about ongoing scams.
  • Block high-abuse TLDs like [.cfd] and [.win] at the DNS level.
  • Implement DMARC, SPF, and DKIM to mitigate spoofed domain abuse.

For Threat Intelligence Teams

  • Block the IoCs shared in this blog post at your firewall.
  • Share indicators of compromise (IoCs) via MISP or other threat sharing platforms.