Cybercriminals Exploit GovDelivery to Launch Sophisticated TxTag Toll Phishing Attacks

In a recent and alarming development, cybercriminals have orchestrated a sophisticated phishing campaign by compromising Indiana government email accounts to distribute fraudulent messages related to TxTag toll collections. The operation abuses the GovDelivery communications platform, a service widely used by government agencies to reach subscribers, to lend an air of legitimacy to scam emails targeting unsuspecting recipients nationwide.

The Anatomy of the Phishing Attack

The fraudulent emails appear to originate from legitimate Indiana government addresses, such as [email protected]. These messages inform recipients of fictitious unpaid toll charges, urging them to settle these balances promptly to avoid penalties. The attackers have registered look-alike domains that host convincing replicas of the TxTag payment portal, designed specifically to harvest sensitive personal and financial information from victims.

Technical analysis by cybersecurity experts has revealed that these phishing websites employ sophisticated data exfiltration methods. The sites collect victim information through POST requests to endpoints like https://txtag-us.xyz/api/client/ and maintain persistent WebSocket connections (wss://txtag-us.xyz/sync-message). This setup enables real-time session monitoring, allowing attackers to track victim interactions with the phishing site and potentially bypass security measures.
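A defender-side illustration of how the exfiltration pattern described above shows up in outbound traffic. This is an added example, not part of the original article or any vendor's tooling: it scans constructed web-gateway log lines (assumed format: timestamp, client IP, method, URL) and flags requests to a brand look-alike domain, to the kit's `/api/client/` and `/sync-message` endpoints, and WebSocket session channels, while never alerting on the real operator domain.

```python
import re
from urllib.parse import urlsplit

# Constructed sample web-gateway log lines (not taken from the article).
# Assumed format: <timestamp> <client_ip> <method> <url>
SAMPLE_LOG = """\
2025-05-13T14:02:11Z 10.0.0.5 GET https://www.txtag.org/
2025-05-13T14:05:40Z 10.0.0.7 GET https://txtag-us.xyz/pay
2025-05-13T14:05:52Z 10.0.0.7 POST https://txtag-us.xyz/api/client/
2025-05-13T14:05:53Z 10.0.0.7 GET wss://txtag-us.xyz/sync-message
2025-05-13T14:07:01Z 10.0.0.9 GET https://example.com/news
"""

OFFICIAL_DOMAINS = {"txtag.org"}          # legitimate operator domain from the article
BRAND_TOKENS = ("txtag",)                 # brand string a look-alike domain tends to carry
EXFIL_PATHS = {"/api/client/", "/sync-message"}  # kit endpoints named in the article
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def registered_domain(host):
    """Crude eTLD+1 (last two labels); enough for .org/.xyz style names."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def classify(url, method):
    """Return the reasons one request looks like traffic to the phishing kit."""
    u = urlsplit(url)
    host = u.hostname or ""
    reasons = []
    if registered_domain(host) in OFFICIAL_DOMAINS:
        return reasons                    # the real operator: never alert
    if any(tok in host for tok in BRAND_TOKENS):
        reasons.append("brand look-alike domain")
    if u.path in EXFIL_PATHS:
        reasons.append("kit endpoint " + u.path)
    if u.scheme in ("ws", "wss") and reasons:
        reasons.append("websocket session channel")       # live session monitoring
    if method == "POST" and "brand look-alike domain" in reasons:
        reasons.append("form data posted to look-alike")  # harvested form data leaving
    return reasons

def find_alerts(log_text):
    """Scan log lines and return (client_ip, url, reasons) for each hit."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and (reasons := classify(m.group(4), m.group(3))):
            alerts.append((m.group(2), m.group(4), reasons))
    return alerts
```

In production the brand token list and official-domain allowlist would be fed from the operator's published domains rather than hard-coded.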

Exploitation of Government Email Infrastructure

The Indiana Office of Technology (IOT) has confirmed that this phishing campaign stems from a security breach involving a former government contractor. Although the state’s contract with GovDelivery ended on December 31, 2024, the associated account remained active. This oversight provided an attack vector for malicious actors who compromised the contractor’s credentials, gaining access to GovDelivery’s email distribution capabilities that reach millions of subscribers.

Indiana Secretary of State Diego Morales issued an urgent warning on May 13, 2025, stating, "These scams are dangerous, deceptive, and disruptive. I want to remind all Hoosiers to be cautious before opening emails and clicking on any unsolicited links, especially those that request personal information or direct you to unfamiliar websites. Your security is our top priority."

The IOT emphasized that legitimate government agencies do not send toll notifications via email or text. Similar warnings have been issued in other states, with the Illinois Tollway confirming they DO NOT use non-tollway entities – third-party websites – to collect or modify customer account information.

Protective Measures for the Public

To safeguard against such phishing attacks, security experts recommend the following measures:

– Exercise Caution with Emails: Avoid clicking on any links or opening attachments in unsolicited or suspicious emails.

– Report Suspicious Communications: Forward suspicious messages to the appropriate authorities. For instance, Illinois residents can report to [email protected].

– Monitor Financial Accounts: If you have entered payment information on a suspicious site, contact your credit card provider immediately to report potential fraud.

– Verify Through Official Channels: Confirm any toll charges directly through official websites, such as TxTag.org, or by contacting official customer service numbers like 1-888-468-9824.

The Broader Context of Toll-Related Phishing Scams

This incident is part of a larger trend of toll-related phishing scams targeting drivers across the United States. In April 2024, the FBI warned about a new type of smishing scam—phishing attacks conducted via SMS—where scammers send text messages claiming recipients owe small amounts in toll fees. These messages often include threats of late fees or suspension of driving privileges to prompt immediate action.

For example, a typical scam text might read:

PA Turnpike Toll Services: We’ve noticed an outstanding toll amount of $12.51 on your record. To avoid a late fee of $50.00, visit [URL to fake site] to settle your balance.

These messages often include links to fraudulent websites that closely mimic official toll service portals. Once victims enter their personal and financial information, scammers can commit identity theft or financial fraud.
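The traits the article lists for toll smishing (a small "owed" amount, a larger penalty, urgency wording, and a link that is not the operator's domain) can be turned into a simple scoring rule. This is an added example, not from the article or any toll operator: the two sample messages and the domain in the scam link are constructed, and only TxTag.org is taken from the page as an official domain.

```python
import re
from urllib.parse import urlsplit

# Domains a genuine toll notice may link to; TxTag.org is named in the article.
OFFICIAL_TOLL_DOMAINS = {"txtag.org"}

TOLL_RE = re.compile(r"\b(toll|tollway|turnpike|txtag)\b", re.I)
MONEY_RE = re.compile(r"\$\s?(\d{1,3}(?:,\d{3})*(?:\.\d{2})?)")
URGENCY_RE = re.compile(
    r"\b(late fee|penalt(?:y|ies)|suspen(?:d|ded|sion)|immediately|within \d+ (?:hours|days))\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\]]+", re.I)

# Constructed sample messages (not real traffic). The scam one follows the
# pattern quoted above; its link points at a made-up domain.
SCAM_SMS = ("PA Turnpike Toll Services: We've noticed an outstanding toll amount "
            "of $12.51 on your record. To avoid a late fee of $50.00, visit "
            "https://turnpike-toll-pay.example/settle to settle your balance.")
LEGIT_SMS = "TxTag: your monthly statement is ready at https://www.txtag.org/account"

def score_sms(text):
    """Return (score, reasons); each matched scam trait adds one point."""
    reasons = []
    if TOLL_RE.search(text):
        reasons.append("toll-related lure")
    amounts = [float(a.replace(",", "")) for a in MONEY_RE.findall(text)]
    if amounts and min(amounts) < 20:
        reasons.append("small 'owed' amount $%.2f" % min(amounts))
    if len(amounts) >= 2 and max(amounts) > min(amounts):
        reasons.append("larger penalty amount threatened")
    if URGENCY_RE.search(text):
        reasons.append("urgency or threat language")
    for url in URL_RE.findall(text):
        host = (urlsplit(url).hostname or "").lower()
        if ".".join(host.split(".")[-2:]) not in OFFICIAL_TOLL_DOMAINS:
            reasons.append("link to non-official domain " + host)
    return len(reasons), reasons

def is_toll_scam(text, threshold=3):
    """Flag a message when it shows at least `threshold` scam traits."""
    return score_sms(text)[0] >= threshold
```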

The Role of International Cybercriminals

Research indicates that some of these phishing campaigns are orchestrated by international cybercriminal groups. For instance, a China-based cybercriminal group known for selling sophisticated SMS phishing kits has been linked to a surge in toll-related phishing attacks. These kits include features that closely mimic toll operator websites as they appear on mobile devices, making the scams more convincing.

According to cybersecurity firm Palo Alto Networks, a threat actor has registered over 10,000 domains for these scams, impersonating toll services and package delivery services in at least 10 U.S. states and the Canadian province of Ontario.

The Importance of Vigilance

The exploitation of government communication systems for phishing campaigns underscores the need for heightened vigilance among the public. As cybercriminals continue to develop more sophisticated methods to deceive individuals, it is crucial to stay informed about potential threats and adopt proactive measures to protect personal and financial information.

By understanding the tactics used in these scams and following recommended protective measures, individuals can reduce their risk of falling victim to such fraudulent schemes.