Sophisticated DMV-Themed Phishing Campaign Targets U.S. Citizens

In May 2025, a sophisticated phishing campaign emerged, targeting U.S. citizens by impersonating state Department of Motor Vehicles (DMV) agencies. This large-scale operation combined SMS phishing techniques with deceptive web infrastructure to harvest personal and financial information from unsuspecting victims across multiple states.

Tactics Employed by Attackers

The attackers utilized alarming messages about unpaid toll violations, directing recipients to fraudulent DMV websites that prompted immediate payment of nominal fines to resolve fictitious legal issues. These SMS messages were sent from spoofed phone numbers, many traced to origins in the Philippines, with senders leveraging sophisticated spoofing techniques to enhance legitimacy.

Victims received threatening messages citing fabricated legal codes such as [State-Name] Administrative Code 15C-16.003 and warnings of license suspension or legal penalties if immediate action was not taken. These messages directed users to click malicious links leading to state-themed phishing websites designed to collect extensive personal information and credit card credentials under the guise of identity verification.

Infrastructure Analysis and Attribution

Technical analysis revealed a highly structured phishing operation utilizing shared infrastructure and consistent patterns across all malicious domains. The attackers employed a predictable domain structure following the pattern `https://[state_ID]dmv.gov-[4-letter-string].cfd/pay`, with most domains hosted on the malicious IP address 49.51.75.162.

Analysis uncovered six HTML files mapped to different states, each with unique hash signatures, including Pennsylvania (5c7b246ec5b654c6ba0c86c89ba5cbaa61d68536efc32) and California (5df0fcc2b6b3d3e52fb635c0b7bac41d27b5b75cbfeb1).

The campaign utilized uniform DNS infrastructure with all domains pointing to alidns.com and dns8.alidns.com name servers, while the SOA contact address consistently showed [email protected].

DOM analysis revealed each phishing website contained identical static assets, including JavaScript files (C18UmYZN.js, fliceXIj.js), CSS files (C0Zfn5GX.css), and image assets (BHcjXi3x.gif, BkBiYrmZ.svg). The reuse of these assets across domains strongly indicated the use of a centralized phishing kit known as Lighthouse, previously utilized against U.S. DMVs, with Chinese-language comments in source code reinforcing attribution to a China-based threat actor.
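For defenders, the host pattern and the shared asset names described above can be turned into a simple URL triage check for proxy, DNS, or SMS-gateway logs. The following is an added example, not code from the researchers or from the phishing kit; it assumes that [state_ID] is a two-letter state abbreviation, and the sample hostnames are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Host pattern from the article: [state_ID]dmv.gov-[4-letter-string].cfd
# Assumption: state_ID is a two-letter state abbreviation.
HOST_RE = re.compile(r"(?P<state>[a-z]{2})dmv\.gov-(?P<tag>[a-z]{4})\.cfd")

# Static asset names the article lists as shared across the phishing sites.
KIT_ASSETS = {"C18UmYZN.js", "fliceXIj.js", "C0Zfn5GX.css",
              "BHcjXi3x.gif", "BkBiYrmZ.svg"}


def classify(url):
    """Return the reasons a URL matches the campaign; empty list if none."""
    if "://" not in url:          # links in SMS bodies often omit the scheme
        url = "http://" + url
    parts = urlsplit(url)
    # .hostname lowercases and drops port/userinfo; strip a trailing root dot.
    host = (parts.hostname or "").rstrip(".")
    reasons = []
    # fullmatch so that look-alike prefixes of a longer hostname do not hit.
    m = HOST_RE.fullmatch(host)
    if m:
        reasons.append(f"host-pattern:{m.group('state')}")
    # Asset names are case-sensitive, so compare the last path segment as-is.
    leaf = parts.path.rsplit("/", 1)[-1]
    if leaf in KIT_ASSETS:
        reasons.append(f"kit-asset:{leaf}")
    return reasons


def scan(urls):
    """Map each flagged URL to its reasons; clean URLs are left out."""
    return {u: r for u in urls if (r := classify(u))}


# Constructed sample input (hostnames invented for illustration).
SAMPLE = [
    "https://padmv.gov-abcd.cfd/pay",
    "CADMV.GOV-WXYZ.CFD:443/pay",
    "https://www.dmv.pa.gov/Pages/default.aspx",
    "https://cdn.example.net/assets/C18UmYZN.js",
    "https://padmv.gov-abcd.cfd.example.com/pay",
]

if __name__ == "__main__":
    for url, why in scan(SAMPLE).items():
        print(url, why)
```

A kit-asset hit on an unrelated host is a weaker signal than a host-pattern hit and is best used to find further sites built from the same kit.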

Impact and Response

Check Point researchers noted that the campaign demonstrated remarkable technical sophistication and scale, with the FBI’s Internet Crime Complaint Center receiving over 2,000 related complaints within a single month.

The operation’s widespread impact prompted official alerts from multiple states, including New York, New Jersey, Pennsylvania, Florida, Texas, and California, while national media outlets provided extensive coverage to raise public awareness.

Protecting Yourself from Phishing Attacks

To safeguard against such phishing attacks, individuals should be cautious with all communications they receive, even those that appear to be from a trusted source. Phishers may use real company logos to make their communications seem legitimate. Look for common signs of phishing like poor spelling or grammar, the use of threats, or a URL that does not match that of the legitimate website. Do not respond to unsolicited text messages or emails, click on links, download files, or open attachments from an unverified source. Do not give personal information over the phone or through text or email, and do not enter personal information in a pop-up screen.

Conclusion

The emergence of this sophisticated DMV-themed phishing campaign underscores the evolving tactics of cybercriminals and the importance of vigilance among U.S. citizens. By staying informed and cautious, individuals can protect themselves from falling victim to such deceptive schemes.