Toll of Deception: Where Evasion Drives Phishing Forward
ID: aa1db9c8-32dc-5a40-a153-29a269134a0b
STIX ID: report--aa1db9c8-32dc-5a40-a153-29a269134a0b
Feed Name: Group-IB Blog
Group-IB analyzed an ongoing SMS phishing campaign that impersonates a toll-road service provider and directs victims to convincing fraudulent sites built to harvest personal and payment card data. The attackers combine multi-layered redirection (including Google AMP), browser fingerprinting (FingerprintJS) and input formatting/validation (Cleave.js) to restrict access to targeted victims, evade automated scanners and collect high-fidelity data; backend heartbeat and input-exfiltration endpoints capture session data every few seconds. Investigators uncovered linked domains via SOA records and, during analysis, demonstrated both the kit's active evasion and a trivial bypass of it (injecting a verified=true cookie). Recommendations include user education, domain monitoring, takedowns, and deployment of threat intelligence and digital risk protection.
