Happy Thursday! I'm celebrating the publication of my first blog post at @Netcraft as Principal Threat Researcher with a story about...#smishing for tax refunds.

Since the beginning of last month, a threat actor we're calling #LoggerEIO began registering domains for use in #phishing attacks.

They're now up to more than 850 registered domains, with thousands of websites in use (spread across a variety of subdomains) that dangle the prospect of a refund of overpaid state income tax as a lure.

Here's a quick 🧵 about it.

https://www.netcraft.com/blog/taxpayers-drivers-targeted-in-refund-and-road-toll-smishing-scams

#ThreatResearch #NetcraftConfirmsIt #Netcraft

Tax Refund & Road Toll Smishing Scams Surge Ahead of IRS Deadline

Threat actors deployed over 850 fake tax and toll websites to steal personal and financial data from U.S. and international victims. Netcraft uncovers the latest smishing campaign targeting taxpayers and drivers ahead of the October 15 IRS extension deadline.

First of all, this seems to be part of a much wider #smishing campaign that people are more familiar with: Fake road toll collection #scams

These have been a nuisance all year, and some of the sites hosting the same #phishing kit appear to be using that same ruse, simultaneously with the new one.

Did you get a message telling you that you owe $6.99 (or $6.69 - nice) in tolls? Probably part of this larger network of scammers.

Note how they have expanded to a variety of different locales: the City of Los Angeles, Seattle, Columbus (Ohio), and even the Canadian province of Ontario are all reflected, as well as the E-ZPass and SunPass multi-state toll payment systems, which together cover most of the US states that operate toll roads.

/2

#phishing #fraud #roadtoll #tollscams #netcraft #NetcraftConfirmsIt #EZPass #SunPass

In this #scam, the #smishing message informs you that you are owed a reimbursement or refund on overpaid state taxes. The #LoggerEIO group seems to have latched on to the idea of using individual states as the lure, rather than the federal #IRS, which is an interesting choice.

In the pages I looked at, the following states were represented with custom #phishing pages that use the same stylesheet, color scheme, and logos as the state tax agency they're impersonating.

Targeted states include Alabama, California, Connecticut, Delaware, Florida, Maryland, Massachusetts, Michigan, Minnesota, Montana, New Jersey, New York, Ohio, Texas, Tennessee, Washington, and Wisconsin.

/3

#smishing #netcraft #NetcraftConfirmsIt #taxrefund #taxrefundscam

Having recently returned from a trip to #Germany, where I spoke at #VirusBulletin, I have become more familiar with the appearance of some German government operated websites.

The Bundeszentralamt für Steuern (or BZSt), Germany's federal tax authority, is also represented in these #TaxScam #phishing pages.

Bizarrely, #LoggerEIO have decided to clone the template of one of the US-themed versions of the #smishing page which prominently features a banner image of a US form #1040 #tax return, and the corner of a $20 bill, neither of which (I suspect) the #BZSt use for tax filing in that country.

Whoopsie! Or, as my German friends might say, Hoppla!

/4

#smishing #phishing #netcraft #NetcraftConfirmsIt #Oops

Germany was not the only non-US country represented in the #LoggerEIO #smishing attack (so far).

There was one version of a page claiming to be the Spanish highway authority, Dirección General del Tráfico (DGT), that warns that you owe a 100 euro fine (multa) for some kind of driving infraction you committed, and that it must be paid within 24 hours.

More recently, I spotted a flood of pages that claim to be from the UK government's Winter Fuel Payment program. The real program helps impoverished people not freeze to death in winter by subsidizing the high cost of heating. But this page simply wants your credit card to "test" charge your card for £1 on the promise that you'll get up to £300.

/5

#smishing #phishing #roadtoll #HighwayRobbery #WinterFuelPayment #UK #spain #espana #Netcraft #NetcraftConfirmsIt #NetcraftResearch #Germany

And I just wanted to give a quick shoutout to our engineering team for noticing this bizarre trick that all of the #phishing pages do that we connect to this #LoggerEIO group.

The phishing kit in use has several pages that the victims are expected to click through. As the victim enters information on the first page and clicks the Continue button, the browser opens a WebSocket connection to the server and transmits the data, compressed, inside that WebSocket connection.

It isn't exactly encryption, more obfuscation: the compression, while reversible, has the effect of obscuring the content of the exfiltrated data. That little bit of effort might prevent a Data Loss Prevention (DLP) tool from recognizing outbound sensitive data before it's too late.

And the reason we call them #LoggerEIO is because all of the sites that Netcraft connects to this campaign do this on the same URI string: the page makes its GET request to the path /logger/?EIO=4&transport=websocket (EIO=4 is the Engine.IO protocol-version parameter that Socket.IO clients send, and transport=websocket selects the WebSocket transport rather than long polling) - and only when the victim sends the data.

/6

#smishing #phishing #NetcraftConfirmsIt #Netcraft #threatresearch #WebSocket
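An added example, not Netcraft's code and not anything lifted from the kit, that turns the two points above into checks a defender can run: it scans web-server log lines for the Engine.IO WebSocket handshake path named in this thread, and it shows why compressed exfiltration slips past a plaintext DLP pattern. The log lines, the form payload and the /logger/ path-prefix filter are constructed for the example; the thread does not say which compression the kit uses, so raw DEFLATE (what the WebSocket permessage-deflate extension produces) is assumed here as a stand-in.

```python
"""Added example (not Netcraft's code): two checks against the LoggerEIO behaviour.

1. Flag log lines whose request target is the Engine.IO v4 WebSocket handshake
   under /logger/, the path this campaign's pages use.
2. Show that a card-number DLP regex matches the plaintext form data, does not
   match the DEFLATE-compressed bytes, and matches again after inflating.

All sample data below is constructed for this example.
"""
import re
import zlib
from urllib.parse import parse_qs, urlsplit

# Constructed Common Log Format lines; IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Oct/2025:14:03:11 +0000] "GET /refund/index.html HTTP/1.1" 200 5120
203.0.113.7 - - [02/Oct/2025:14:03:40 +0000] "GET /logger/?EIO=4&transport=websocket HTTP/1.1" 101 0
198.51.100.9 - - [02/Oct/2025:14:05:02 +0000] "GET /logger/?EIO=4&transport=polling&t=abc HTTP/1.1" 200 96
198.51.100.9 - - [02/Oct/2025:14:06:13 +0000] "POST /api/login HTTP/1.1" 200 210
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_engineio_ws_handshake(target: str, path_prefix: str = "/logger/") -> bool:
    """True when the request target is an Engine.IO v4 WebSocket handshake at path_prefix.

    EIO=4 is the Engine.IO protocol version sent by Socket.IO clients;
    transport=websocket selects WebSocket rather than long polling. Legitimate
    Socket.IO sites send the same parameters, usually under /socket.io/, so the
    path prefix (an assumption for this example) is what makes the match specific.
    """
    parts = urlsplit(target)
    if parts.path != path_prefix:
        return False
    qs = parse_qs(parts.query)
    return qs.get("EIO") == ["4"] and qs.get("transport") == ["websocket"]


def find_loggereio_handshakes(log_text: str) -> list:
    """Return (client_ip, timestamp, target) for each matching log line."""
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if m and is_engineio_ws_handshake(m["target"]):
            hits.append((m["ip"], m["ts"], m["target"]))
    return hits


# --- Part 2: compression defeats a plaintext DLP pattern ---------------------

# Simplified 16-digit card pattern of the kind a DLP rule might carry.
CARD_RE = re.compile(rb"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b")

# Constructed form submission; 4111 1111 1111 1111 is a well-known test number.
PLAINTEXT_FORM = b'{"name":"Jane Doe","card":"4111 1111 1111 1111","exp":"12/27","cvv":"123"}'


def deflate(data: bytes) -> bytes:
    """Raw DEFLATE (no zlib header), as WebSocket permessage-deflate emits it."""
    c = zlib.compressobj(wbits=-15)
    return c.compress(data) + c.flush()


def inflate(data: bytes) -> bytes:
    """Reverse of deflate(): the compression is reversible, not encryption."""
    return zlib.decompress(data, wbits=-15)


def dlp_sees_card(payload: bytes) -> bool:
    """What a DLP that pattern-matches bytes on the wire would report."""
    return CARD_RE.search(payload) is not None


def dlp_sees_card_after_inflate(payload: bytes) -> bool:
    """What the same DLP reports once it inflates the frame first."""
    return dlp_sees_card(inflate(payload))


if __name__ == "__main__":
    for ip, ts, target in find_loggereio_handshakes(SAMPLE_LOG):
        print(f"LoggerEIO handshake from {ip} at {ts}: {target}")
    wire = deflate(PLAINTEXT_FORM)
    print("DLP regex on plaintext:", dlp_sees_card(PLAINTEXT_FORM))
    print("DLP regex on deflated bytes:", dlp_sees_card(wire))
    print("DLP regex after inflating:", dlp_sees_card_after_inflate(wire))
```

EIO=4 and transport=websocket are ordinary Engine.IO parameters that plenty of legitimate sites send, so the /logger/ prefix is the part of the check doing the work; tune it to whatever your own telemetry shows. A DLP product that inspects only HTTP request bodies will not see WebSocket frames at all, and one that does inspect frames still has to inflate them before its patterns can fire.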

Next week, I'm speaking at #Saintcon about #phishing, #smishing, #quishing (all the -ishings) and propose a broad-based possible solution that could end this problem forever. Nothing big.

If you're going to be there, you can find me in Track 2 at 2:30pm, or most of the rest of the time at the @SAINTCON @malwarevillage Community, where we will be hosting two of our contests (MARC I and BOMBE) and encouraging people to consider the field of malware analysis and threat research as a career.

We also will have minibadges, both at #MalwareVillage and at the #Netcraft booth. If you're a #minibadge fan/collector, you aren't going to want to miss out on the Netcraft minibadge, which is awesome. Just drop by the booth to get a kit to build one. Tell them Spike sent ya.

Until then, stay safe, and please tell everyone you know: don't click links to tax refunds or toll-road fees that arrive on your phone.

/END
