Smishing Triad campaign observed via SMS phishing with a typical toll-payment-themed lure.
Smishing URL: illinois.gov-xiv[.]cc/diot/
Domain Name: gov-xiv.cc
Registrar WHOIS Server: grs-whois.aliyun.com
Registrar URL: alibabacloud[.]com
Updated Date: 2026-01-15T12:52:19Z
Creation Date: 2026-01-15T12:52:19Z
Registrar Registration Expiration Date: 2027-01-15T12:52:19Z
Registrar: Dominet (HK) Limited
Registrar IANA ID: 3775
Registrant State/Province: MA
Registrant Country: US
https://urlscan.io/result/019bc36c-44b6-72a6-8b52-af8935ec1893/#summary
The urlscan.io submission must be made with a mobile user-agent string for the actual phishing page to be returned. In this instance, the page presents an IDOT-themed notice of an outstanding toll payment of $6.99. The phishing flow ends with payment card theft.
Examining HTTP image requests, the page illinois.gov-xiv[.]cc/diot/ requests BHcjXi3x.gif, which appears to be unique to this actor. Based on urlscan.io analysis of the resource hash 7515437df23c4af47700948c1650f0f9460da07e86a9447d33cfda1f36c91052, the threat group appears to reuse BHcjXi3x.gif across its phishing campaigns. Subdomain/SLD naming patterns cover not only US/Canada toll payments but also US state comptroller refund status updates, USPS failed delivery notifications, and UK government fuel payment notifications. The majority of domains are hosted in the US via AS132203 (TENCENT-NET-AP-CN, Tencent Building, Kejizhongyi Avenue, CN).
illinois.gov-xiv[.]cc/diot/static/BHcjXi3x.gif
Requested by:
Host: illinois.gov-xiv.cc
URL: illinois.gov-xiv[.]cc/diot/
Main IP: 43.153.98.107
Resource Hash: 7515437df23c4af47700948c1650f0f9460da07e86a9447d33cfda1f36c91052
Location: Santa Clara, United States
Owner: TENCENT-NET-AP-CN Tencent Building, Kejizhongyi Avenue, CN.
TLS certificate: issued by R13 on January 15th, 2026
Valid for: 3 months
Regular expression pattern to identify Smishing Triad domains (hostname plus optional first path segment):
.+\.((gov|mobile)-?[a-z]{2,}|pay.+|re(f|v)[a-z]{2,}|revenue-.+|t(e|a)?x.+|mdot-.+|.+safedriving((gov)?.+)?|com-(pay)?.+|(.+-)?gov-?[a-z]{2,}|dmv.+|uk-.+|gui-.+|packages-.+)\.(cc|city|men|bid|mom|icu|digital|vip|shop|life|xyz|cfd|cyou|xin|top|help|bond|win|info|my|works?|live|loan|wang|fyi|pro|date|email)(\/(rmv|diot|pay|mvc|us|tax|notice|refund|uk|portal))?
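An added example, not part of the original writeup, that applies the regex above unchanged as a Python detection check over constructed proxy-log lines; the log lines and the normalization step (un-defanging, scheme removal, lower-casing) are my assumptions. Alternatives such as pay.+ are broad, so hits are candidates for analyst review rather than verdicts.

```python
import re

# Pattern from the writeup, used unchanged. It expects the scheme to be stripped already.
SMISHING_TRIAD_RE = re.compile(
    r".+\.((gov|mobile)-?[a-z]{2,}|pay.+|re(f|v)[a-z]{2,}|revenue-.+|t(e|a)?x.+|mdot-.+"
    r"|.+safedriving((gov)?.+)?|com-(pay)?.+|(.+-)?gov-?[a-z]{2,}|dmv.+|uk-.+|gui-.+|packages-.+)"
    r"\.(cc|city|men|bid|mom|icu|digital|vip|shop|life|xyz|cfd|cyou|xin|top|help|bond|win|info"
    r"|my|works?|live|loan|wang|fyi|pro|date|email)"
    r"(\/(rmv|diot|pay|mvc|us|tax|notice|refund|uk|portal))?"
)


def normalize(url: str) -> str:
    """Undo defanging ("[.]" -> ".", "hxxp" -> "http"), drop the scheme and lower-case,
    so the pattern sees the same host/path form the writeup lists (my assumption)."""
    url = url.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    return re.sub(r"^[a-z]+://", "", url)


def is_smishing_triad_candidate(url: str) -> bool:
    """True when the normalized URL begins with a host/path the pattern describes.
    re.match anchors at the start only, so trailing path or query is tolerated."""
    return SMISHING_TRIAD_RE.match(normalize(url)) is not None


# Constructed sample log lines (not from the writeup): the first carries the reported
# smishing URL, the others are benign lookalikes that must not fire.
SAMPLE_LOG = """\
2026-01-16T09:14:02Z 10.0.0.21 GET illinois.gov-xiv[.]cc/diot/
2026-01-16T09:14:40Z 10.0.0.21 GET https://www.illinois.gov/
2026-01-16T09:15:11Z 10.0.0.33 GET https://www.example.com/toll
"""


def flag_log_lines(log: str) -> list[str]:
    """Return the normalized URL (last whitespace-separated field) of every log line
    the pattern matches, in log order."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if parts and is_smishing_triad_candidate(parts[-1]):
            hits.append(normalize(parts[-1]))
    return hits


if __name__ == "__main__":
    for hit in flag_log_lines(SAMPLE_LOG):
        print("candidate Smishing Triad host:", hit)
```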
Google brought claims under the Racketeer Influenced and Corrupt Organizations (RICO) Act, the Lanham Act, and the Computer Fraud and Abuse Act (CFAA), and is seeking to dismantle Smishing Triad and the Lighthouse platform.
https://www.cnbc.com/2025/11/12/google-e-zpass-usps-text-scam-phishing-suit.html
https://www.resecurity.com/blog/article/smishing-triad-targeted-usps-and-us-citizens-for-data-theft