DMV-Themed Phishing Campaign Targeting U.S. Citizens
June 23, 2025, 11:15 p.m.
Description
A sophisticated phishing campaign impersonating U.S. state Departments of Motor Vehicles emerged in May 2025, using SMS phishing and deceptive websites to harvest personal and financial data. Victims received messages about unpaid toll violations, directing them to fake DMV sites requesting extensive information. Technical analysis revealed shared infrastructure, consistent domain naming, and indicators of a China-based threat actor. The campaign used spoofed SMS numbers, often from the Philippines, and email addresses from obscure domains. Phishing websites followed a pattern using state IDs and specific TLDs. Infrastructure analysis showed connections to known malicious IP addresses and Chinese DNS providers. The campaign's widespread impact prompted alerts from multiple states and federal authorities.
Date
- Created: June 20, 2025, 7:26 p.m.
- Published: June 20, 2025, 7:26 p.m.
- Modified: June 23, 2025, 11:15 p.m.
Indicators
Additional Information
- Government
- United States of America