In our previous blog post (Part One), we shone a spotlight on the rising wave of SMiShing campaigns leveraging suspicious top-level domains (TLDs) such as .xin, .top, and .win. We discussed how cybercriminals masquerade as toll providers or delivery services, luring victims with alarming messages that link to malicious websites. At ThreatSTOP, we have been monitoring these malicious campaigns and the actors behind them for some time, recognizing a broader eCrime group known as “Smishing Triad.”

Newly published reports from Silent Push and our friends at Cisco Talos confirm and expand upon many of our own observations, including the group’s massive infrastructure and sophisticated phishing kits. The recent findings underscore the global footprint of Smishing Triad’s smishing tactics, targeting everything from postal services and tolls to major financial institutions, while also revealing a new range of advanced features in their phishing kits.

 

 

The Growing Reach of Smishing Triad

We’ve long known that the group referred to as Smishing Triad has been operating on a massive scale, rotating thousands of malicious domains and spoofing major brands worldwide. Silent Push’s latest research amplifies this point:

121+ Countries: Smishing Triad systematically targets postal, logistics, financial, and government organizations, using SMS messages that appear urgently legitimate.

Tens of Thousands of Domains: The group’s malicious domains are constantly refreshed, mirroring well-known toll authorities or mail services (e.g., “E-ZPass,” “USPS,” “FedEx”) and tricking recipients into revealing personal and financial details.

Likewise, Cisco Talos zeroed in on U.S.-based toll road scams. The threat actors send “unpaid toll” alerts, often using .xin or .top after what looks like a legitimate .com domain. While the Talos research focuses on toll road scams in states like Washington, Florida, and Texas, it resonates with the extensive domain rotation and brand impersonation that we at ThreatSTOP have been tracking for quite some time.

Shifting to New TLDs

We’ve also observed Smishing Triad pivoting to additional TLDs such as .world, .sbs, .win, .cfd, .tools, .work, .info, and .fit to keep their campaigns fresh and evade basic filtering. ThreatSTOP actively tracks these shifts, and we are currently shipping these newly identified malicious domains in our “TS Originated – Phishing – Domains” Target. This ensures that customers using ThreatSTOP Protective DNS are automatically blocking connections to these emerging threats.

 

 

The “Lighthouse” Phishing Kit

We’ve previously noted how threat actors continually refine their phishing toolkits. Both Silent Push and Talos highlight a kit called “Lighthouse,” developed by a seller known as “Wang Duo Yu.” Our ThreatSTOP team has also examined variations of these smishing kits, which include:

Mobile-Optimized Webpages: Fake sites for payment, account verification, and personal data harvest.

Real-Time Sync: Credentials and payment info are captured in real time, sent directly to the malicious backend.

Multi-Factor Mimicry: Phishing pages that imitate one-time passcodes (OTP) and 2FA procedures, even prompting victims to scan QR codes.

Lighthouse’s modular design—reported by Silent Push and confirmed by our own threat intelligence—lets affiliates target nearly any service or industry with minimal technical skill. This means the group can quickly spin up new phishing templates for tolls, postal services, or banks.

 

 

ThreatSTOP’s Proactive Protection

As we noted in Part One of our blog series, these attacks rely on you (or your users) clicking on the wrong link at the wrong time. But having robust, proactive protection in place can break the chain:

1. Protective DNS

DNS Defense Cloud: ThreatSTOP routes DNS queries through our cloud-based service, proactively blocking attempts to access malicious sites, no matter the TLD or how realistic the domain appears.

DNS Defense: Integrates our continuously updated intelligence directly into a customer’s on-premises DNS servers, preventing connections to high-risk domains before they can cause harm.

 

2. IP Defense

Real-Time IP Blocklists: Manage IP-based blocking on firewalls, routers, IPS, AWS WAF, and more. ThreatSTOP’s Security, Intelligence, and Research Team regularly updates these lists with indicators for malicious command-and-control (C2), data exfiltration endpoints, and known phishing domains, including those operated by Smishing Triad.

Our team has been watching these malicious domains and related infrastructure evolve for quite a while. The second we confirm new indicators, our solutions can proactively disrupt malicious traffic. By the time Smishing Triad tries to push a new wave of phishing kits, our Protective DNS and IP Defense data sources are already primed to keep your network safe.

 

For those interested in joining the ThreatSTOP family, or to learn more about our proactive protections for all environments, we invite you to visit our product page. Discover how our solutions can make a significant difference in your digital security landscape. We have pricing for all sizes of customers! Get started with a Demo today!

 

Connect with Customers, Disconnect from Risks

 

 

MITRE ATT&CK Matrix

Tactic

Technique

Description

Application to Smishing Triad

Reconnaissance

T1592.001 - Gather Victim Org Info

Attackers gather phone numbers, region-specific data, or brand details to create convincing smishing messages.

Smishing Triad uses local toll branding and phone number lists to appear credible in targeted regions.

Resource Development

T1587.001 - Develop Capabilities

Building or acquiring tools/infrastructure needed for attacks.

The “Lighthouse” kit is developed and sold, enabling affiliates to conduct large-scale smishing easily.

Initial Access

T1566.001 - Spearphishing via SMS

Sending deceptive text messages to trick victims into clicking malicious links.

Victims receive toll or package SMS alerts with carefully disguised domains (.xin, .top, etc.).

Credential Access

T1110.003 - Credential Stuffing

Harvesting or stealing credentials for later fraud or account takeover.

Payment details, PIN codes, and credentials are collected via malicious payment forms.

Command and Control

T1071.001 - Web Protocols

Using common web protocols for malicious traffic.

The phishing kit transmits stolen user data over standard web protocols, blending in with normal traffic.

Exfiltration

T1041 - Exfiltration Over C2 Channel

Stealing sensitive information by sending it to attacker-controlled servers.

Data is quickly uploaded to Smishing Triad’s infrastructure, allowing them to monetize stolen information.

Impact (Fraud/Financial Theft)

T1498 - Network Denial of Service

While not specifically DDoS, these campaigns cause financial and reputational harm.

Victims face financial losses and toll agencies suffer brand damage due to impersonation.

By mapping these malicious activities to the MITRE ATT&CK framework, organizations gain clearer insight into how Smishing Triad operates, and how to implement the right proactive measures to stop them.

 

IOCs observed today:

iowatollq[.]top
com-tollbilltew[.]world
angkorgttollc[.]biz
paytolloj[.]world
angkorgttollc[.]xyz
com-tollbillkf[.]top
com-tollbilltep[.]world
com-tollbillteu[.]world
com-tollbilltei[.]world
com-tollbillter[.]world
iowatollb[.]top
iowatollf[.]top
iowatolld[.]top
iowatoll[.]top
com-tollbilltax[.]world
com-tollbilltaw[.]world
com-tollbilltar[.]world
com-tollbilloa[.]world
com-tollbilltaf[.]world
com-tollbillisg[.]world
com-tollbilltak[.]world
com-tollbillisw[.]world
com-tollbillise[.]world
iowaeah[.]top
iowasrv[.]top
iowatollb[.]top
iowatollf[.]top
iowatolld[.]top
iowatoll[.]top
iowavyh[.]top
iowagvt[.]top
iowagyu[.]top
iowasgmw[.]top
iowaesp[.]top
iowavtwy[.]top
iowadie[.]top
iowasji[.]top
iowawko[.]top
iowatollq[.]top
iowadup[.]top
iowaois[.]top
iowaewt[.]top
iowavtr[.]top
iowaudh[.]top
iowacta[.]top
iowaywg[.]top
iowavch[.]top
iowacyu[.]top