ThreatSTOP Blog

Toll Scams Are What's Happen.xin Right Now

Written by Francis Turner | April 1, 2025

Have you ever received an odd text message on your phone, purporting to be from a toll provider or package delivery service? If you have a U.S. cell phone, chances are you’ve encountered one of these SMiShing attempts—cybercriminals’ latest ploy to trick you into giving up your personal and financial details. SMiShing (a portmanteau of SMS and phishing) relies on victims clicking deceptive links that appear legitimate but actually lead to malicious websites.

In one recently observed scam, users received text messages about unpaid toll fees with a link that seemed to be connected to a well-known site, such as e-zpass.com. Closer inspection, however, revealed that the URL actually belonged to something like e-zpass.com-emzwsefybawjadl[.]xin: a completely different top-level domain (.xin) rather than the expected .com. The .xin TLD was initially introduced as a “trust-centric” top-level domain, but in practice many .xin domains are being used for criminal activity. ThreatSTOP found more than 7,000 suspicious .xin domains designed to mimic toll service providers such as E-ZPass and FasTrak, among others, amongst the 43,000+ domains active in the TLD.

You may not have heard of .xin until recently. According to the ICANN wiki:

"The intention of Elegant Leader Limited (“Elegant”) in filing this gTLD application is to establish a trusted and reliable namespace in China and in the world. This offers an opportunity for large companies, SMEs, and individuals that are willing to demonstrate themselves as a trusted and reliable entity on the Internet. To fulfill this mission, Elegant expects to align with top-notch registry operator, Afilias Ltd., experienced ICANN accredited registrar, HiChina Zhicheng Technology Ltd., relevant verification and validation agents, and other reputable 3rd-party service providers and neutral associations, to join forces and to build a trust-centric .XIN gTLD.

Unlike existing TLDs which may have legacy rules that make some of the registrants' data unverified, .XIN aims to verify and validate registrant information at the very beginning of the launch of the TLD, and will do so on an on-going basis. By doing so, .XIN gTLD can strengthen the Internet marketplace in China and in the world with elevated level of trust and reliability for both registrants and users."

But .xin is far from the only culprit. These malicious campaigns also exploit TLDs such as .top, .vip, .win, .cc, and others, often impersonating known brands and entities like USPS, FedEx, or local transportation authorities (e.g., fedex.com-gsjb[.]xin, usps-verification[.]xin, usps.com.tools-packagmur[.]xin, or mndot-etzwau[.]xin).

How SMiShing Tricks You

  1. Deceptive Sender: Attackers pose as official entities, such as toll agencies or delivery services.
  2. Fake Links: Cybercriminals craft URLs that look similar to legitimate web addresses. They insert extra segments—something.com-somethingelse.tld—so the address appears to be a familiar .com site when it is actually a completely different domain: the real top-level domain is whatever comes last, and everything before it is just a label the attacker chose. In fact, the best advice - one that would have saved Troy Hunt of "HaveIBeenPwned" from being pwned - is to never visit the link in the SMS or email. Go to the website manually and then find the page where you need to transact whatever business you are supposed to transact.
  3. Urgency: The message typically uses alarming or urgent language—claims of missed toll fees, missed package deliveries, or even account breaches—to prompt a quick response.
  4. Credential Harvesting: Unwary users who click the link and proceed to enter personal information or credit card data end up handing this valuable information directly to criminals.

Proactive Ways to Stay Protected

The best defense against SMiShing is caution:

  • Examine the Link: If you see a suspicious domain like .xin, .top, or .win after what appears to be a trusted name, it’s a red flag.
  • Go Direct: Never click on a link in an unsolicited message. Instead, manually visit the legitimate company’s official site.
  • Enable Protective DNS: If you accidentally click a malicious link while tired, in a hurry, or simply unaware, having proactive DNS protection can stop you from reaching harmful domains.
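To make the "something.com-somethingelse.tld" trick and the "Examine the Link" advice concrete, here is an added Python example (not ThreatSTOP's code and not part of the original post). It pulls URLs out of sample SMS bodies, splits each host into its real registrable domain and TLD, flags the three tells described above (a brand name sitting outside the registrable domain, ".com" embedded mid-host, and a TLD on the abuse watchlist), and then emits the kind of RPZ records a protective DNS resolver would apply to block the flagged domains before a phone can resolve them. The brand-to-domain table, the TLD watchlist, the sample messages and the naive last-two-labels domain split are all assumptions made for this example; the only domains it reuses are the ones quoted in the post.

```python
import re
from urllib.parse import urlsplit

# Brands the post says are impersonated, mapped to the legitimate registrable
# domain each one really uses (constructed table; extend it for your users).
KNOWN_BRANDS = {"e-zpass": "e-zpass.com", "usps": "usps.com", "fedex": "fedex.com"}

# TLDs the post reports as heavily abused by this campaign (assumed watchlist).
WATCHLIST_TLDS = {"xin", "top", "vip", "win", "cc"}

# Matches scheme-less or http(s) URLs as they appear inside SMS text.
URL_RE = re.compile(
    r"(?i)\b(?:https?://)?(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,63}\b(?:/[^\s]*)?"
)


def extract_host(url: str) -> str:
    """Lowercased hostname of a URL; defanged '[.]' is re-fanged first."""
    url = url.replace("[.]", ".")
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels.

    Fine for the single-label TLDs in this example. A production check should
    use the Public Suffix List (assumption: e.g. the tldextract package) so that
    hosts under suffixes like co.uk are split correctly.
    """
    return ".".join(host.split(".")[-2:])


def assess_host(host: str) -> dict:
    """Score one hostname against the three tells the post describes."""
    reg = registrable_domain(host)
    tld = host.rsplit(".", 1)[-1]
    reasons = []
    # 1. A known brand appears in the host, but the part the registrar actually
    #    handed out is not that brand's real domain (substring match: heuristic).
    for brand, legit in KNOWN_BRANDS.items():
        if brand in host and reg != legit:
            reasons.append(f"brand '{brand}' in host but registrable domain is {reg}, not {legit}")
    # 2. '.com' sits mid-host (brand.com-xyz.tld, brand.com.xyz.tld), so the eye
    #    reads a .com site while the real TLD is at the very end.
    if re.search(r"\.com[-.]", host) and not host.endswith(".com"):
        reasons.append("'.com' appears inside the hostname rather than as its TLD")
    # 3. The real TLD is one the campaign is known to abuse.
    if tld in WATCHLIST_TLDS:
        reasons.append(f"TLD .{tld} is on the abuse watchlist")
    return {"host": host, "registrable": reg, "tld": tld,
            "reasons": reasons, "suspicious": bool(reasons)}


def scan_message(text: str) -> list:
    """Find every URL in an SMS body and assess its host."""
    results = []
    for m in URL_RE.finditer(text):
        host = extract_host(m.group(0).rstrip(".,;:!?)"))
        if host:
            results.append(assess_host(host))
    return results


def rpz_records(assessments: list) -> list:
    """BIND-style RPZ records ('CNAME .' = answer NXDOMAIN) for each suspicious
    registrable domain and everything beneath it."""
    records, seen = [], set()
    for a in assessments:
        if a["suspicious"] and a["registrable"] not in seen:
            seen.add(a["registrable"])
            records.append(f"{a['registrable']} CNAME .")
            records.append(f"*.{a['registrable']} CNAME .")
    return records


# Constructed sample lures modelled on the domains quoted in the post.
SAMPLE_MESSAGES = [
    "Final notice: your E-ZPass toll balance is overdue. Pay now at "
    "https://e-zpass.com-emzwsefybawjadl.xin/pay to avoid a $50 late fee.",
    "USPS: your package could not be delivered. Update your address at "
    "http://usps.com.tools-packagmur.xin/track",
    "Your monthly statement is ready: https://www.e-zpass.com/account",
]

if __name__ == "__main__":
    findings = [r for msg in SAMPLE_MESSAGES for r in scan_message(msg)]
    for f in findings:
        print(f"{f['host']:45} {'SUSPICIOUS' if f['suspicious'] else 'ok'}")
        for reason in f["reasons"]:
            print(f"    - {reason}")
    print("\nRPZ zone fragment:\n" + "\n".join(rpz_records(findings)))
```

Run as a script it prints a verdict and the reasons for each URL found in the sample messages, then the RPZ fragment. Note that the first lure ends up blocked under com-emzwsefybawjadl.xin, which is the domain the attacker really registered; the "e-zpass" label in front of it is decoration, and that is exactly why reading a link from right to left (TLD first) is the habit worth teaching.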

ThreatSTOP’s Proactive Protections

ThreatSTOP’s solutions are designed to help organizations and individuals connect with customers, disconnect from risks. Our ThreatSTOP Security, Intelligence, and Research team continuously creates threat protections for command and control, invalid traffic, peer-to-peer communication, data exfiltration, phishing, spam, Distributed Denial of Service (DDoS), and more.

Protective DNS

• Cloud: Experience continuous, cloud-based DNS protection without the hassle of deploying or managing your own DNS infrastructure. By redirecting your DNS queries through our intelligence-backed servers, you gain proactive blocking of known malicious domains—like those found in SMiShing attempts—before they can cause any damage.

• On-Prem: For those running their own DNS infrastructure on-premises, ThreatSTOP’s DNS Defense seamlessly integrates with your existing DNS servers. Our threat intelligence feed ensures your network proactively blocks suspicious domains, helping stop SMiShing attacks in their tracks.

Whether it’s a phishing domain from a lesser-known gTLD or a bulletproof hosting service hidden in plain sight, ThreatSTOP’s integrated platform helps keep your environment safe from evolving threats.

Take the Next Step to Strengthen Your Security

For those interested in joining the ThreatSTOP family, or to learn more about our proactive protections for all environments, we invite you to visit our product page. Discover how our solutions can make a significant difference in your digital security landscape. We have pricing for all sizes of customers! Get started with a Demo today!

Connect with Customers, Disconnect from Risks

Tactic                     | Technique                                                        | ID
Initial Access (TA0001)    | SMiShing (Spearphishing via Service)                             | T1566.003
Credential Access (TA0006) | Exploit User Submission (harvesting credentials via fake forms)  | Varies*

*While there isn’t a single MITRE technique ID that covers “user submission of credentials via fake web forms,” this tactic typically involves social engineering under Phishing (T1566) and can potentially lead to other credential-harvesting methods once the user's information has been obtained.

By understanding these techniques and employing proactive protections, organizations and individuals can better defend themselves against SMiShing threats and their evolving tactics.