Taxpayers, Drivers Targeted in Refund and Road Toll Smishing Scams

By Andrew Brandt | October 16, 2025

A flood of websites purport to give US residents (among others) information about possible tax refunds as an IRS tax extension deadline looms.

A threat actor group deployed at least 850 newly-registered domain names in September and early October to target people living in the US and elsewhere with phishing links that use tax refunds or road toll charges as a lure. 

Figure 1. A website designed for mobile browsers that appears to be run by the New York Department of Taxation and Finance (NYDTF).

The websites hosted on many of these domain names purport to provide the recipients with information about claiming back money from a government agency that is, unusually, not the Internal Revenue Service, the US federal government's income tax agency.  

Nearly all of the websites appear to be engineered to display in mobile browsers, from which one can reasonably infer that visitors typically arrive at the pages as a result of smishing attacks targeting the messaging apps on their mobile phones. The phishing pages did not load unless the User-Agent string sent to the phishing site as part of the request was one from a mobile browser.

Figure 2. A website that purports to be the finance agency for the state of Texas.

For US taxpayers who file an extension to pay their taxes, normally due on April 15 each year, October 15 is the deadline to complete that process, which might explain the curious autumn timing for US tax-themed phishing attacks.   

When is a refund a phish? 

Figure 3. One of the sites with the logos from the US state of Massachusetts 

Visitors to any of the sites are presented with pages that direct the target to enter personal financial information into a form. The requested information varies from site to site, but typically includes the target's name, home address, telephone number and email address, as well as payment card details. 

The attackers employ a ruse in which the explanation for the request for information is that it is needed to process a refund, or reimbursement, of taxes ostensibly overpaid by the target. The page goes on to require a small charge to process on the target's payment card as "a test payment to verify your card."  

Figure 4. The ruse is that you are owed money, but need to permit a small charge to process on your credit or debit card in order to receive the promised refund. 

The phishing pages closely match the design and appearance of the impersonated government agencies' websites. 

Figure 5. A website that claims to be hosted by the city of Philadelphia uses the term "Florida Dept. of Revenue" in its title field. 

One aspect that sets the campaign apart is how much effort the threat actors have undertaken to customize the pages to specific locations they target. Surprisingly, they managed a nearly perfect track record of correctly naming each of the state or local government tax authorities referenced on the different pages.  

But they don't necessarily have a strong grasp of geography: The threat actor behind this campaign seems not to know that Philadelphia is roughly 900 miles north of the closest northern border of Florida, but crafted a page designed to look like the city of Philadelphia's website that had "Florida Dept. of Revenue" in the <title> tag of the page, so that text appears in the browser tab. 

Figure 7. A selection of websites that use the same lure, but branding that varies depending on the state the target resides in.

Many of the pages target residents of specific US states by mimicking the logos, branding, and names of state tax authorities. In fact, in some cases the logos are pulled into the imitation webpages from the official government websites themselves, such as in this case where the UK government's banner logo was used in a phishing page.

Figure 6. A network capture of a phish page reveals that the UK government's own logo was pulled from their website (gov.uk) into the fraudulent website (highlighted in blue) by the phishing page's cascading style sheet. 

Netcraft observed sites imitating agencies from Alabama, California, Connecticut, Delaware, Florida, Maryland, Massachusetts, Michigan, Minnesota, Montana, New Jersey, New York, Ohio, Texas, Tennessee, Washington, and Wisconsin.  

Figure 8. An example of a road toll page that presents itself as originating with the city of Los Angeles Department of Transportation (LADOT). 

In addition, some of the pages leverage the branding of local or regional government from specific cities or regions of the US, such as the cities of Los Angeles, Philadelphia, Seattle, and Columbus, Ohio, as well as Harris County, Texas (where Houston is located).  

Figure 9. A phishing site that claims it is from the Canadian province of Ontario's vehicle and driver's licensing agency, ServiceOntario. 

Outside the US, some of the scam websites target Canadian, British, German, and Spanish residents and visitors.

Figure 10. A phishing page purporting to be from the UK government, asking the visitor to provide payment card data in an application for a winter fuel subsidy. 

The websites targeting residents of the UK, for instance, ask targets to provide payment information so they can receive (what the scammers claim is) a subsidy of up to £300 to help offset winter fuel costs, cloning some language from a real program designed to help families.

Figure 11. It is unclear why threat actors think the website for Germany's federal tax authority, the Bundeszentralamt für Steuern (or BZSt), would prominently feature a photo of a US IRS 1040 tax return form on a page that purports to offer Rückerstattungsdienste (refund services). 

Some of the websites mimic the appearance of the Bundeszentralamt für Steuern (or BZSt), Germany's federal tax authority, or the Dirección General del Tráfico (DGT), Spain's highway agency.  

Figure 12. One of the websites in the campaign appears to mimic Spain's national highway agency, with a note that tells the visitor "you have fewer than 24 hours to pay the [100 Euro] fine." 

Amusingly, the scammers use the same cropped image of a US federal tax form in the tax-scam websites targeting residents of the US states of Alabama, Minnesota, Tennessee, and also the country of Germany, whose tax authority does not typically use the IRS form 1040 shown in the image. 

Figure 13. A collage of screenshots from different websites, hosted on different URLs, that use the names and logos of different US states featuring the same text and image of a US IRS tax form, including a website with the same text inexplicably translated into German and bearing the logo of Germany's tax agency, the BZSt.

WebSocket protocol used to exfiltrate  

An examination of the phishing site revealed that the attackers use a protocol called WebSocket to exfiltrate the data victims submit to the website. 

In sites where we studied the phishing technique, the phishing pages typically have two forms they ask targets to fill out. The first is a request for personal information: The target's name, street address, email address, and mobile phone number. When someone clicks the "Continue" button on that page, the browser initiates a WebSocket connection with the site, then transmits the data in a compressed format.

Figure 14. The page initiates a WebSocket connection whenever the victim enters data into the form submitted to the phishing site. 

The threat actor may not be using WebSocket out of kindness, to be mindful of the bandwidth they consume. The compression in a WebSocket connection obfuscates the content of the data being sent back to the phishing site, which may prevent some DLP tools from being able to identify sensitive information leaving the computer. 

The WebSocket connection for the sites that are part of this campaign always uses the same URI path of /logger/?EIO=4&transport=websocket in the GET request that opens it. Netcraft has named this threat actor Logger EIO after this distinctive and consistent request string.
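As an added illustration (not Netcraft's tooling), the following Python flags that handshake in web or proxy logs; the log format and sample lines are constructed. The EIO=4&transport=websocket query is the standard Engine.IO (Socket.IO) handshake, so the non-default /logger/ path is the part worth matching on, and the mobile User-Agent check reflects the gating described earlier.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines in a simple "METHOD URL | Upgrade: <hdr> | UA: <agent>" format.
SAMPLE_LOG = """\
GET https://refund-page.example/logger/?EIO=4&transport=websocket | Upgrade: websocket | UA: Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Mobile/15E148 Safari/604.1
GET https://refund-page.example/ | Upgrade: - | UA: Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Mobile/15E148 Safari/604.1
GET https://chat.example/socket.io/?EIO=4&transport=websocket | Upgrade: websocket | UA: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/118.0
GET https://toll-page.example/logger/?EIO=4&transport=polling | Upgrade: - | UA: Mozilla/5.0 (Linux; Android 14) Mobile Safari/537.36
"""

LINE_RE = re.compile(r"^(?P<method>\S+) (?P<url>\S+) \| Upgrade: (?P<upgrade>\S+) \| UA: (?P<ua>.*)$")
MOBILE_UA_RE = re.compile(r"Android|iPhone|iPad|Mobile")


def parse_line(line):
    """Split one log line into method, host, path, parsed query, Upgrade header and UA."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["url"])
    return {"method": m["method"], "host": parts.hostname, "path": parts.path,
            "query": parse_qs(parts.query), "upgrade": m["upgrade"].lower(), "ua": m["ua"]}


def is_logger_eio(req):
    """True for the campaign's handshake: a WebSocket upgrade on the fixed /logger/ path.

    EIO=4&transport=websocket is the generic Engine.IO (Socket.IO) handshake query,
    so the non-default path is what makes this request distinctive.
    """
    return (req is not None
            and req["path"] == "/logger/"
            and req["query"].get("EIO") == ["4"]
            and req["query"].get("transport") == ["websocket"]
            and req["upgrade"] == "websocket")


def scan(log_text):
    """Return (host, mobile_ua) for every request matching the Logger EIO handshake."""
    hits = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if is_logger_eio(req):
            hits.append((req["host"], bool(MOBILE_UA_RE.search(req["ua"]))))
    return hits


if __name__ == "__main__":
    for host, mobile in scan(SAMPLE_LOG):
        print(f"Logger EIO handshake to {host} (mobile User-Agent: {mobile})")
```

Only the first sample line matches: the second is a plain page load, the third is a legitimate Socket.IO handshake on the default /socket.io/ path, and the fourth uses the polling transport without an upgrade.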

Tax scammers also targeting drivers 

Drilling into the hosts where the fake tax refund sites were hosted revealed a parallel attack leveraging overdue toll road fees as a lure, mimicking the appearance of road toll collection websites operating on behalf of state or local governments around the US, and in some cases, from countries around the world. Smishing campaigns using this topic as a lure have been observed since the beginning of 2025.

Figure 15. One of the phishing pages purports to originate from SunPass, a toll authority that collects fees on behalf of 22 US states. 

In addition to specific state-operated toll road systems, the attacks also replicate the appearance of large, multi-state electronic toll pass systems, such as the E-Z Pass toll system that spans 20 US states, mostly in the northeast, and the SunPass road toll system that 22 southeastern US states participate in.  

Figure 16. A fake website that appears to be the city of Seattle, Washington charging you $6.99 for road travel. 

Most of the bogus toll pass sites claim that the recipient owes the authority a toll payment in the oddly specific amounts of either $6.69 or $6.99. While these are not impossible values for road tolls, these particular amounts feature prominently in road toll smishing messages that have been hounding US mobile phone users all year.

Figure 17. One of the websites appears to target customers of EVRI, a logistics company based in the UK. 

The threat actors also targeted drivers in the Australian state of Victoria, and global customers of the freight and logistics companies DHL (Germany), EVRI (based in the UK), Post.NL (the Netherlands postal service), Swiss Post, and Purolator (based in Canada). The freight company phishing pages use "misdelivered packages" as a lure. 

Figure 18. A phishing site that uses the branding of Canadian shipping company Purolator. 

Netcraft has already worked with partners to shut down the domains associated with these attacks, but mobile phone users should be wary of text messages that purport to originate with state or local government agencies, especially when they claim you owe (or are owed) money. As of the publication of this blog, the Logger EIO attackers continue to register new domains to use in this ongoing campaign. 

Always use a computer, if possible, to visit the government agency website, rather than following a link from a text message. You can also install Netcraft's free mobile app to check whether a web link you receive on your phone is safe to visit. 
