Introduction
A few weeks ago, I started getting messages from friends and family:
“Why is E-ZPass texting me from a UK number?”
“Hey, is this legit?”
“Did I forget to pay a toll?”
At first glance, it was just another run-of-the-mill SMS phishing scam—fake toll payment alerts designed to steal credit card details. But as I started collecting the messages, something caught my eye.
- The scam wasn’t limited to E-ZPass—I saw fake alerts for SunPass, TxTag, Peach Pass, and even generic toll roads.
- Most of the messages came through iMessage, not regular SMS.
- The sender numbers? +44 (UK) and +63 (Philippines) are both known for cheap, disposable SIMs used in fraud campaigns.
Turns out, this wasn’t just a handful of texts—it was part of a massive, ongoing scam affecting thousands of drivers across the U.S.
In fact, the FBI’s Internet Crime Complaint Center (IC3) has received over 2,000 complaints across multiple states about fraudulent toll payment texts. The FTC recently issued a warning about these scams, noting that victims are tricked into entering payment details on fake toll websites. Even the Pennsylvania Turnpike Commission and TxTag have had to put out public alerts warning drivers to be cautious.
That got me curious. How big was this campaign? Where was it being hosted? Could I track it?
So, I did what any researcher would—I fired up Censys and started digging.
Breaking Down the Scam
The structure of these phishing texts was simple but effective. Most messages followed the same formula:
🚨 “Final notice: Your unpaid toll balance is due. Pay now to avoid late fees.” 🚨

Then, of course, there’s a link. Something that looks official, like:
- e-zpass-payment[.]com/i
- sunpass-verification[.]top/us
- vdot-paytoll[.]world/pay
But here’s the thing—none of these were real. They were phishing domains set up to steal payment info.


And the more I looked, the more I realized these weren’t random one-off domains. There was a pattern.
Part of what makes this scam work is the inconsistency in real toll collection domains. Unlike banks or government websites, toll services don’t follow a standardized naming convention, leaving plenty of room for confusion. Some real toll websites use domains like:
- www.e-zpassny.com
- e-zpass.com
- txtag.org
- mypeachpass.com
- getipass.com
There’s no single pattern, which makes it easier for scammers to create convincing fake domains. If you’re in a rush and get a text from something like “ezpass-payment[.]com”, it looks close enough that you might not think twice before clicking.
Patterns in the Attacks
Analysis of the collected messages revealed that:
- Most were targeted based on phone area codes, suggesting that attackers are tailoring SMS phishing attempts to local users.
- The majority arrived via iMessage, though some came through SMS.
- Many messages originated from +44 (UK) and +63 (Philippines) numbers, likely because these are cheap SIMs often used in SMS phishing operations.
Finding the Pattern
I started analyzing the URLs and noticed they all followed a similar structure. So, I built a regular expression (regex) to match them:
.*(e?-?z(pass|drive(ma)?|ride)|(mypeach|sun|geti)pass|(the|pay)toll(road)?|fastrak|txtag|ohioturnpike|vdot|a30express).{2,}(\.(org|com)-.*)?\.(win|xin|xyz|cc|cfd|cyou|top|vip|shop|world|fun|life)$
Then, I took that regex and ran a Censys Platform query to track down domains and IPs serving these phishing sites.
web.hostname=~".*(e?-?zpass|ezdrive|ezride|fastrak|txtag|ohioturnpike|ezdrivema|vdot|(mypeach|sun|geti)pass|a30express|thetollroad|paytoll).{2,}(\\.(org|com)-.*)?\\.(win|xin|top|vip|shop|world|xyz|cc|cfd|cyou|fun|life)$" and web.software.product: "nginx"
The results? 27k matches. This was way bigger than I expected.
Here are just a few examples:
ohioturnpike.org-ticketac.cfd
ezpassva.com-ticketeapu.xin
sunpass.com-etc-ydjg.top
paytollajx.xin
www.vdot.virginia.tollway-va.world
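To show how the regex above behaves on real-looking input, here is an added example (my own code, not from the post or from Censys) that refangs defanged indicators, pulls out the hostname, and runs it through the same pattern, with an allowlist for hosts that match but were verified legitimate. The regex is copied verbatim from the write-up; the indicator list is constructed from the hostnames quoted on this page, and the helper names (refang, hostname_of, classify, triage) are mine.

```python
import re
from urllib.parse import urlsplit

# The hostname regex from the write-up, reproduced as-is. Python's re dialect
# accepts it unchanged; the Censys query strings only double the backslashes.
TOLL_PHISH_RE = re.compile(
    r".*(e?-?z(pass|drive(ma)?|ride)|(mypeach|sun|geti)pass|(the|pay)toll(road)?"
    r"|fastrak|txtag|ohioturnpike|vdot|a30express).{2,}(\.(org|com)-.*)?"
    r"\.(win|xin|xyz|cc|cfd|cyou|top|vip|shop|world|fun|life)$"
)

# Hosts that match the pattern but were confirmed legitimate during the
# investigation (the write-up names one). Exclusions go here rather than
# into the regex, so the pattern itself stays easy to audit.
ALLOWLIST = {"ezriders.xyz"}


def refang(indicator: str) -> str:
    """Undo the usual defanging conventions ([.] for ., hxxp for http)."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def hostname_of(indicator: str) -> str:
    """Return the lowercase hostname of a URL or bare host, '' if unparsable."""
    s = refang(indicator.strip().lower())
    if "://" not in s:
        s = "http://" + s  # urlsplit only fills .hostname when a scheme is present
    return urlsplit(s).hostname or ""


def classify(indicator: str) -> tuple[str, str]:
    """Return (verdict, hostname); verdict is suspect, clean, allowlisted or invalid."""
    host = hostname_of(indicator)
    if not host:
        return ("invalid", host)
    if host in ALLOWLIST:
        return ("allowlisted", host)
    if TOLL_PHISH_RE.match(host):
        return ("suspect", host)
    return ("clean", host)


def triage(indicators: list[str]) -> dict[str, list[str]]:
    """Group a batch of indicators by verdict, hostnames sorted within each group."""
    groups: dict[str, list[str]] = {}
    for ind in indicators:
        verdict, host = classify(ind)
        groups.setdefault(verdict, []).append(host)
    return {k: sorted(v) for k, v in groups.items()}


# Constructed batch: the lure URLs and result hostnames quoted in the post,
# the real toll domains it lists, and the one known false positive.
SAMPLE_INDICATORS = [
    "hxxps://e-zpass-payment[.]com/i",
    "sunpass-verification[.]top/us",
    "vdot-paytoll[.]world/pay",
    "ohioturnpike.org-ticketac.cfd",
    "ezpassva.com-ticketeapu.xin",
    "sunpass.com-etc-ydjg.top",
    "paytollajx.xin",
    "www.vdot.virginia.tollway-va.world",
    "www.e-zpassny.com",
    "txtag.org",
    "getipass.com",
    "ezriders.xyz",
]

if __name__ == "__main__":
    for verdict, hosts in triage(SAMPLE_INDICATORS).items():
        print(f"{verdict:12s} {len(hosts):2d}  {', '.join(hosts)}")
```

One thing the run makes visible: the pattern is keyed to the TLDs seen in the campaign, so the first lure in the post, e-zpass-payment[.]com, comes back as clean. The regex is a hunting query for this infrastructure cluster, not a general lookalike detector, and anything on .com or .org needs a different check (for example, a registration-age or certificate-issuer pivot).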
These weren’t just one-off domains but part of a massive infrastructure designed to steal money from unsuspecting drivers.
Peeling Back the Infrastructure
Once I had a list of phishing domains, the next step was figuring out where they were hosted. To do that, I reformatted my query to search for the underlying web server/host.
host.dns.names=~".*(e?-?zpass|ezdrive|ezride|fastrak|txtag|ohioturnpike|ezdrivema|vdot|(mypeach|sun|geti)pass|a30express|thetollroad|paytoll).{2,}(\\.(org|com)-.*)?\\.(win|xin|top|vip|shop|world|xyz|cc|cfd|cyou|fun|life)$" and host.services.software.product: "nginx"
This returned 450 IPs with these DNS resolutions, each responsible for 40-90 domains apiece.
Web Servers
Turns out that nearly all of them were running nginx, and there was something interesting about the version numbers:
- On March 5th, most servers were using nginx 1.27.3.
- By March 6th, some had been manually updated to nginx 1.27.4.
- A handful were still running nginx 1.26.0.
That suggests the people running this scam aren’t using an automated deployment process. They’re updating their infrastructure manually.
Hosting Locations
Switching up my Censys query to look at IPs, I started mapping out where these sites were hosted.
And here’s where things got even weirder:
- Most domains resolve to servers in the U.S., Singapore, and Japan.
- But, almost all of them were hosted on Chinese ASNs, specifically Tencent and Alibaba Cloud.
So, while the phishing sites seemed geographically spread out, the actual infrastructure was clustered in Chinese hosting providers.
To narrow things down, I filtered out Tencent and Alibaba and was left with 15 unique hosts that stood out.
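The per-IP domain counts, the nginx version drift between scans, and the ASN filter described in the last three sections are all aggregations over a host export. Here is an added example (my code, not the post's and not a Censys SDK) that does those three things over a constructed JSON-lines sample. The field names (ip, asn_name, nginx, scan, dns_names) are hypothetical and chosen for this example, not Censys's schema; the IPs are documentation-range addresses, and only the domain names, ASN names and nginx versions echo what the post reports.

```python
import json
from collections import Counter, defaultdict

# Constructed sample: one line per (host, scan) observation, two scans a day
# apart. Field names are hypothetical; IPs are from documentation ranges.
SAMPLE_EXPORT = """\
{"ip": "203.0.113.10", "asn_name": "Tencent", "nginx": "1.27.3", "scan": "scan-1", "dns_names": ["sunpass.com-etc-ydjg.top", "paytollajx.xin", "ezpassva.com-ticketeapu.xin"]}
{"ip": "203.0.113.10", "asn_name": "Tencent", "nginx": "1.27.4", "scan": "scan-2", "dns_names": ["sunpass.com-etc-ydjg.top", "paytollajx.xin", "ezpassva.com-ticketeapu.xin"]}
{"ip": "198.51.100.7", "asn_name": "Alibaba Cloud", "nginx": "1.26.0", "scan": "scan-1", "dns_names": ["ohioturnpike.org-ticketac.cfd"]}
{"ip": "198.51.100.7", "asn_name": "Alibaba Cloud", "nginx": "1.26.0", "scan": "scan-2", "dns_names": ["ohioturnpike.org-ticketac.cfd", "www.vdot.virginia.tollway-va.world"]}
{"ip": "192.0.2.44", "asn_name": "Google Cloud", "nginx": "1.27.3", "scan": "scan-1", "dns_names": ["ezriders.xyz"]}
"""


def load_records(text: str) -> list[dict]:
    """Parse JSON lines, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def domains_per_ip(records: list[dict]) -> dict[str, int]:
    """Distinct DNS names seen on each IP across all scans."""
    names: dict[str, set[str]] = defaultdict(set)
    for r in records:
        names[r["ip"]].update(r["dns_names"])
    return {ip: len(n) for ip, n in names.items()}


def version_histogram(records: list[dict], scan: str) -> Counter:
    """How many hosts ran each nginx version in a given scan."""
    return Counter(r["nginx"] for r in records if r["scan"] == scan)


def version_changes(records: list[dict]) -> list[tuple[str, str, str]]:
    """Hosts whose nginx version differs between their first and last scan.

    Scattered, per-host bumps like these are what the post reads as manual
    updates; a fleet-wide jump in one scan would point at automation instead.
    """
    by_host: dict[str, dict[str, str]] = defaultdict(dict)
    for r in records:
        by_host[r["ip"]][r["scan"]] = r["nginx"]
    changes = []
    for ip, versions in by_host.items():
        ordered = [versions[s] for s in sorted(versions)]
        if ordered[0] != ordered[-1]:
            changes.append((ip, ordered[0], ordered[-1]))
    return sorted(changes)


def asn_share(records: list[dict]) -> dict[str, int]:
    """Distinct IPs per ASN, to see which providers carry the bulk of the cluster."""
    ips: dict[str, set[str]] = defaultdict(set)
    for r in records:
        ips[r["asn_name"]].add(r["ip"])
    return {asn: len(s) for asn, s in ips.items()}


def stragglers(records: list[dict], bulk_asns: list[str]) -> list[str]:
    """IPs outside the dominant ASNs: the ones worth a manual look."""
    bulk = {a.lower() for a in bulk_asns}
    return sorted({r["ip"] for r in records if r["asn_name"].lower() not in bulk})


RECORDS = load_records(SAMPLE_EXPORT)

if __name__ == "__main__":
    print("domains per IP:", domains_per_ip(RECORDS))
    print("nginx in scan-1:", dict(version_histogram(RECORDS, "scan-1")))
    print("version changes:", version_changes(RECORDS))
    print("IPs per ASN:", asn_share(RECORDS))
    print("stragglers:", stragglers(RECORDS, ["Tencent", "Alibaba Cloud"]))
```

The straggler list is where the false positive in the next section surfaces: the one host outside the bulk ASNs is the same one that turned out to be a legitimate business, which is why that step is a manual review rather than an automatic block.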
Chasing Down the Stragglers
Most of the remaining hosts were clear matches for the phishing pattern.
But one stood out.
It was running on Google Cloud (GCP), and while the domain structure matched the phishing sites, the services running on it were… different.
After some digging, I found out it belonged to a legitimate Canadian bike company.

So, I excluded it from my dataset and refined my query one last time:
(host.dns.names=~".*(e?-?zpass|ezdrive|ezride|fastrak|txtag|ohioturnpike|ezdrivema|vdot|(mypeach|sun|geti)pass|a30express|thetollroad|paytoll).{2,}(\\.(org|com)-.*)?\\.(win|xin|top|vip|shop|world|xyz|cc|cfd|cyou|fun|life)$" and host.services.software.product: "nginx" and not host.dns.names: "ezriders.xyz") or (web.hostname=~".*(e?-?zpass|ezdrive|ezride|fastrak|txtag|ohioturnpike|ezdrivema|vdot|(mypeach|sun|geti)pass|a30express|thetollroad|paytoll).{2,}(\\.(org|com)-.*)?\\.(win|xin|top|vip|shop|world|xyz|cc|cfd|cyou|fun|life)$" and web.software.product: "nginx" and not web.hostname: "ezriders.xyz")
Final Thoughts
What started as a few random texts turned into a full-blown investigation into a massive phishing network.
Here’s what we learned:
- This SMS phishing campaign is way bigger than just E-ZPass. It’s targeting toll systems across multiple states.
- It uses cheap foreign SIM cards to send messages via iMessage and SMS.
- The infrastructure is largely hosted on Tencent and Alibaba Cloud.
- Phishing sites are running nginx, and they’re manually updating versions.
This campaign isn’t going away anytime soon. The attackers are constantly shifting infrastructure, updating their servers, and tweaking their tactics to keep the scam alive.
If you get one of these texts, don’t click the link, don’t enter any personal info, and definitely don’t pay. Instead, report it, delete it, and if you’re tracking these kinds of threats, dig into the infrastructure behind them.
I’ll be keeping an eye on how this campaign evolves, and I expect we’ll see even more creative phishing lures in the future.
Want to Explore the Data Yourself?
With Censys, you can map out these kinds of threats in real time—tracking new domains, identifying hosting patterns, and spotting infrastructure changes as they happen. If you’re curious, check out the Censys Platform and start exploring.
Stay skeptical. Stay aware. And if a text out of nowhere claims you owe money for a toll, it’s probably a scam.