Hello and welcome to the Thursday, February 6th, 2025 edition of the Sands-Itonet Storm Center's

Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Well, today I wrote up some of these toll-smishing attacks. You probably got a few of them yourself over the last year or so the

setup is always the same. You're receiving a smishing message telling you that you're overdue

and paying the tolls, the highway tolls for your car, and it offers you a link to who then

pay the tolls.

Now, the attackers here are pretty good in sort of customizing these messages somewhat.

For example, myself living in Florida,

I am usually receiving messages on my Florida phone number

that refer to Sunpass, the Florida toll system.

The domains being used here often use Sunpass as part of the host name.

So a typical host name would be Sunpass.com, then a dash followed by some random characters.

And that's something that you may be able to use to detect users in your network

that may have fallen for one of these scams.

Take a look if there were any DNS lookups or HTTP requests for anything where the domain

name starts with Com Dash.

We do see about 100 to 500 of these domains being registered daily.

I don't think block lists are that effective because these domains are very ephemeral.

They use them only for a very short time.

But in hindsight, it may help your users if you identify anybody who may have

clicked on one of those links. Very importantly with these links, they usually tell you to reply

to the message with a why. This is in order to make it more difficult for phone companies

...