CTM360 Tracks Global Surge in SMS-Based Reward and Toll Scams
CTM360发现两种短信钓鱼攻击PointyPhish和TollShark,分别利用奖励积分过期和未付 toll 的威胁诱骗用户进入钓鱼网站窃取支付信息,并使用Darcula Suite平台进行全球大规模攻击。 2025-4-17 15:0:32 Author: www.bleepingcomputer.com(查看原文) 阅读量:2 收藏

CTM360 report

CTM360 has observed a notable surge in two SMS-based phishing campaigns: PointyPhish (reward scams) and TollShark (toll payment scams).

PointyPhish is linked to over 3,000 domains and phishing sites, preying on urgency by claiming expiring reward points to trick customers into fraudulent sites that steal payment details

Similarly, TollShark involves over 2,000 domains and phishing sites, exploiting fears of unpaid tolls to capture sensitive information from unsuspecting individuals.

CTM360 detected thousands of these phishing sites across multiple countries, indicating that this isn’t just a localized issue — it’s a coordinated, global effort. The widespread nature of these attacks shows a clear intent to target individuals at scale, with the goal of stealing sensitive financial data.

The impact is far-reaching, affecting not just one region but thousands of customers of various brands worldwide.

At the core of these campaigns is Darcula Suite, a powerful Phishing-as-a-Service (PhaaS) platform. Built on React and Docker, Darcula enables cybercriminals to launch phishing sites in under 10 minutes.

It supports multi-channel SMS delivery (including iMessage and RCS), making the websites harder to detect and easier to scale globally.

Two Different Campaigns, One Common Tactic

  1. PointyPhish – Sends fake SMS alerts about expiring reward points to banking, airline, and retail store customers, leading to phishing pages that steal full credit/debit card details.
  1. TollShark – Poses as road toll authorities, warning of unpaid bills and fines. Victims are directed to fake payment pages that collect personal and financial data.

Both attacks are simple in structure: they begin with SMS distribution, create urgency, impersonate a trusted brand, and lead customers into giving up payment details.

Toll Shark phishing texts

How It Works – Step by Step

Scam stages

CTM360’s threat analysts mapped out the entire attack lifecycle using the CTM360 Scam Navigator and analyzed each step in detail.

  1. SMS distribution:
    Messages create urgency, either a toll is unpaid, or points are about to expire.
  2. Fake landing pages:
    Victims are redirected to phishing sites mimicking real brands.
  3. Engagement & bait:
    Victims are asked to redeem points or pay tolls to avoid penalties.
  4. Data collection:
    Personal data is harvested under the guise of verification.
  5. Payment data theft:
    Victims are tricked into entering card info, which is logged instantly.

Inside Darcula: A Glimpse Into PhaaS

Darcula isn’t just a phishing kit — it’s a full PhaaS platform for scams. While tracking these campaigns, CTM360 uncovered an exposed admin panel used by attackers managing Darcula Suite.

This offers a rare window into how these phishing operations are run:

  • Centralized campaign management: Multiple attacker accounts running parallel campaigns.
  • Live victim logging: IP addresses, device info, user agents, and form data are captured in real-time.
  • Subscription-based access: Attackers operate on a tiered model with account-based controls.
  • SMS configuration tools: Built-in tools to manage target regions and message templates.

Read the full PointyPhish & TollShark Report

For a deeper look into the campaigns. including screenshots, domain samples and insights into how the scams are structured and operate on a global scale, read the full report at https://www.ctm360.com/reports/pointyphish-tollshark.

Sponsored and written by CTM360.


文章来源: https://www.bleepingcomputer.com/news/security/ctm360-tracks-global-surge-in-sms-based-reward-and-toll-scams/
如有侵权请联系:admin#unsafe.sh