Cybersecurity researchers have found almost 30 phishing sites spoofing the electronic toll collection service E-ZPass following an FBI warning last week.

The FBI said in an alert that since early March the Internet Crime Complaint Center (IC3) has received over 2,000 complaints reporting smishing texts impersonating road toll collection services from at least three states. 

Smishing is a social engineering attack using fake text messages to trick people into downloading malware, sharing sensitive information, or sending money. The complaints seen by the FBI indicate “the scam may be moving from state-to-state,” they said. 

The messages use a state toll service name and say the victim has an outstanding balance on their account. To avoid a late fee, the texts say victims need to visit a hacker-controlled website to settle the balance. 

The FBI notice does not say which states are being targeted but Pennsylvania has repeatedly warned its residents of the scams and urged victims to contact the FBI if they clicked on the link erroneously. 

The texts are largely the same for victims in each state aside from the link that it asks people to click on — all of which are designed to “impersonate the state's toll service name,” according to the FBI. The FBI added that the phone numbers appear to change between states.

Researchers from cybersecurity firm DomainTools told Recorded Future News that they have found nearly 30 newly created domains related to tolls, 15 of which have a “high chance of being weaponized for phishing, malware, or spam.” 

None of them have been blocklisted yet, according to DomainTools, which suggests that toll scams will continue on and may accelerate. 

The company’s researchers said many of the scam sites appear to target E-ZPass customers traveling on the New Jersey Turnpike as well as Florida’s SunPass. 

"The domains identified during our investigation indicate the campaign likely started in early to mid February with the threat actors representing themselves as a toll collection authority for the State of New York,” said Austin Northcutt, solutions engineer at DomainTools. 

“The campaign picked up its cadence in Mid-March when it began using New Jersey Turnpike-themed domains and then expanding to other states. As for the website being used to conduct the campaign, the threat actor appears to be using a browser filter and phishing page that only loads for mobile browsers." 

Northcutt noted that there is evidence that this a “relatively low sophisticated campaign” because the websites do not have data quality controls or checks to ensure the user input is legitimate. 

DomainTools shared screenshots showing that all the sites are directing victims to make payment or collect information that would facilitate a future payment. Many of the websites also only allow mobile traffic, they added. 

Smishing campaigns have grown in popularity among cybercriminals as websites increasingly require SMS verification.

New York City recently had to close off a website for city workers following a smishing campaign that spoofed the platform and attempted to steal login information.