Recognizing Patterns in the Toll Road Phishing Campaigns

Article publication date: 20 May 2025.

If you have a cellphone, you’ve probably seen it: an SMS text notifying you of overdue toll road payments, urging you to follow a link to a questionable URL made up of random letters with a TLD you don’t recognize. Toll road phishing domains have been at the center of a massive abuse campaign this year, and analyzing this trend highlights the necessity of pattern detection in domain registrations and abuse campaigns.

Over the past three months, CleanDNS saw an enormous increase in abusive domains related to toll road phishing, many of which were registered in bulk and followed the same naming convention. From February to April of 2025, the widespread phishing campaign proliferated across the Internet, duping unsuspecting users into believing that they had overdue tolls, and attempting to obtain personal information once a user followed the link. These phishing domains are primarily delivered via SMS, prompting the recipient to click on a link to pay or view their fine. Although initially targeting users in the United States of America, the toll road phishing campaign quickly expanded to other countries. Domains within this campaign typically follow a TLD-letter pattern and are registered in bulk, targeting toll, postal, and government service companies.

CleanDNS began seeing reports for toll road phishing domains in early February 2025, and has seen abuse skyrocket in the months that followed. At CleanDNS, we are focused on shifting the abuse mitigation process from one that is reactive to one that is also inherently exploratory and anticipatory. Our pattern detection tools and evidence categorization model allowed us to detect and take proactive action against domains that are part of these campaigns. With our evidence-based approach to abuse mitigation and disruption, CleanDNS was able to uncover webs of abuse that lay beneath individual abuse reports. Without these capabilities, the domains within these campaigns could previously have gone undetected; due to their seemingly randomized naming convention, users may not initially have been able to point out something phishy about the link they were asked to follow.
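A minimal sketch of that pivot from one report to its siblings, added here as an illustration and not CleanDNS tooling: starting from a single reported domain, it collects domains from the same registrar that share a naming shape and were registered in one burst. The feed, the shape key, the 5-minute gap and the minimum batch size are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed registration feed (domain, registrar, creation time). Reserved
# TLDs and made-up registrar names; none of this is data from the article.
FEED = [
    ("qkzvtrw.example", "registrar-a", "2025-02-10T03:14:05"),
    ("mxbqhpl.example", "registrar-a", "2025-02-10T03:14:09"),
    ("tjwzkfd.example", "registrar-a", "2025-02-10T03:15:40"),
    ("hgrnvcs.example", "registrar-a", "2025-02-10T03:19:02"),
    ("city-library.example", "registrar-a", "2025-02-10T03:15:00"),
    ("wplkzqa.example", "registrar-b", "2025-02-10T03:14:30"),
    ("zvnqrtb.example", "registrar-a", "2025-02-10T09:47:00"),
    ("bakery.test", "registrar-a", "2025-02-10T03:14:07"),
]

def shape(domain):
    """Assumed naming-convention key: TLD, label length, character-class runs."""
    label, _, tld = domain.lower().partition(".")  # assumes "label.tld" input
    runs = re.sub(r"[0-9]+", "0", re.sub(r"[a-z]+", "a", label))
    return (tld, len(label), runs)

def siblings(reported, feed, gap=timedelta(minutes=5), min_size=3):
    """Return the bulk-registration batch that contains the reported domain."""
    rows = {d: (r, datetime.fromisoformat(t)) for d, r, t in feed}
    if reported not in rows:
        return []
    registrar = rows[reported][0]
    peers = sorted(
        (t, d) for d, (r, t) in rows.items()
        if r == registrar and shape(d) == shape(reported)
    )
    batch = []
    for t, d in peers:
        # A gap longer than the window closes the current run of registrations.
        if batch and t - batch[-1][0] > gap:
            if any(name == reported for _, name in batch):
                break
            batch = []
        batch.append((t, d))
    names = [d for _, d in batch]
    # A run below min_size is treated as an ordinary registration, not a batch.
    return names if reported in names and len(names) >= min_size else []
```
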

This trend highlights how pattern detection, widespread abuse reporting, and each individual abuse report can contribute to proactive action to weed out an entire ecosystem of abuse. The toll road phishing campaign appears to be slowing down at present through the proactive action taken, but it remains a prime example of how quickly abuse trends can spread, and the importance of early action and disruption to minimize victimization.

CleanDNS is dedicated to detecting, evidencing, disrupting, and mitigating abuse and online harms as a part of our mission to Clean Up the Internet for Good. You can read more about how CleanDNS connects the dots from a single abuse report to a domain ecosystem in our recent article here, penned by CleanDNS CTO Rick Hansen.

For questions about CleanDNS’ actionable, affordable, streamlined solution for abuse management and online harm mitigation, contact our team to learn more.