Saturday, February 14, 2026

DMV Phishing Scam – Cybercriminals Target U.S. Citizens for Personal Data

A sophisticated and highly coordinated phishing campaign has swept across the United States, posing as state Departments of Motor Vehicles (DMVs) and exploiting public trust in government agencies.

Since May 2025, thousands of Americans have fallen victim to convincing SMS (smishing) messages and deceptive websites designed to harvest sensitive personal and financial information.

Delivery and Deception Tactics

The campaign relied heavily on smishing attacks, where victims received texts purportedly from their local DMV.

Spoofed to appear legitimate, these messages are often sent from numbers traced to the Philippines, warning recipients of unpaid toll violations and threatening license suspension or legal consequences unless an urgent payment is made.

The texts included fake legal codes (“[State-Name] Administrative Code 15C-16.003”) and directed victims to fraudulent websites that mimicked official DMV pages.

Once users clicked the provided link, they encountered highly realistic web pages branded for their state, complete with official-looking logos and messaging about outstanding fines.

Victims were instructed to pay a nominal fee (often $6.99) and then directed to a form that requested extensive personal information, including full name, address, email, phone number, and credit card details.

Infrastructure and Attribution

Technical analysis revealed a well-organized infrastructure. Most malicious sites followed a pattern similar to https://[state_ID]dmv.gov-[4-letter-string].cfd/pay, with newly registered domains hosted across multiple IP addresses.

Notably, a significant cluster of these sites operated from the known malicious IP 49.51.75[.]162.
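One way to hunt for the hostname shape described above in proxy or DNS logs, as an added example that is not part of the original article or of any vendor's tooling. The length allowed for the state prefix, the broader `gov-lookalike` rule, and the sample URLs are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Host shape reported in the article: [state_ID]dmv.gov-[4-letter-string].cfd
# Assumption: state_ID is 2-20 ASCII letters; the article does not define it.
KIT_HOST = re.compile(r"^(?P<state>[a-z]{2,20})dmv\.gov-(?P<tag>[a-z]{4})\.cfd$")


def hostname_of(url_or_host: str) -> str:
    """Return the lowercase hostname, tolerating a missing scheme, a port, or a trailing dot."""
    text = url_or_host.strip()
    if "://" not in text:
        text = "//" + text  # make urlsplit treat the value as a network location
    host = urlsplit(text).hostname or ""
    return host.rstrip(".").lower()


def classify(url_or_host: str) -> str:
    """Label a URL as 'kit-pattern', 'gov-lookalike', 'gov', or 'other'."""
    host = hostname_of(url_or_host)
    labels = host.split(".")
    if KIT_HOST.match(host):
        return "kit-pattern"
    if labels[-1] == "gov":
        return "gov"  # genuinely under the .gov TLD
    # Assumed broader rule: a label such as "gov-abcd" under a non-.gov TLD
    # reads like ".gov" to a user, but the registrable domain is gov-abcd.<tld>.
    if any(label.startswith("gov-") for label in labels[:-1]):
        return "gov-lookalike"
    return "other"


def scan(urls):
    """Return (url, label) pairs for entries worth an analyst's attention."""
    labelled = ((u, classify(u)) for u in urls)
    return [(u, c) for u, c in labelled if c in ("kit-pattern", "gov-lookalike")]


# Constructed sample input; only dmv.ny.gov is a real hostname.
SAMPLES = [
    "https://nydmv.gov-abcd.cfd/pay",
    "HTTPS://TXDMV.GOV-QWER.CFD./pay",
    "https://dmv.ny.gov/",
    "https://portal.gov-help.example/login",
    "https://example.org/dmv",
]

if __name__ == "__main__":
    for url, label in scan(SAMPLES):
        print(f"{label:14} {url}")
```

The check works on parsed hostname labels rather than substring matching, so a genuine `.gov` host is never flagged merely for containing "dmv" or "gov".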

The phishing campaign displayed strong operational discipline. All domains leveraged the same name servers: alidns.com and dns8.alidns.com, with the SOA contact hostmaster@hichina.com—a clear marker of Chinese domain operations.

Shared frontend assets—such as JavaScript files C18UmYZN.js and fliceXIj.js, CSS C0Zfn5GX.css, and images BHcjXi3x.gif and BkBiYrmZ.svg—indicated the use of a centralized phishing kit.

Source code embedded with Chinese-language comments further reinforced attribution to a Chinese-speaking threat actor.

Threat intelligence platforms, including Cyberint, matched these artifacts to the “Lighthouse” phishing kit, which had been previously used in similar DMV-targeted campaigns.

The campaign’s scale is staggering: over 2,000 complaints were lodged with the FBI’s IC3 in a single month, and significant national media outlets, including CBS News, Fox News, and Time Magazine, have covered the scam’s impact.

Response and Protection

Authorities in the affected states (New York, New Jersey, Pennsylvania, Florida, Texas, and California) issued alerts and advisories, urging citizens never to respond to unsolicited text messages or share payment details online.

The campaign has prompted improved collaboration among cybersecurity teams, telecom providers, and law enforcement to block malicious domains and enhance public awareness.

Key Recommendations

  • Individuals: Never trust unsolicited messages, always visit official DMV websites directly, and report suspicious texts to 7726 (SPAM) or the FTC.
  • Organizations: Educate users about scams, block high-abuse TLDs at the DNS level, and implement email authentication protocols.
  • Threat Intelligence Teams: Enforce IoCs in security tools and share indicators via threat intelligence platforms.

This DMV phishing scam underscores the growing sophistication of cybercriminals and the urgent need for vigilance in an increasingly digital world.
