In 2024, the FBI received more than 60,000 complaints about unpaid toll text scams. This form of scam uses text messages (“smishing”) to purportedly notify users of US-based highway systems that they owe payments for unpaid tolls. Recipients of such texts who respond often inadvertently end up revealing personal or credit card information.
This scam continued in January and February 2025 but has now expanded to use spam and phishing in addition to smishing. Our Cybercrime Information Center project has begun to see a large number of unpaid toll spam and phishing reports.
We were curious to see whether and to what extent deceptively composed domain names were present in these attacks. We saw evidence of increases in the following patterns appearing in domain names being used for phishing and spam:
e-zpass
ezpass
ezdrive
sunpass
txtag
The strings e-zpass and ezpass are prominent among domain names used by a number of eastern US states; SunPass is used in Florida, and TxTag is used in Texas.
We also looked for evidence of NCQuickPass (North Carolina) and FasTrack (California) but, as yet, we saw little evidence of these strings being used as part of domain name registrations that have been reported for cybercrimes.
Let’s look at the January and February 2025 cybercrime reports for each of those domain name patterns.
E-ZPass
We found 1,241 cybercrimes with a domain name containing ‘e-zpass’. The predominant domain name pattern was e-zpass<junk>.top where <junk> was either 3 or 4 random characters – for example, e-zpassqhr.top.
Dominet (HK) was the top registrar. Most of the domain names were registered in .top and most of the scam sites were hosted at IP addresses in China.
EZPass
We found 817 cybercrimes with a domain name containing ‘ezpass’. The predominant name pattern was ezpass<junk>.top where <junk> was 1-5 random characters – for example, ezpassyhh.top.
Dominet (HK) was again the top registrar. Again, most names were registered in .top and most of the scam sites were hosted at IP addresses in China.
EZDrive
We found 2,258 cybercrimes with a domain name containing ‘ezdrive’. 1,602 of those cybercrimes used a domain name containing ‘ezdrivema’ which is used for toll users in Massachusetts – for example, ezdrivema-com-yhvqp.top.
Dominet (HK) was the top registrar, but in this case, many domain names were also registered through Gname and NameSilo. The attackers again exploited .top but also registered domain names in .XIN, and .VIP (among 57 different TLDs). Again, most of the scam sites were hosted at IP addresses in China.
SunPass
We found 90 cybercrimes with a domain name containing ‘sunpass’. 37 of those cybercrimes used a domain name containing ‘sunpass-com-help’ in the .info TLD – for example, sunpass-com-helpu.info.
Dominet (HK) and NICENIC were the predominant registrars; the domain names were mostly registered in .info, .com, and .top, and (at this point, unsurprisingly) most of the scam sites were hosted in China.
TxTag
We found 1,869 cybercrimes with a domain name containing ‘txtag’. 1,562 of those cybercrimes used a domain name containing ‘org-txtagstorefront<junk>.xin’ or ‘org-txtagstorefront<junk>.world’ where <junk> is two or more random characters – for example, org-txtagstorefrontchn.xin. A further 13 used a domain name containing ‘com-txtagstorefrox<junk>.xin’ where <junk> is a single random character, and a further 86 used ‘com-txtagstoerof<junk>.top’ where <junk> is 3 random characters. Another 45 contained ‘txtag<junk>.xin’ or ‘txtag<junk>.top’ where <junk> is 2 random characters.
Dominet (HK) was the top registrar with most domain names registered in .xin, .world, and .top; most of the scam sites were hosted in China.
Domain Names Designed to Confuse
Cybercriminals choose domain names to fool the unsuspecting user, who may not look closely at the exact construction of a URL but sees enough that looks familiar to lower their guard.
For example, the domain name ezdrivema-com-yhvqp.top was designed to look like it was in ezdrivema.com – on a small screen, such as a mobile phone, it is too easy to mistake the hyphen for a dot. Combine that with a web page that looks like the real site, and it is easy to see how a user can be fooled into believing they are on the genuine EZDriveMA.com site.
Similarly, the domain name org-txtagstorefrontchn.xin was designed to look very similar to the URL from the real TxTag site: www.txtag.org/txtagstorefront/en/
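The following is an added example (not code from the Cybercrime Information Center) that triages a reported-domain feed for the toll-brand patterns described above, including the hyphen-for-dot trick in which a label such as ‘com’ or ‘org’ is embedded with hyphens. The sample domain list, the allowlist and the brand list are constructed for illustration; only ezdrivema.com and txtag.org are taken from the text.

```python
import re
from collections import Counter
from typing import Optional

# Brand strings the article reports seeing in abusive registrations.
TOLL_BRANDS = ("e-zpass", "ezpass", "ezdrive", "sunpass", "txtag")

# Genuine registrable names that legitimately contain a brand string
# (assumed allowlist; ezdrivema.com and txtag.org are named in the text).
ALLOWLIST = {"ezdrivema.com", "txtag.org"}

# Constructed sample feed modelled on the patterns in the article.
SAMPLE_DOMAINS = [
    "e-zpassqhr.top",
    "ezpassyhh.top",
    "ezdrivema-com-yhvqp.top",
    "sunpass-com-helpu.info",
    "org-txtagstorefrontchn.xin",
    "example.com",      # unrelated
    "ezdrivema.com",    # the real site, allowlisted
]

# A TLD-like token joined by hyphens inside the host part, e.g. "-com-" or "org-".
_FAKE_TLD = re.compile(r"(?:^|-)(com|org|net|gov)(?:-|$)")


def classify(domain: str) -> Optional[dict]:
    """Return a record for a domain that mimics a toll brand, else None."""
    d = domain.lower().rstrip(".")
    labels = d.split(".")
    if len(labels) < 2 or d in ALLOWLIST:
        return None
    tld, host = labels[-1], ".".join(labels[:-1])
    brand = next((b for b in TOLL_BRANDS if b in host), None)
    if brand is None:
        return None
    return {
        "domain": d,
        "brand": brand,
        "tld": tld,
        # True when a fake "com"/"org" label imitates a dot-separated URL
        "fake_tld_label": _FAKE_TLD.search(host) is not None,
    }


def summarize(domains):
    """Group flagged domains by brand and by TLD, as the article does."""
    hits = [c for c in (classify(d) for d in domains) if c]
    return hits, Counter(h["brand"] for h in hits), Counter(h["tld"] for h in hits)
```

On the sample feed this flags five domains, three of them in .top, and marks the three that embed a fake ‘com’ or ‘org’ label.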
Summary
China appears to be the locus of unpaid toll scam activity. The majority of the scam domains have been registered via Dominet (HK) and the scam sites are hosted at IP addresses in China.
It is also encouraging that domain names containing ‘ezpass’ and ‘txtag’ seem not to resolve to IP addresses when checked soon after they were reported on phishing or spam lists – the implication is that they have already been taken down or otherwise blocked reasonably promptly.
Attempting to resolve a random sample of the domain names for the patterns identified, checked during early March 2025, shows that very many of the .top and .xin domains that had previously resolved no longer resolve to IP addresses. This suggests that the efforts of some parties to take down cybercrime domains are effective.
Kudos to first responders: most of these domains have been detected for cybercrimes very soon after the domain names were registered. This is no mean task, and we should appreciate their often-unobserved efforts.