{"id":3939,"date":"2025-05-14T10:03:27","date_gmt":"2025-05-14T10:03:27","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/05\/14\/hacking-abusing-govdelivery-for-txtag-toll-charges-phishing-attack\/"},"modified":"2025-05-14T10:03:27","modified_gmt":"2025-05-14T10:03:27","slug":"hacking-abusing-govdelivery-for-txtag-toll-charges-phishing-attack","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/05\/14\/hacking-abusing-govdelivery-for-txtag-toll-charges-phishing-attack\/","title":{"rendered":"Hacking Abusing GovDelivery For TxTag \u2018Toll Charges\u2019 Phishing Attack"},"content":{"rendered":"

Hacking Abusing GovDelivery For TxTag \u2018Toll Charges\u2019 Phishing Attack
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A sophisticated phishing operation<\/a> exploiting compromised Indiana government sender accounts to distribute fraudulent TxTag toll collection messages.\u00a0<\/p>\n

The campaign, which emerged this week, leverages the GovDelivery communications platform to lend legitimacy to the scam emails targeting unsuspecting recipients nationwide.<\/p>\n

Sophisticated Phishing Targets Indiana Toll Users\u00a0<\/strong><\/h2>\n

The phishing emails, which appear to originate from legitimate Indiana government email addresses like DLGF@public.govdelivery.com, inform recipients of fictitious unpaid toll charges.\u00a0<\/p>\n

The attackers utilized newly registered look-alike domains hosting convincing TxTag payment portals designed specifically to harvest sensitive information.<\/p>\n

\u201cThe phishing emails used newly registered look-alike domains hosting fake TxTag pages designed to steal personal info, credit card data, and one-time passcode (OTP)<\/a>,\u201d Trustwave SpiderLabs report shared with Cyber Security News.<\/p>\n

\n
\"\"<\/figure>\n<\/div>\n

Technical analysis revealed sophisticated data exfiltration methods employed by the attackers.\u00a0<\/p>\n

The fraudulent websites not only collect victim information through POST requests to endpoints like https:\/\/txtag-us.xyz\/api\/client\/* but also maintain persistent WebSocket connections (wss:\/\/txtag-us.xyz\/sync-message) enabling real-time session monitoring.\u00a0<\/p>\n

This allows attackers to track victim interactions with the phishing site and potentially bypass security measures.<\/p>\n

Exploitation of Government Email Infrastructure<\/strong><\/h2>\n

The Indiana Office of Technology (IOT) confirmed that the phishing campaign stems from a security breach involving a former government contractor.\u00a0<\/p>\n

The Indiana Office of Technology said the scam emails are linked to a private vendor whose contract with the state ended last year, but apparently did not remove the state\u2019s account from its system.<\/p>\n

\n
\"\"<\/figure>\n<\/div>\n

Investigations revealed<\/a> that although the state\u2019s contract with GovDelivery ended on December 31, 2024, the associated account remained active.\u00a0<\/p>\n

This oversight provided an attack vector for malicious actors who compromised a contractor\u2019s credentials, gaining access to GovDelivery\u2019s email distribution capabilities that reach millions of subscribers.<\/p>\n

Indiana Secretary of State Diego Morales issued an urgent warning on May 13, 2025: \u201cThese scams are dangerous, deceptive, and disruptive. I want to remind all Hoosiers to be cautious before opening emails and clicking on any unsolicited links, especially those that request personal information or direct you to unfamiliar websites. Your security is our top priority\u201d.<\/p>\n

The IOT emphasized that legitimate government agencies do not send toll notifications via email or text.\u00a0<\/p>\n

Similar warnings have been issued in other states, with the Illinois Tollway confirming they \u201cDO NOT use non-tollway entities \u2013 third-party websites \u2013 to collect or modify customer account information\u201d.<\/p>\n

Protective Measures<\/strong><\/h2>\n

Security experts recommend that recipients of these emails:<\/p>\n