Article Details
Scrape Timestamp (UTC): 2025-04-17 14:05:15.652
Original Article Text
CTM360 Tracks Global Surge in SMS-Based Reward and Toll Scams
CTM360 has observed a notable surge in two SMS-based phishing campaigns: PointyPhish (reward scams) and TollShark (toll payment scams).
PointyPhish is linked to over 3,000 domains and phishing sites, preying on urgency by claiming expiring reward points to trick customers into fraudulent sites that steal payment details. Similarly, TollShark involves over 2,000 domains and phishing sites, exploiting fears of unpaid tolls to capture sensitive information from unsuspecting individuals.
CTM360 detected thousands of these phishing sites across multiple countries, indicating that this isn’t just a localized issue — it’s a coordinated, global effort. The widespread nature of these attacks shows a clear intent to target individuals at scale, with the goal of stealing sensitive financial data. The impact is far-reaching, affecting not just one region but thousands of customers of various brands worldwide.
At the core of these campaigns is Darcula Suite, a powerful Phishing-as-a-Service (PhaaS) platform. Built on React and Docker, Darcula enables cybercriminals to launch phishing sites in under 10 minutes. It supports multi-channel SMS delivery (including iMessage and RCS), making the websites harder to detect and easier to scale globally.
Two Different Campaigns, One Common Tactic
Both attacks are simple in structure: they begin with SMS distribution, create urgency, impersonate a trusted brand, and lead customers into giving up payment details.
Read our new PlayPraetor report to explore behaviors, detection insights
CTM360 has now identified a much larger extent of the ongoing PlayPraetor campaign. What started with 6,000+ URLs linked to a specific banking attack has now grown to 16,000+ impersonation sites across multiple malware variants. This research is ongoing, with further discoveries expected in the coming days.
How It Works – Step by Step
CTM360’s threat analysts mapped out the entire attack lifecycle using the CTM360 Scam Navigator and analyzed each step in detail.
Inside Darcula: A Glimpse Into PhaaS
Darcula isn’t just a phishing kit — it’s a full PhaaS platform for scams. While tracking these campaigns, CTM360 uncovered an exposed admin panel used by attackers managing Darcula Suite. This offers a rare window into how these phishing operations are run:
Read the full PointyPhish & TollShark Report
For a deeper look into the campaigns, including screenshots, domain samples and insights into how the scams are structured and operate on a global scale, read the full report at https://www.ctm360.com/reports/pointyphish-tollshark.
Sponsored and written by CTM360.
Daily Brief Summary
CTM360 reports a significant increase in SMS-based phishing via PointyPhish and TollShark campaigns, focusing on false reward claims and fake toll charges.
PointyPhish involves over 3,000 domains, using urgency of expiring rewards to direct victims to malicious sites where payment details are stolen.
TollShark uses more than 2,000 domains, banking on fears of unpaid tolls to gather personal information.
Both campaigns utilize Darcula Suite, a Phishing-as-a-Service (PhaaS) platform, to quickly create and scale phishing operations globally.
These scams impact a wide geographical area and target customers of various brands on a large scale, ensuring a broad capture of sensitive financial data.
Darcula Suite supports advanced features like multi-channel SMS delivery to enhance the efficacy and reach of these phishing attacks.
CTM360 identified an escalation of related phishing activity, including over 16,000 impersonation sites aligned with various malware variants.