New TxTag Phishing Attack Leverages .gov Domain to Trick Employees

A sophisticated phishing campaign targeting employees with fake toll payment notices has been identified, combining government domain spoofing with social engineering tactics.

The attackers craft messages claiming to be from TxTag, warning recipients that their accounts face suspension unless outstanding balances are paid immediately.

This campaign leverages urgency and fear to compel victims into clicking malicious links that lead to credential theft.

The phishing emails employ a particularly deceptive technique by utilizing an actual government delivery system to enhance legitimacy.

Messages appear to originate from official channels, displaying government domains that many security systems would typically trust.

However, there’s a notable discrepancy: while the emails claim to represent Texas toll authorities, they actually use Indiana’s GovDelivery instance—a subtle but critical indicator of the fraud.

Cofense researchers identified this campaign through their Phishing Defense Center (PDC), noting that the attack demonstrates increasing sophistication in how threat actors impersonate trusted entities.

When recipients click the embedded link, they’re directed to a convincing replica of a TxTag payment portal at “txtag-help[.]xyz,” where a multi-stage information harvesting operation begins.

The attack flow is a carefully orchestrated sequence designed to maximize data collection while maintaining the illusion of legitimacy; no malware is delivered, and every stage exists only to harvest the victim's data.

Email Body (Source – Cofense)

Initially, victims encounter a welcome page displaying a TxTag logo and notification of a modest $6.69 outstanding balance.

This relatively small amount is strategically chosen to seem plausible while not raising immediate suspicion.

Credential Harvesting Methodology

After proceeding, victims encounter a form requesting extensive personal information—full name, email address, phone number, and complete mailing address.

Phishing Page (Source – Cofense)

Unlike legitimate toll payment systems, this phishing site doesn’t require login credentials, an oversight that security-conscious users might notice.

The attackers’ primary objective becomes clear in the subsequent screen, where victims are prompted to enter complete payment card details including card number, expiration date, and security code.

The campaign employs validation techniques to ensure quality of harvested data, requiring correct CVV digit counts before allowing form submission.

Another Phishing Page (Source – Cofense)

Upon completion, victims see a fake “Payment is processing” message, potentially followed by an error claiming the card isn’t supported—prompting entry of additional payment methods and expanding the attackers’ haul of financial credentials.

These tactics exemplify how modern phishing operations combine technical deception with psychological manipulation, bypassing traditional security measures while exploiting human trust in governmental authorities and fear of penalties.
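The three indicators this write-up gives a defender (a .gov sender from the wrong state, a link that does not go to the impersonated brand's own domain, and the suspension/urgency lure) can be turned into a mail-gateway check. The script below is an added example, not Cofense's tooling or code from the original post; it assumes txtag.org is TxTag's legitimate domain, and the sender-to-state map and the sample message are constructed placeholders, not real GovDelivery addresses.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, modelled on the campaign described above (not a real capture):
# a .gov sender, a TxTag-branded body, an urgency lure and a link to the lookalike host.
SAMPLE_EMAIL = """From: TxTag Notices <txtag@example-indiana.gov>
To: employee@example.com
Subject: TxTag: your account will be suspended unless you pay immediately

Your TxTag balance of $6.69 is outstanding. Pay now to avoid suspension:
https://txtag-help.xyz/pay
"""

# Assumptions: txtag.org is the brand's legitimate domain and TxTag is a Texas agency.
BRAND_DOMAINS = {"txtag": "txtag.org"}
BRAND_STATE = {"txtag": "tx"}
# Assumed, constructed map of GovDelivery sender domains to the state that owns them.
SENDER_STATE = {"example-indiana.gov": "in", "example-texas.gov": "tx"}
URGENCY = ("suspend", "immediately", "pay now")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def analyze(raw: str) -> list:
    """Return a list of findings for one raw RFC 822 message (empty means no flag)."""
    msg = message_from_string(raw)
    text = (msg["Subject"] or "") + "\n" + msg.get_payload()
    lowered = text.lower()
    brand = next((b for b in BRAND_DOMAINS if b in lowered), None)
    findings = []
    if brand is None:
        return findings  # no impersonated brand recognised; nothing to compare against
    _, sender = parseaddr(msg["From"] or "")
    sender_domain = sender.rpartition("@")[2].lower()
    # Check 1: a .gov sender whose state does not match the claimed agency's state.
    state = SENDER_STATE.get(sender_domain)
    if sender_domain.endswith(".gov") and state and state != BRAND_STATE[brand]:
        findings.append(f"gov sender {sender_domain} belongs to '{state}', "
                        f"brand expects '{BRAND_STATE[brand]}'")
    # Check 2: any link whose host is not the brand's own domain (or a subdomain of it).
    legit = BRAND_DOMAINS[brand]
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host != legit and not host.endswith("." + legit):
            findings.append(f"link host {host.replace('.', '[.]')} is not {legit}")
    # Check 3: the urgency lure the campaign relies on.
    if any(word in lowered for word in URGENCY):
        findings.append("urgency language present")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("FLAG:", finding)
```

Link hosts are printed defanged so the output can be pasted into a ticket without creating a clickable lookalike URL.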


The post New TxTag Phishing Attack Leverages .gov Domain to Trick Employees appeared first on Cyber Security News.