A sophisticated phishing operation is exploiting compromised Indiana government sender accounts to distribute fraudulent TxTag toll collection messages.
The campaign, which emerged this week, leverages the GovDelivery communications platform to lend legitimacy to the scam emails targeting unsuspecting recipients nationwide.
Sophisticated Phishing Targets Indiana Toll Users
The phishing emails, which appear to originate from legitimate Indiana government email addresses like DLGF@public.govdelivery.com, inform recipients of fictitious unpaid toll charges.
The attackers utilized newly registered look-alike domains hosting convincing TxTag payment portals designed specifically to harvest sensitive information.
“The phishing emails used newly registered look-alike domains hosting fake TxTag pages designed to steal personal info, credit card data, and one-time passcode (OTP),” reads a Trustwave SpiderLabs report shared with Cyber Security News.
Technical analysis revealed sophisticated data exfiltration methods employed by the attackers.
The fraudulent websites not only collect victim information through POST requests to endpoints like https://txtag-us.xyz/api/client/* but also maintain persistent WebSocket connections (wss://txtag-us.xyz/sync-message) enabling real-time session monitoring.
This allows attackers to track victim interactions with the phishing site and potentially bypass security measures.
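The traffic pattern described above (form POSTs to /api/client/* on a look-alike domain, plus a WebSocket to /sync-message) can be turned into a simple proxy-log detection rule. The following is an added example, not part of the Trustwave report or the article; the log format and the sample lines are constructed, and the look-alike heuristic simply flags any host mentioning "txtag" that is not the official txtag.org.

```python
from urllib.parse import urlparse

# Constructed sample proxy log lines (not from the article):
# "<method> <url> upgrade=<0|1>", where upgrade=1 marks an "Upgrade: websocket" request.
SAMPLE_LOGS = [
    "POST https://txtag-us.xyz/api/client/card upgrade=0",
    "GET wss://txtag-us.xyz/sync-message upgrade=1",
    "GET https://www.txtag.org/en/ upgrade=0",
    "POST https://accounts.example.com/api/client/login upgrade=0",
    "GET https://txtag.org/help upgrade=0",
]

# The legitimate toll site named in the article.
OFFICIAL_TOLL_DOMAINS = {"txtag.org"}


def registered_domain(host):
    """Crude eTLD+1 (last two labels); sufficient for the .org/.xyz samples here."""
    return ".".join(host.lower().split(".")[-2:])


def is_lookalike(host):
    """A host that mentions the toll brand but is not the official registered domain."""
    return "txtag" in host.lower() and registered_domain(host) not in OFFICIAL_TOLL_DOMAINS


def classify(line):
    """Return the reasons a request resembles the TxTag phishing kit's traffic."""
    method, url, upgrade = line.split()
    u = urlparse(url)
    reasons = []
    if is_lookalike(u.hostname or ""):
        reasons.append("lookalike-domain")
        # Victim data is submitted to /api/client/* on the fake portal.
        if method == "POST" and u.path.startswith("/api/client/"):
            reasons.append("credential-exfil-endpoint")
        # Persistent WebSocket used by the operator to watch the session live.
        if u.scheme == "wss" or upgrade == "upgrade=1" or u.path == "/sync-message":
            reasons.append("websocket-session-sync")
    return reasons


def scan(lines):
    """Map each suspicious log line to its list of reasons; clean lines are omitted."""
    return {line: classify(line) for line in lines if classify(line)}


if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOGS).items():
        print(line, "->", ", ".join(reasons))
```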
Exploitation of Government Email Infrastructure
The Indiana Office of Technology (IOT) confirmed that the phishing campaign stems from a security breach involving a former government contractor.
The Indiana Office of Technology said the scam emails are linked to a private vendor whose contract with the state ended last year but which apparently did not remove the state’s account from its system.
Investigations revealed that although the state’s contract with GovDelivery ended on December 31, 2024, the associated account remained active.
This oversight provided an attack vector for malicious actors who compromised a contractor’s credentials, gaining access to GovDelivery’s email distribution capabilities that reach millions of subscribers.
Indiana Secretary of State Diego Morales issued an urgent warning on May 13, 2025: “These scams are dangerous, deceptive, and disruptive. I want to remind all Hoosiers to be cautious before opening emails and clicking on any unsolicited links, especially those that request personal information or direct you to unfamiliar websites. Your security is our top priority”.
The IOT emphasized that legitimate government agencies do not send toll notifications via email or text.
Similar warnings have been issued in other states, with the Illinois Tollway confirming they “DO NOT use non-tollway entities – third-party websites – to collect or modify customer account information”.
Protective Measures
Security experts recommend that recipients of these emails:
- Avoid clicking any links or opening attachments in suspicious emails.
- Forward suspicious messages to the appropriate authorities (info@getipass.com for Illinois residents).
- Contact credit card providers immediately if payment information was entered on suspicious sites.
- Verify toll charges directly through official websites (TxTag.org) or official customer service numbers (1-888-468-9824).
This incident highlights growing concerns about compromised government communication systems being weaponized for phishing campaigns.
As GovDelivery serves over 300 million subscribers worldwide, the potential impact of such breaches extends far beyond this single campaign, underscoring the critical importance of secure vendor management practices for government communications infrastructure.
The post Hacking Abusing GovDelivery For TxTag ‘Toll Charges’ Phishing Attack appeared first on Cyber Security News.