Introduction

Government services are increasingly relying on SMS as a channel to send notifications such as fines, toll reminders and payment alerts. It is fast, convenient, and the general public tends to trust a text from an official sender. This trust is what scammers are looking to take advantage of.

Group-IB researchers have been tracking a smishing campaign that is impersonating the identity of Putevi Srbije, Serbia’s state road authority. Victims get a text claiming they have an unpaid traffic fine. They click a link. They land on a fake government website that looks real enough to fool most people. They enter their card details. And then the money is gone.

While this blog tracks a localized campaign, the scheme is not a one-off. The infrastructure and methods point to two well-known Phishing-as-a-Service (PhaaS) platforms: Darcula and Phoenix. Both have been used to run similar campaigns against victims in dozens of countries. According to previous Group-IB research titled “The Rise of Fake Shipment Tracking Scams in MEA”, Darcula is a Chinese-language PhaaS platform that first appeared in 2023 and has since been tied to attacks on government bodies, airlines, postal services, and financial institutions worldwide. Phoenix, documented in separate Group-IB research titled “Phoenix Rising”, operates through a centralized administrative panel that lets operators manage multiple phishing campaigns across different countries and industries.

This blog explains how the scam scheme works, why it’s linked to these PhaaS kits, and what the indicators look like.

Key discoveries

  • An active smishing campaign impersonates Putevi Srbije, Serbia’s state road authority, sending fake unpaid traffic fine notifications by SMS.
  • Fraudulent websites cloning the official government payment portal were created to steal victims’ payment card details.
  • The phishing pages use JavaScript to hide malicious content from security scanners, making automated detection and takedown significantly harder.
  • The campaign’s infrastructure, methods, and structure are consistent with the Darcula and Phoenix PhaaS platforms.

Who may find this blog interesting:

  • Cybersecurity and fraud teams
  • Law enforcement investigators
  • Cyber security researchers
  • Government agencies and public sector IT teams
  • Banking and financial institutions
  • Informed online consumers

Group-IB Threat Intelligence and Fraud Protection Portals:

Group-IB customers can access our Threat Intelligence and Fraud Protection portals for more information about the scam scheme described in this blog:

Fake Traffic Fines SMS Phishing Campaign

Analysis of the Scam Scheme

The text message

The victims initially receive a text message saying that an unpaid traffic fine registered by the Serbian road authority is awaiting payment. The message also specifies that if the fine is not paid within the given timeframe, the amount will increase. The link in the message looks legitimate, and the urgent tone of the message pressures the victims into acting.

This kind of trick works because it plays on something people are naturally afraid of: getting in trouble with official authorities. Such tricks require no specific technical skills to implement, which is why the scheme is so popular.

The fake website

The fraudulent link in the malicious SMS redirects the victim to a cloned website with accurate logos, colors, and language. It looks like a legitimate government payment portal. The victim is asked to confirm their personal details and to pay the fine, i.e. to enter their card number, expiry date, and CVV.

To make it look more legitimate, the page may show fake case reference numbers and various timestamps, as if the violation were already on record in an official system. Some versions also include a payment deadline after which the fine supposedly increases. All of this is designed to make the victim pay as fast as possible.

What happens next

As soon as the victims submit their card details, the data is sent straight to the attackers. From there, it can be used immediately for fraudulent purchases, sold in underground markets, or saved for follow-up scams. Most victims only realize what happened when they see an unexpected charge on their bank account.

The Darcula connection

The technical setup behind this campaign is consistent with what Group-IB and other researchers have documented for Darcula. Darcula, a Chinese-language PhaaS platform with more than 200 phishing templates, shares infrastructure characteristics with the setup used in this campaign. The platform targets users all over the world by impersonating government bodies, postal services, financial institutions, and more.

What we observed in this Serbian campaign fits the pattern: disposable domains that mimic a trusted authority, cloned websites that harvest card data, JavaScript that hides the scam from automated scanning tools, and fast infrastructure rotation to stay ahead of takedowns.

The Phoenix connection

A subset of the domains in this campaign are also consistent with Phoenix, another PhaaS platform that Group-IB researchers uncovered while analyzing global smishing operations spanning APAC, LATAM, Europe, and MEA. Phoenix is built around a centralized administrative panel that allows operators to manage multiple phishing campaigns simultaneously across different countries and industries.

How the pages hide from scanners

The phishing infrastructure analyzed in this blog relies on lightweight, disposable web components designed to evade automated detection while remaining fully functional for end users. One interesting observation, amongst others, is the use of client-side content obfuscation implemented through JavaScript across the landing pages. The visible page text is not embedded directly in the HTML but stored in encoded form and dynamically rendered in the browser at runtime. This makes the phishing pages considerably more difficult to detect during static inspection, because the critical scam-related keywords are absent from the raw source code.

Below are some examples of the template pages observed as part of this scam scheme, which are used to avoid automated detection.

The obfuscation mechanism uses HTML elements and attributes to hide encoded content. This content is decoded only after the webpage has finished loading or when certain sections of the page come into view. By delaying execution and rendering content based on the user’s viewport, the pages make it unlikely that automated programs, security scanners or headless browsers will fully process and capture the content. This behavior indicates that the attackers are trying to avoid detection by signature-based systems and automated takedown mechanisms.

Additionally, the decoding logic is designed to operate continuously, monitoring for newly injected content and ensuring that dynamically loaded elements are rendered correctly for the victim. This shows that the infrastructure is optimized for scalability and reuse, allowing the same phishing framework to be rapidly deployed across multiple domains with minimal modification. Such obfuscation techniques significantly increase the resilience of the phishing infrastructure, and are consistent with modern fraud operations that prioritize speed, low cost, and evasion over complex backend systems.

The core decoder function

window.decodeObfuscatedContent = function(rootElement) {
  const root = rootElement || document.body;
  // Custom elements carrying encoded text are flagged with data-preload="true"
  const elements = root.querySelectorAll('z-span[data-preload="true"], z-strong[data-preload="true"]');
  if (elements.length === 0) return;
  // ... per-element decoding follows (see the next excerpt)
};

This defines the main decoding function and makes it globally accessible. It scans the page for custom HTML elements (z-span and z-strong) that carry encoded text and are flagged with data-preload="true".

Decoding each element

// For each flagged element `el`, the encoded text sits in its data-data attribute
const dataAttr = el.getAttribute('data-data');
const decodedWord = decodeURIComponent(atob(dataAttr));
el.setAttribute('data-content', decodedWord);
el.removeAttribute('data-preload');

For each flagged element, the script extracts the encoded text stored in a data-data attribute, decodes it from Base64 (followed by URI decoding), and stores the readable text in a data-content attribute from which it is rendered on the page. The data-preload flag is then removed so the element is not processed twice.

Idle execution

const runWhenIdle = window.requestIdleCallback || function(cb) { setTimeout(cb, 1); };
runWhenIdle(() => { ... });

The decoding is scheduled to run during idle browser time rather than immediately. This avoids blocking the page from rendering and reduces the chance that automated scanners capture the decoded content during a timed page load.

Initial page load trigger

if (document.readyState === 'loading') {
  document.addEventListener('DOMContentLoaded', function() {
    window.decodeObfuscatedContent();
  });
} else {
  window.decodeObfuscatedContent();
}

Once the page finishes loading, the decoder runs once across the entire page to catch all elements present at load time.

Viewport-based decoding

const decodeObserver = new IntersectionObserver(
  (entries, observer) => {
    // Decode a section once it is about to enter the viewport, then stop watching it
    entries.forEach((entry) => {
      if (entry.isIntersecting) {
        window.decodeObfuscatedContent(entry.target);
        observer.unobserve(entry.target);
      }
    });
  },
  { rootMargin: '200px 0px' }
);

This uses the browser’s IntersectionObserver API to decode content only when a section of the page is about to scroll into the user’s view.

Continuous monitoring for new content

setInterval(observeContainers, 2000);

Every two seconds, the script scans the page for any newly added encoded elements and registers them for decoding.
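As an added illustration (not code from the post or from the kit), the following Python script is the defender's counterpart to the decoder described above: it parses raw HTML statically, recovers the Base64- and URI-encoded text from z-span and z-strong elements flagged data-preload="true", and compares the scam keywords present in the raw source with those present after decoding. The sample page and the keyword list are constructed for the example.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import quote, unquote

# Markup fingerprints of the decoder analysed above: custom z-span / z-strong elements
# flagged data-preload="true", with the text base64-encoded in a data-data attribute.
OBFUSCATED_TAGS = {"z-span", "z-strong"}
SCAM_KEYWORDS = ("fine", "payment", "card", "cvv", "kazna", "plaćanje")  # assumed list

class ObfuscatedTextFinder(HTMLParser):
    """Collects encoded elements from raw HTML without executing any page script."""
    def __init__(self):
        super().__init__()
        self.decoded, self.undecodable = [], 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in OBFUSCATED_TAGS and a.get("data-preload") == "true" and a.get("data-data"):
            try:  # same transform as the kit's decodeURIComponent(atob(x))
                raw = base64.b64decode(a["data-data"], validate=True)
                self.decoded.append(unquote(raw.decode("utf-8")))
            except (ValueError, UnicodeDecodeError):
                self.undecodable += 1

def analyse_page(html: str) -> dict:
    """Compare what a static scanner sees with what the victim's browser would render."""
    finder = ObfuscatedTextFinder()
    finder.feed(html)
    hidden = " ".join(finder.decoded)
    visible = re.sub(r"<[^>]+>", " ", html).lower()  # text present in the raw source
    return {
        "flagged_elements": len(finder.decoded),
        "undecodable": finder.undecodable,
        "hidden_text": hidden,
        "keywords_in_raw_html": sorted(k for k in SCAM_KEYWORDS if k in visible),
        "keywords_after_decoding": sorted(k for k in SCAM_KEYWORDS if k in hidden.lower()),
    }

def _enc(text: str) -> str:
    """Builds sample attribute values the way btoa(encodeURIComponent(text)) would."""
    return base64.b64encode(quote(text).encode("ascii")).decode("ascii")

# Constructed sample page imitating the observed markup; not a real capture.
SAMPLE_HTML = (
    f'<html><body><h1><z-span data-preload="true" data-data="{_enc("Unpaid traffic fine")}"></z-span></h1>'
    f'<p><z-strong data-preload="true" data-data="{_enc("Plaćanje kazne karticom (CVV)")}"></z-strong></p>'
    '<p><z-span data-preload="true" data-data="!!notbase64"></z-span></p></body></html>'
)
```

A scanner that only greps the raw source sees no keywords at all, while the decoded output shows the page for what it is; an undecodable attribute is counted rather than ignored, since a malformed payload is itself worth flagging.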

How the operation is structured

This scheme involves multiple stages and actions, which suggests a coordinated operation run by a team of fraudsters with dedicated roles, rather than a single individual:

  • Infrastructure setup: registration of deceptive domains and building of cloned websites imitating official government or transportation portals; maintaining hosting infrastructure, often behind content delivery networks or proxy services such as Cloudflare to obscure the origin of the operation and maintain anonymity.
  • Traffic distribution: Handling of large-scale SMS delivery, frequently leveraging SMS spoofing or bulk messaging services to make the sender appear as a trusted or official entity.
  • Data harvesting: Collecting and exploiting stolen information, including payment card details, personal data, and authentication credentials, for direct fraud or resale in underground markets.

Conclusion

The rise of scams like this one in Serbia shows how easily attackers can exploit public trust in government services. By mimicking official road authorities and using technical tricks to hide from security systems, fraudsters have built an effective machine for stealing payment details.

This campaign also shows something worth noting: it carries signs of both Darcula and Phoenix, two separate PhaaS platforms, working within the same operation. Defenders should not assume that one campaign means one platform. Fraudsters can now mix and match tools from different kits, showing just how accessible these platforms have become.

Whether you are an individual or part of an organization, staying alert, verifying sources directly, and questioning unexpected requests for payment remain your best defenses. Urgency and official-looking messages are red flags, no matter which platform is behind them.

Recommendations

  • Never click on links sent via SMS claiming you owe a fine or fee. Instead, go directly to the official government website by typing the address manually and verify whether any outstanding fine exists through official channels.
  • Be suspicious of urgent warnings that demand immediate action. Smishing messages are designed to pressure victims into paying before they stop to think.
  • Check the sender: official government authorities do not demand urgent payment through unsolicited SMS links.
  • Look for domain red flags. Fraudulent domains associated with this campaign use uncommon TLDs such as [.]top, [.]icu, [.]cc, and [.]homes.
  • Triple check before entering any payment information online. If you have already submitted card details on a suspicious page, contact your bank immediately to dispute charges and request a replacement card.
  • Government agencies and public sector organizations should regularly publish alerts about active impersonation campaigns, share examples of fraudulent messages, and maintain a clear public reporting channel.
  • Employ a brand protection service that actively monitors for fake domains and fraudulent pages impersonating your organization, such as Group-IB’s Digital Risk Protection Platform.
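As an added example (not from the post or from Group-IB's tooling), the following Python triage function applies the domain red flags above to candidate hostnames: it measures how close each registrable label is to the brand label, spots the brand used as a subdomain of an unrelated registrable domain, and weights the TLDs listed above. The official domain, the brand label and the candidate list are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

BRAND_LABEL = "putevi-srbije"           # assumed legitimate second-level label
LEGITIMATE_DOMAIN = "putevi-srbije.rs"  # assumed official domain
# TLDs named as red flags above, plus .help, which also appeared in this campaign.
SUSPICIOUS_TLDS = {"top", "icu", "cc", "homes", "help"}
MAX_EDITS = 3  # labels this close to the brand are treated as lookalikes

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two DNS labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage_domain(host_or_url: str) -> dict:
    """Score one candidate host the way a brand-monitoring feed would."""
    host = (urlsplit(host_or_url).hostname or host_or_url).lower().strip(".")
    if host == LEGITIMATE_DOMAIN or host.endswith("." + LEGITIMATE_DOMAIN):
        return {"host": host, "verdict": "legitimate", "reasons": []}
    labels = host.split(".")
    if len(labels) < 2:
        return {"host": host, "verdict": "no-match", "reasons": []}
    tld, sld, subs = labels[-1], labels[-2], labels[:-2]
    reasons = []
    d = edit_distance(sld, BRAND_LABEL)
    if d <= MAX_EDITS:
        reasons.append(f"registrable label '{sld}' is {d} edit(s) from '{BRAND_LABEL}'")
    for sub in subs:  # brand used as a subdomain of an unrelated registrable domain
        if edit_distance(sub, BRAND_LABEL) <= MAX_EDITS:
            reasons.append(f"brand-like subdomain '{sub}' sits under '{sld}.{tld}'")
    if tld in SUSPICIOUS_TLDS:
        reasons.append(f"'.{tld}' is a TLD this campaign relies on")
    verdict = "likely-impersonation" if len(reasons) >= 2 else ("review" if reasons else "no-match")
    return {"host": host, "verdict": verdict, "reasons": reasons}

# Constructed candidates for illustration; not indicators taken from the blog.
CANDIDATES = ["putevi-srbije.rs", "https://putevi-srbijexy.homes/fine",
              "putevi-srbije-rs.help", "putevi-srbije.qwerty.homes", "example.com"]

def triage_all(candidates=CANDIDATES) -> dict:
    return {r["host"]: r["verdict"] for r in map(triage_domain, candidates)}
```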

Frequently Asked Questions (FAQ)

What is Phishing-as-a-Service (PhaaS)?


Phishing-as-a-Service (PhaaS) is a scalable, subscription-based cybercrime model that lowers the technical barrier to entry for threat actors. By using a PhaaS, cybercriminals can rapidly deploy fraudulent campaigns and replicate proven attack workflows with minimal technical overhead.

It is a similar operating model to Ransomware-as-a-Service (RaaS), which you can read more about on the Group-IB Knowledge Hub.

What is notable about this campaign?


Indications that two separate PhaaS platforms, Darcula and Phoenix, were used in a single operation demonstrate that fraudsters are now able to mix and match tools from different vendors.

Who are the targets of this phishing scheme?


Fraudsters behind this scheme primarily target Serbian road users by impersonating the Serbian road transport authority and sending fake traffic fine notifications through SMS phishing.

How are victims affected?


Victims tricked into paying the fake fine through the phishing website have their banking card and payment data stolen. This data can be used to incur other fraudulent charges or sold on the dark web.

Group-IB Fraud Matrix

Phishing Balkans - Fraud Matrix

Indicators of Compromise (IOCs)

Darcula connected


Phoenix connected


DISCLAIMER: All technical information, including malware analysis, indicators of compromise and infrastructure details provided in this publication, is shared solely for defensive cybersecurity and research purposes. Group-IB does not endorse or permit any unauthorized or offensive use of the information contained herein. The data and conclusions represent Group-IB’s analytical assessment based on available evidence and are intended to help organizations detect, prevent, and respond to cyber threats.

Group-IB expressly disclaims liability for any misuse of the information provided. Organizations and readers are encouraged to apply this intelligence responsibly and in compliance with all applicable laws and regulations.

This blog may reference legitimate third-party services such as Telegram and others, solely to illustrate cases where threat actors have abused or misused these platforms.

This material is provided for informational purposes, prepared by Group-IB as part of its own analytical investigation, and reflects recently identified threat activity.

All trademarks referenced herein are the property of their respective owners and are used solely for informational purposes, without any implication of affiliation or sponsorship.