Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

Phishing in the Balkans: Fake Traffic Fines, Real Losses

0
Medium
Published: 07/01/2026 (07/01/2026, 16:52:35 UTC)
Source: AlienVault OTX General

Description

An active SMS phishing campaign targets Serbian road users by impersonating Putevi Srbije, Serbia's state road authority. Victims receive text messages claiming they have unpaid traffic fines with urgent payment demands. The fraudulent links lead to cloned government websites designed to steal payment card details. The infrastructure employs JavaScript-based obfuscation techniques to evade automated security scanners and uses disposable domains with uncommon TLDs. Technical analysis reveals connections to both Darcula and Phoenix Phishing-as-a-Service platforms, indicating fraudsters are combining tools from multiple PhaaS vendors. The operation demonstrates coordinated roles including infrastructure setup, SMS distribution, and data harvesting. Similar campaigns have targeted victims globally across government bodies, postal services, and financial institutions.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/06/2026, 10:21:33 UTC

Technical Analysis

This threat involves a coordinated SMS phishing (smishing) campaign focused on Serbian road users, impersonating Putevi Srbije, the national road authority. The attackers send fraudulent messages claiming unpaid traffic fines, directing victims to cloned government websites to harvest payment card information. The phishing infrastructure employs JavaScript-based obfuscation techniques to avoid automated security scanners and uses numerous disposable domains with uncommon top-level domains. Technical analysis links the operation to multiple Phishing-as-a-Service platforms, specifically Darcula and Phoenix, indicating a combination of tools and roles such as infrastructure setup, SMS distribution, and data harvesting. The campaign is part of a broader trend of phishing attacks targeting government bodies, postal services, and financial institutions worldwide.

Potential Impact

Victims risk financial loss due to theft of payment card details after interacting with the fraudulent websites. The campaign undermines trust in legitimate government communications and may lead to broader financial fraud. The use of obfuscation and disposable domains complicates detection and mitigation efforts.

Mitigation Recommendations

No official patch or fix applies as this is a phishing campaign. Defenders should block and monitor the listed malicious domains to prevent access. Public awareness campaigns targeting Serbian road users can reduce victimization. Security teams should update spam and phishing filters to detect messages impersonating Putevi Srbije. Since this is not a software vulnerability, remediation focuses on user education and domain blocking.

Affected Countries

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Author
AlienVault
Tlp
white
References
["https://www.group-ib.com/blog/balkans-fake-traffic-fines-phishing/"]
Adversary
null
Pulse Id
6a4545d3f23bbaf07db98a73
Threat Score
null

Indicators of Compromise

Domain

ValueDescriptionCopy
domainentry.target
domainputeva.cc
domainputevi-srbbqfije.com
domainputevi-srbije.help
domainputevi-srbije.icu
domainputevi-srbijeaf.help
domainputevi-srbijeag.help
domainputevi-srbijeah.help
domainputevi-srbijeah.homes
domainputevi-srbijeba.homes
domainputevi-srbijebc.homes
domainputevi-srbijezt.homes
domainputevi-srbile.help
domainputevi-srbtrfije.com
domainputevie-srbije.help
domainputevii-srbije.help
domainputevis-srbbije.top
domainputevis-srbiiossje.top
domainputevismetc.cc
domainputevissdeoetc.top
domainputevisteetc.cc
domainputevs.cc
domainputevti-srbije.help
domainputevi-srbije.gbgwsq.homes
domainputevi-srbije.xkuckx.homes

Threat ID: 6a4b7e2227e9c7971947a2b6

Added to database: 07/06/2026, 10:06:26 UTC

Last enriched: 07/06/2026, 10:21:33 UTC

Last updated: 07/06/2026, 20:52:47 UTC

Views: 7

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses