Phishing in the Balkans: Fake Traffic Fines, Real Losses
An active SMS phishing campaign targets Serbian road users by impersonating Putevi Srbije, Serbia's state road authority. Victims receive text messages claiming they have unpaid traffic fines with urgent payment demands. The fraudulent links lead to cloned government websites designed to steal payment card details. The infrastructure employs JavaScript-based obfuscation techniques to evade automated security scanners and uses disposable domains with uncommon TLDs. Technical analysis reveals connections to both Darcula and Phoenix Phishing-as-a-Service platforms, indicating fraudsters are combining tools from multiple PhaaS vendors. The operation demonstrates coordinated roles including infrastructure setup, SMS distribution, and data harvesting. Similar campaigns have targeted victims globally across government bodies, postal services, and financial institutions.
AI Analysis
Technical Summary
This threat involves a coordinated SMS phishing (smishing) campaign focused on Serbian road users, impersonating Putevi Srbije, the national road authority. The attackers send fraudulent messages claiming unpaid traffic fines, directing victims to cloned government websites to harvest payment card information. The phishing infrastructure employs JavaScript-based obfuscation techniques to avoid automated security scanners and uses numerous disposable domains with uncommon top-level domains. Technical analysis links the operation to multiple Phishing-as-a-Service platforms, specifically Darcula and Phoenix, indicating a combination of tools and roles such as infrastructure setup, SMS distribution, and data harvesting. The campaign is part of a broader trend of phishing attacks targeting government bodies, postal services, and financial institutions worldwide.
Potential Impact
Victims risk financial loss due to theft of payment card details after interacting with the fraudulent websites. The campaign undermines trust in legitimate government communications and may lead to broader financial fraud. The use of obfuscation and disposable domains complicates detection and mitigation efforts.
Mitigation Recommendations
No official patch or fix applies as this is a phishing campaign. Defenders should block and monitor the listed malicious domains to prevent access. Public awareness campaigns targeting Serbian road users can reduce victimization. Security teams should update spam and phishing filters to detect messages impersonating Putevi Srbije. Since this is not a software vulnerability, remediation focuses on user education and domain blocking.
Affected Countries
Serbia
Indicators of Compromise
- domain: entry.target
- domain: puteva.cc
- domain: putevi-srbbqfije.com
- domain: putevi-srbije.help
- domain: putevi-srbije.icu
- domain: putevi-srbijeaf.help
- domain: putevi-srbijeag.help
- domain: putevi-srbijeah.help
- domain: putevi-srbijeah.homes
- domain: putevi-srbijeba.homes
- domain: putevi-srbijebc.homes
- domain: putevi-srbijezt.homes
- domain: putevi-srbile.help
- domain: putevi-srbtrfije.com
- domain: putevie-srbije.help
- domain: putevii-srbije.help
- domain: putevis-srbbije.top
- domain: putevis-srbiiossje.top
- domain: putevismetc.cc
- domain: putevissdeoetc.top
- domain: putevisteetc.cc
- domain: putevs.cc
- domain: putevti-srbije.help
- domain: putevi-srbije.gbgwsq.homes
- domain: putevi-srbije.xkuckx.homes
Phishing in the Balkans: Fake Traffic Fines, Real Losses
Description
An active SMS phishing campaign targets Serbian road users by impersonating Putevi Srbije, Serbia's state road authority. Victims receive text messages claiming they have unpaid traffic fines with urgent payment demands. The fraudulent links lead to cloned government websites designed to steal payment card details. The infrastructure employs JavaScript-based obfuscation techniques to evade automated security scanners and uses disposable domains with uncommon TLDs. Technical analysis reveals connections to both Darcula and Phoenix Phishing-as-a-Service platforms, indicating fraudsters are combining tools from multiple PhaaS vendors. The operation demonstrates coordinated roles including infrastructure setup, SMS distribution, and data harvesting. Similar campaigns have targeted victims globally across government bodies, postal services, and financial institutions.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This threat involves a coordinated SMS phishing (smishing) campaign focused on Serbian road users, impersonating Putevi Srbije, the national road authority. The attackers send fraudulent messages claiming unpaid traffic fines, directing victims to cloned government websites to harvest payment card information. The phishing infrastructure employs JavaScript-based obfuscation techniques to avoid automated security scanners and uses numerous disposable domains with uncommon top-level domains. Technical analysis links the operation to multiple Phishing-as-a-Service platforms, specifically Darcula and Phoenix, indicating a combination of tools and roles such as infrastructure setup, SMS distribution, and data harvesting. The campaign is part of a broader trend of phishing attacks targeting government bodies, postal services, and financial institutions worldwide.
Potential Impact
Victims risk financial loss due to theft of payment card details after interacting with the fraudulent websites. The campaign undermines trust in legitimate government communications and may lead to broader financial fraud. The use of obfuscation and disposable domains complicates detection and mitigation efforts.
Mitigation Recommendations
No official patch or fix applies as this is a phishing campaign. Defenders should block and monitor the listed malicious domains to prevent access. Public awareness campaigns targeting Serbian road users can reduce victimization. Security teams should update spam and phishing filters to detect messages impersonating Putevi Srbije. Since this is not a software vulnerability, remediation focuses on user education and domain blocking.
Affected Countries
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.group-ib.com/blog/balkans-fake-traffic-fines-phishing/"]
- Adversary
- null
- Pulse Id
- 6a4545d3f23bbaf07db98a73
- Threat Score
- null
Indicators of Compromise
Domain
| Value | Description | Copy |
|---|---|---|
domainentry.target | — | |
domainputeva.cc | — | |
domainputevi-srbbqfije.com | — | |
domainputevi-srbije.help | — | |
domainputevi-srbije.icu | — | |
domainputevi-srbijeaf.help | — | |
domainputevi-srbijeag.help | — | |
domainputevi-srbijeah.help | — | |
domainputevi-srbijeah.homes | — | |
domainputevi-srbijeba.homes | — | |
domainputevi-srbijebc.homes | — | |
domainputevi-srbijezt.homes | — | |
domainputevi-srbile.help | — | |
domainputevi-srbtrfije.com | — | |
domainputevie-srbije.help | — | |
domainputevii-srbije.help | — | |
domainputevis-srbbije.top | — | |
domainputevis-srbiiossje.top | — | |
domainputevismetc.cc | — | |
domainputevissdeoetc.top | — | |
domainputevisteetc.cc | — | |
domainputevs.cc | — | |
domainputevti-srbije.help | — | |
domainputevi-srbije.gbgwsq.homes | — | |
domainputevi-srbije.xkuckx.homes | — |
Threat ID: 6a4b7e2227e9c7971947a2b6
Added to database: 07/06/2026, 10:06:26 UTC
Last enriched: 07/06/2026, 10:21:33 UTC
Last updated: 07/06/2026, 20:52:47 UTC
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.