High | Threat Update

Phishing SMS Impersonating Hacarmel Toll Road Targets Israeli Users

A phishing SMS impersonating the Hacarmel toll road claims there is an unpaid fee and urges immediate payment via a malicious link. The message aims to steal payment details and personal information.

Sunday, April 26, 2026 | Vulnios Threat Intelligence

Vulnerability Snapshot

This advisory is rated HIGH: exploitation is straightforward for a motivated attacker and impact is significant. Apply the vendor patch within your standard high-severity SLA.

Executive Summary

A new phishing campaign is targeting Israeli users via SMS, impersonating the Hacarmel Toll Road.

The message claims the recipient has an outstanding toll payment and pressures them to act immediately by either paying via the provided link or contacting the support number.

Indicators of Compromise (IOCs)

* Malicious domain: hxxps://הכרמל-m-r[.]pw/il

* Phone number: +972 52-2836XXX

* Use of urgency and financial pressure

* Generic messaging without personalized details

Attack Flow

  • Victim receives an SMS claiming an unpaid toll fee.
  • The message creates urgency, stating that failure to act may result in penalties.
  • The user is directed to a malicious payment page designed to harvest:
    * Credit card details
    * Personal information
  • Alternatively, victims may call a fraudulent number and be socially engineered.

Key Risks

* Financial theft via stolen payment details

* Identity theft through personal data collection

* Follow-up attacks using harvested information

Why This Works

* SMS messages bypass many traditional email security controls

* The use of a trusted brand (Hacarmel) increases credibility

* Shortened / unfamiliar domains reduce user suspicion

* High-pressure language pushes users to act without verification

Recommendations

For Users

* Do not click on suspicious links in SMS messages

* Verify payments only via official websites or apps

* Avoid calling numbers provided in unsolicited messages

For Organizations

* Implement SMS phishing awareness training

* Monitor for brand impersonation campaigns

* Consider mobile threat defense (MTD) solutions
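One way to act on the brand-impersonation monitoring recommendation, as an added example that is not part of the original advisory: a triage function that flags SMS links whose hostname mixes scripts inside one label or carries a brand token on a non-official host, and converts the host to the ASCII (xn--) form that DNS and proxy logs record. The allowlist host, the brand tokens and the sample messages are assumptions constructed for illustration.

```python
import re
import unicodedata

# Assumptions (not from the advisory): the allowlist host is a placeholder for the
# brand's real payment site, and the brand tokens are illustrative spellings.
OFFICIAL_HOSTS = {"pay.official-operator.example"}
BRAND_TOKENS = ("הכרמל", "carmel")
URL_RE = re.compile(r"https?://([^\s/:]+)", re.IGNORECASE)

def refang(text):
    """Undo common IOC defanging so shared indicators and raw SMS parse alike."""
    return text.replace("[.]", ".").replace("hxxp", "http")

def scripts(label):
    """Coarse script set of the letters in one DNS label, e.g. {'HEBREW', 'LATIN'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def to_log_form(host):
    """ASCII (xn--) form of a hostname, which is what DNS and proxy logs record.
    The raw punycode codec is used so mixed-direction labels are still converted."""
    return ".".join(
        label if label.isascii() else "xn--" + label.encode("punycode").decode("ascii")
        for label in host.split(".")
    )

def triage(sms):
    """Return one finding per suspicious URL host in an SMS body."""
    findings = []
    for match in URL_RE.finditer(refang(sms)):
        host = match.group(1).lower()
        if host in OFFICIAL_HOSTS:
            continue
        reasons = []
        if any(len(scripts(label)) > 1 for label in host.split(".")):
            reasons.append("mixed-script label")
        if any(token in host for token in BRAND_TOKENS):
            reasons.append("brand token on non-official host")
        if reasons:
            findings.append({"host": host, "log_form": to_log_form(host), "reasons": reasons})
    return findings

# Constructed sample messages (reserved .example domains, not real indicators).
SAMPLES = [
    "Unpaid toll fee. Pay today to avoid penalties: hxxps://הכרמל-pay[.]example/il",
    "Your receipt is ready: https://pay.official-operator.example/r/123",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(triage(sms))
```

The `log_form` value is the string to search for in resolver, proxy or MTD logs, since those record the encoded hostname rather than the Hebrew text a user sees.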


Frequently Asked Questions

What is "Phishing SMS Impersonating Hacarmel Toll Road Targets Israeli Users"?

This is a high-severity threat update from an upstream security source. It covers the affected product family and was flagged for security teams to evaluate.

Am I affected?

Affected technology is listed in the Affected Products section above. If your asset inventory contains any of them, assume in-scope until you can prove otherwise.

How urgent is the response?

High: address inside your standard high-severity SLA (typically 7 days for internet-exposed assets, 30 days for internal). Skip ahead in the queue if the host is internet-facing.

How do I remediate?

Apply the vendor patch listed in the upstream advisory linked under Sources. If the patch is not yet available, follow the vendor-supplied workaround (often a config flag or feature disable) and add detections for the published exploit pattern in your SIEM. Re-scan after the patch lands to confirm the finding clears.
