Toll scams involve criminals registering fake domains that impersonate legitimate transportation agencies in order to trick users into making fraudulent payments. Although these scams are rapidly increasing and causing significant harm, they have not been extensively studied. We present the first large-scale analysis of toll scam domains, using a newly created dataset of 67,907 confirmed scam domains, most of them registered in 2025. Our study reveals that attackers exploit permissive registrars and less common top-level domains: 86.9% of the domains are concentrated in just five non-mainstream TLDs, and 72.9% were registered through a single provider. We also identify specific registration patterns, including short bursts of activity that suggest automated, coordinated attacks, with over half of the domains registered in the first quarter of 2025. This extreme temporal clustering reflects highly synchronized campaign launches. Additionally, we build a simple predictive model that uses only domain registration data to predict which scam domains are likely to be suspended -- a proxy for confirmed abuse -- achieving 80.4% accuracy and 92.3% sensitivity. Our analysis reveals attacker strategies for evading detection -- exploiting obscure TLDs, permissive registrars, and coordinated registration bursts -- which can inform more targeted interventions by registrars, hosting providers, and security platforms. However, our results also suggest that registration metadata alone may be insufficient, and that incorporating features from domain URLs and webpage content could further improve detection.
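The concentration statistics and registration-burst detection described above can be reproduced on any WHOIS/RDAP export. The script below is an added example, not code from the paper; the sample records are constructed for illustration and do not come from the authors' dataset, and the feature vector it builds (TLD share, registrar share, burst size) is one plausible metadata-only input for a suspension predictor, not the authors' model. Burst detection here is a simple per-registrar gap-based clustering: consecutive registrations through the same registrar no more than `window` apart form one cluster.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records (illustrative only, not drawn from the paper's
# dataset). Each tuple mirrors the registration metadata a WHOIS/RDAP lookup
# exposes: (domain, registrar, creation timestamp in UTC).
SAMPLE_RECORDS = [
    ("ezpass-tollpay.top",   "RegistrarA", "2025-02-10T03:14:05Z"),
    ("ezpass-tollpay.xyz",   "RegistrarA", "2025-02-10T03:14:09Z"),
    ("tollroad-notice.top",  "RegistrarA", "2025-02-10T03:14:12Z"),
    ("sunpass-billing.vip",  "RegistrarA", "2025-02-10T03:14:20Z"),
    ("fastrak-pay.cfd",      "RegistrarA", "2025-03-02T11:00:00Z"),
    ("tollpay-center.com",   "RegistrarB", "2025-03-05T09:30:00Z"),
    ("paytolls-online.top",  "RegistrarB", "2025-03-05T09:30:40Z"),
    ("ipass-toll.xyz",       "RegistrarC", "2025-04-15T16:45:00Z"),
]


def parse_ts(ts):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def tld_of(domain):
    """Public-suffix handling is out of scope here; take the last label."""
    return domain.rsplit(".", 1)[-1].lower()


def concentration(records, key, top_n):
    """Return the top_n values of `key` and the fraction of records they cover.

    This is the statistic behind claims such as "86.9% of domains sit in five
    TLDs" or "72.9% were registered through one provider".
    """
    counts = Counter(key(r) for r in records)
    top = counts.most_common(top_n)
    covered = sum(c for _, c in top)
    return top, covered / len(records)


def find_bursts(records, window=timedelta(seconds=60), min_size=3):
    """Cluster registrations per registrar by consecutive creation-time gaps.

    Consecutive registrations through one registrar at most `window` apart
    join the same cluster; clusters of at least `min_size` domains are
    returned. Near-simultaneous bulk registration through a single registrar
    is the fingerprint of scripted, coordinated campaign launches.
    """
    by_registrar = defaultdict(list)
    for domain, registrar, ts in records:
        by_registrar[registrar].append((parse_ts(ts), domain))

    bursts = []
    for registrar, items in by_registrar.items():
        items.sort()
        cluster = [items[0]]
        for prev, cur in zip(items, items[1:]):
            if cur[0] - prev[0] <= window:
                cluster.append(cur)
            else:
                if len(cluster) >= min_size:
                    bursts.append((registrar, [d for _, d in cluster]))
                cluster = [cur]
        if len(cluster) >= min_size:
            bursts.append((registrar, [d for _, d in cluster]))
    return bursts


def registration_features(records, window=timedelta(seconds=60)):
    """Per-domain feature vector built from registration metadata only.

    Features: share of the dataset on the domain's TLD, share on its
    registrar, and the size of the registration burst it belongs to (1 if it
    stands alone). These are hypothetical inputs for a metadata-only
    suspension predictor; no classifier is trained here.
    """
    n = len(records)
    tld_counts = Counter(tld_of(d) for d, _, _ in records)
    reg_counts = Counter(r for _, r, _ in records)
    burst_size = {}
    # min_size=1 returns every cluster, so each domain appears exactly once.
    for _, domains in find_bursts(records, window=window, min_size=1):
        for d in domains:
            burst_size[d] = len(domains)
    return {
        d: {
            "tld_share": tld_counts[tld_of(d)] / n,
            "registrar_share": reg_counts[r] / n,
            "burst_size": burst_size.get(d, 1),
        }
        for d, r, _ in records
    }


if __name__ == "__main__":
    top_tlds, tld_share = concentration(SAMPLE_RECORDS, lambda r: tld_of(r[0]), 2)
    print("top TLDs:", top_tlds, f"cover {tld_share:.1%}")
    top_regs, reg_share = concentration(SAMPLE_RECORDS, lambda r: r[1], 1)
    print("top registrar:", top_regs, f"cover {reg_share:.1%}")
    for registrar, domains in find_bursts(SAMPLE_RECORDS):
        print(f"burst via {registrar}: {len(domains)} domains, gaps <= 60s")
    for d, f in registration_features(SAMPLE_RECORDS).items():
        print(d, f)
```

On real data the window and `min_size` thresholds need tuning against a benign baseline (legitimate bulk registrations by brand-protection vendors also cluster), and `tld_of` should be replaced by a public-suffix-aware split so that `co.uk`-style suffixes are not miscounted.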