A new phishing scheme is targeting Canadian residents by creating counterfeit portals for traffic ticket payments, aiming to steal both personal and financial information. This campaign employs sophisticated tactics to appear credible to unsuspecting users.
Deceptive Techniques and SEO Poisoning
Cybercriminals are using SEO poisoning to alter search engine outcomes, making their fake websites appear legitimate when individuals search for provincial ticket payment websites. These fraudulent sites impersonate official Canadian government portals from provinces like British Columbia, Ontario, and Quebec, leading users to input sensitive data under false pretenses.
The fraudulent activity often starts with individuals receiving text messages or encountering misleading advertisements about unpaid traffic fines. These communications contain links that redirect victims to bogus payment portals designed to mimic government websites, complete with official logos and design elements to foster trust.
Research Findings and Attack Mechanisms
Experts from Unit 42 have identified this scheme as part of a larger fraud operation spanning multiple domain names. The attackers use an advanced phishing kit featuring a fake “waiting room” to simulate the processing of genuine ticket information, thereby enhancing the scam’s credibility.
Over seventy domains linked to a single IP address have been identified, all aimed at collecting personal and payment card data from victims. The phishing infrastructure is strategically deployed across specific subnet ranges, notably the 45.156.87.0/24 network block. The domains are systematically generated using keywords like “ticket,” “traffic,” and “violation.”
Data Collection and Security Advice
The phishing process involves multiple stages, beginning with a validation phase where users enter ticket numbers, which are accepted regardless of accuracy. Subsequently, victims are led to a payment section where comprehensive personal and financial details are requested, including credit card information.
Unlike legitimate services that redirect to secure banking sites, these fraudulent portals directly capture all entered data, granting attackers immediate access to conduct unauthorized transactions. Users are advised to verify ticket legitimacy by directly accessing official government websites and enabling transaction alerts on their credit cards.
To enhance security, individuals and organizations should employ DNS filtering to block known malicious domains. Regularly monitoring credit card statements for unauthorized transactions is also recommended.
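One defensive check that follows from the indicators above (the keyword-built domain names, the 45.156.87.0/24 block, and the DNS-filtering advice), as an added Python example that is not from the article or from Unit 42: it scans resolver log lines for names containing those keywords that resolve into the subnet and derives a deny list for a DNS filter. The log format and every hostname and address in the sample are constructed.

```python
import ipaddress
import re
# Indicators taken from the article: the /24 hosting the kit and the keywords
# the attackers reuse when generating domain names.
SUSPECT_NET = ipaddress.ip_network("45.156.87.0/24")
KEYWORDS = ("ticket", "traffic", "violation")
# Constructed resolver log (timestamp, client, queried name, A record answer);
# every hostname and address below is invented for illustration.
SAMPLE_LOG = """\
2024-05-01T10:02:11 10.0.0.12 query pay-traffic-ticket-bc.example A 45.156.87.23
2024-05-01T10:02:15 10.0.0.12 query www.gov-portal.example A 198.51.100.7
2024-05-01T10:03:40 10.0.0.31 query violation-payment-qc.example A 45.156.87.101
2024-05-01T10:04:02 10.0.0.31 query ticket-news.example A 203.0.113.9
2024-05-01T10:05:19 10.0.0.44 query cdn.example A 45.156.87.200
"""
LINE_RE = re.compile(r"^(\S+) (\S+) query (\S+) A (\S+)$")

def parse_line(line):
    """Return (timestamp, client, name, answer_ip), or None if the line is not a query."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None

def classify(name, answer_ip):
    """List the indicators a single resolution trips: 'keyword', 'subnet', or both."""
    reasons = []
    if any(k in name.lower() for k in KEYWORDS):
        reasons.append("keyword")
    try:
        if ipaddress.ip_address(answer_ip) in SUSPECT_NET:
            reasons.append("subnet")
    except ValueError:
        pass  # answer was not an IP address (e.g. a placeholder for NXDOMAIN)
    return reasons

def find_suspicious(log_text, require_both=False):
    """Return [(name, answer_ip, reasons)] for resolutions that trip an indicator;
    require_both=True keeps only keyword names resolving into the subnet."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, _, name, ip = parsed
        reasons = classify(name, ip)
        if len(reasons) == 2 or (reasons and not require_both):
            hits.append((name, ip, reasons))
    return hits

def blocklist(log_text):
    """Deduplicated names meeting both indicators, ready for a DNS filter deny list."""
    return sorted({name for name, _, _ in find_suspicious(log_text, require_both=True)})
```

Single-indicator hits (a keyword alone, or the subnet alone) are worth reviewing by hand; only names that trip both go straight onto the deny list.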
