Canadian citizens are facing a coordinated phishing campaign that leverages government impersonation and brand spoofing to harvest personal and financial data at scale.
The campaign is heavily aligned with PayTool, a known phishing-as-a-service ecosystem specializing in traffic violation scams targeting Canadians via SMS.
Beyond traffic fines, threat actors are impersonating Canada Revenue Agency (CRA), Air Canada, and Canada Post, signaling a broader, coordinated operation reusing common design templates and infrastructure.
Victims receive SMS messages and malicious advertisements using high-pressure tactics unpaid fines, failed deliveries, or booking errors. URLs leverage shorteners and typosquatted domains to appear legitimate.
Upon clicking, users enter a “fake validation” phase, requesting ticket numbers or booking references that accept any input value and perform no actual verification.
Security researchers at CloudSEK identified multiple fraud clusters exploiting traffic enforcement, tax refunds, airline bookings, and parcel delivery services all sectors where Canadians routinely exchange sensitive information online.
This trust-building step precedes a fraudulent payment gateway designed to harvest personally identifiable information (PII), banking credentials, and payment data.
The sophistication lies not in complexity but in psychological manipulation victims believe they are interacting with official services.
Infrastructure Analysis
Over 70 websites resolved to IP address 198.23.156.130, impersonating canada.ca as a “Traffic Ticket Search Portal – Government of Canada.”
This federal-level framing reduces victim suspicion while allowing rapid scalability across provinces. Domain patterns show systematic naming conventions (ticket, traffic, portal, search, violation, infraction) indicating bulk automation rather than organic creation.
| Province | Observed Domains |
|---|---|
| British Columbia | paytool-bc-2025[.]com, bc-infraction[.]com |
| Ontario | ontarioticketpay[.]live, ontario-paytool-2025[.]com |
| Quebec | ville-montreal-pay[.]com, amende-enligne-qc[.]com |
The 45.156.87.0/24 subnet hosts payment phishing infrastructure, with key nodes at 45.156.87.145, 45.156.87.131, and 45.156.87.143.
When specific provincial domains are blacklisted, threat actors rotate traffic to generic fallback domains (parking-portal[.]live, overdueticketinfraction[.]info) to maintain campaign continuity.
Air Canada impersonation exploits typosquatting and SEO poisoning through character omission (aircanda-booking[.]com), duplication, and substitution.
These sites replicate favicon hashes and page titles from legitimate Air Canada infrastructure, intercepting users who mistype domains or click malicious ads.
Mitigations
Threat actor ‘theghostorder01’ actively sells phishing kits on dark web forums, advertising capability to harvest names, addresses, banking credentials, and Interac e-Transfer logins.
During the interaction, the seller was unable to demonstrate any server-side data handling or hosted infrastructure.
The actor facilitates sales via Telegram channels, accepting USDT (TRC-20) and Bitcoin payments.
When questioned about data capture infrastructure, the seller provided vague responses about email delivery.
This suggests minimal technical sophistication on the seller’s side, with buyers leveraging generative AI tools to script backend logic and real-time data exfiltration via APIs a capability requiring minimal technical skill.
Organizations must enforce proactive domain monitoring for keyword-based typosquatting and initiate rapid takedowns.
DNS and web gateways should block suspicious TLDs (.live, .info) and known PayTool IP ranges. Public awareness campaigns should emphasize that government agencies and airlines do not request sensitive data via SMS links.
Users should access services only through official bookmarked portals rather than links in messages or advertisements.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.