A sophisticated phishing campaign targeting Canadian citizens has emerged, using fake traffic ticket payment portals to steal personal and financial information.
The attackers employ SEO poisoning techniques to manipulate search engine results, ensuring their fraudulent websites appear legitimate when users search for provincial traffic ticket payment options.
These malicious portals convincingly impersonate official government websites from Canadian provinces, including British Columbia, Ontario, and Quebec, tricking victims into entering sensitive data.
The scam begins when individuals receive text messages or encounter malicious advertisements claiming they have unpaid traffic fines.
These messages contain shortened URLs or typosquatted domains that redirect victims to counterfeit payment portals.
The fake websites mimic the appearance of legitimate government platforms, complete with provincial logos and official-looking designs that build trust and credibility.
Unit 42 researchers identified this campaign as part of an extensive fraud network operating across multiple domains.
The attackers utilize a specialized phishing kit that includes a deceptive “waiting room” feature, creating the illusion of processing legitimate ticket searches.
Over seventy malicious domains were discovered resolving to a single IP address, all designed to harvest personally identifiable information and payment card details from unsuspecting victims.
Phishing Kit Infrastructure and Attack Mechanics
The attackers deploy a multi-stage phishing infrastructure hosted on specific subnet ranges, particularly the 45.156.87.0/24 network block.
This operation involves creating numerous domains following naming patterns that include terms like “ticket,” “traffic,” “portal,” and “violation,” suggesting automated domain generation capabilities.
The phishing kit first presents victims with a validation phase where they enter ticket numbers or booking identifiers that accept any input, establishing false legitimacy before transitioning to fraudulent payment gateways.
Once victims proceed to the payment section, the fake portal collects comprehensive personal details including full names, addresses, email addresses, phone numbers, and birthdates.
The final stage requests complete credit card information, including card numbers, expiration dates, and CVV security codes.
Unlike legitimate payment processors that redirect to secure banking gateways, these fraudulent sites directly capture all information, allowing attackers immediate access to financial credentials for unauthorized transactions.
Users should verify traffic ticket legitimacy through official government websites by typing URLs directly rather than clicking links.
Enable transaction alerts on credit cards and monitor statements regularly. Organizations should implement DNS filtering against known malicious domains.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
