Fake Traffic Ticket Portals Target Personal, Credit Card Data


A highly sophisticated phishing campaign is targeting Canadian drivers by impersonating provincial traffic bureaus. This new wave of attacks uses “SEO poisoning” to trick search engines into ranking fake websites above legitimate government portals.

The campaign forces victims through a deceptive “waiting room” experience before harvesting their sensitive Personally Identifiable Information (PII) and credit card details.

The attackers have successfully manipulated search engine results to make their fraudulent sites appear trustworthy.

In late 2025, search queries such as “traffic ticket search portal government of Canada” returned malicious domains among the top results, ranking as high as second place on major search engines.

These sites use URLs that mimic legitimate provincial codes, such as /on/ for Ontario or /ab/ for Alberta, to further deceive users.

When a victim clicks one of these links, they are taken to a central landing page that redirects them to a province-specific sub-page.

These pages are designed to perfectly match the branding of local agencies in Ontario, Quebec, British Columbia, Alberta, Manitoba, and Saskatchewan.

The “Waiting Room” and “Heartbeat”

Unlike simple phishing sites, this campaign employs a sophisticated technical kit designed to control the victim’s experience in real-time.

A key feature is the “waiting room” tactic. When a user lands on the site, their browser begins sending polling requests to the attacker’s server every two seconds.

This allows the attacker to hold the victim on a loading screen and manually decide their fate. Depending on the server’s response code, the user can be redirected to different pages, such as an SMS interception page for status code ‘9’ or a multi-factor authentication (MFA) page for status code ‘81’.

Additionally, the sites maintain a “heartbeat” function. This script pings the attacker’s server every second to confirm that the victim is currently active on the page.

This live feedback loop ensures that the attackers know exactly when a user is ready to be manipulated, allowing for a seamless and high-pressure theft process.

The Data Theft Flow

The attack follows a ruthless, multi-stage process to extract maximum value from the victim. First, the user is asked to enter a license plate number.

All entered data is intercepted via JavaScript and asynchronously sent (POSTed) to a backend controller located at ../ipanel/inc/action.php rather than to any legitimate government server.

Once engaged, the site demands extensive personal data, including the victim’s name, home address, email, phone number, and date of birth.

To create urgency, the portal then displays a fabricated “ticket amount”, typically a small, believable sum like $55.00. Finally, the victim is directed to a payment page where their credit card number, expiry date, and CVV are harvested.

The campaign relies on a cluster of domains registered primarily in late November 2025 through the registrar MAT BAO CORPORATION.

All identified domains are hosted on the single IP address 198.23.156.130 and consistently use the word “ticket” in their hostnames.
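The polling, heartbeat and backend-POST behaviour described above leaves a recognisable pattern in web proxy logs. The script below is an added example, not part of the original report or of any vendor tooling: it takes the indicators the report gives (the shared hosting IP, the ../ipanel/inc/action.php controller path, “ticket” in the hostname) plus the timing of the waiting-room polls and flags matching traffic. The log format, client addresses, the /on/poll endpoint and all hostnames are constructed for the demo and are not from the report.

```python
"""Flag proxy-log traffic matching the fake traffic-ticket kit described above."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Indicators from the write-up: shared hosting IP, backend controller path,
# "ticket" hostnames. Log format, hostnames and paths below are constructed.
KIT_IP = "198.23.156.130"
KIT_BACKEND = re.compile(r"/ipanel/inc/action\.php$")
LINE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+) (\S+)$")  # ts client method host ip path

SAMPLE_LOG = """\
2025-11-28T10:00:00 10.0.0.5 GET ticket-search.example 198.23.156.130 /on/
2025-11-28T10:00:02 10.0.0.5 GET ticket-search.example 198.23.156.130 /on/poll
2025-11-28T10:00:04 10.0.0.5 GET ticket-search.example 198.23.156.130 /on/poll
2025-11-28T10:00:06 10.0.0.5 GET ticket-search.example 198.23.156.130 /on/poll
2025-11-28T10:00:08 10.0.0.5 GET ticket-search.example 198.23.156.130 /on/poll
2025-11-28T10:00:09 10.0.0.5 POST ticket-search.example 198.23.156.130 /ipanel/inc/action.php
2025-11-28T10:00:00 10.0.0.7 GET tickets.benign.example 203.0.113.10 /search
2025-11-28T10:00:05 10.0.0.7 GET tickets.benign.example 203.0.113.10 /search
"""

def parse(log):
    # Yield (timestamp, client, method, host, dest_ip, path) for well-formed lines.
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts, client, method, host, ip, path = m.groups()
            yield datetime.fromisoformat(ts), client, method, host, ip, path

def detect(log, min_polls=4, max_interval=2.5):
    """Return sorted finding strings: kit hosts, backend POSTs, and regular beaconing."""
    findings = set()
    series = defaultdict(list)
    for ts, client, method, host, ip, path in parse(log):
        if "ticket" in host.lower() and ip == KIT_IP:
            findings.add(f"kit-host {host}")
        if method == "POST" and KIT_BACKEND.search(path):
            findings.add(f"backend-post {client}->{host}{path}")
        series[(client, host, path)].append(ts)
    for (client, host, path), times in series.items():
        if len(times) < min_polls:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Waiting-room polls (~2 s) and heartbeats (~1 s) give near-constant short gaps.
        if statistics.pstdev(gaps) < 0.25 and statistics.mean(gaps) <= max_interval:
            findings.add(f"beacon {client}->{host}{path} every {statistics.mean(gaps):.1f}s")
    return sorted(findings)
```

The beacon rule is the portable part: it keys on the kit's timing rather than on domains or IPs, which the operators can rotate at will.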
