New Travel Scam Variant Targets Tourists Traveling to Canada

December 14, 2021

Abnormal Security recently identified a scam aimed at the Canadian electronic travel authorization (eTA) program. It bears a striking resemblance to the long-standing fraud scheme targeting TSA travel program applicants that we described in a post several weeks ago.


Canadian Visa program-themed phishing email.

Discovering the Canadian Visa Phishing Attempt

On December 1, 2021, Abnormal intercepted the above email sent to a VIP recipient, reminding them that their Canada visa application had not been submitted and remained incomplete. Although both the sending domain and the domain listed in the signature block appear quasi-legitimate, the website canada-visa-online[.]org is branded "eTA Canada Electronic Travel Authorization," while the real version of the page says "Government of Canada." The sending email address info[@]official-canada-visa[.]org is the same as the contact email listed at the bottom of the imitation website at canada-visa-online[.]org.


Landing page for canada-visa-online[.]org.

The Canadian eTA approval system is an entry requirement for visa-exempt United States citizens and other foreign travelers entering by air, although various exemptions exist for mode of entry and country of origin. The application process can be completed online and electronically links the record to the traveler's passport. Filing an application costs $7 CAD (about $5.50 USD) and approval typically takes several days, and Immigration, Refugees and Citizenship Canada (IRCC) advises travelers to apply before purchasing a plane ticket. All of this can be done at official Canadian government websites using a ".ca" top-level domain, similar to ".gov" in the United States.
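The two signals described so far, a Canada travel-themed host outside the government's own domains and a sender domain that differs from the landing site, can be checked mechanically. The following is an added example, not Abnormal's detection logic; the allowlist of canada.ca and gc.ca, the function names, and both sample messages are assumptions constructed for illustration, and it handles single-part plain-text messages only.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: Government of Canada hosts sit under canada.ca or gc.ca.
OFFICIAL = ("canada.ca", "gc.ca")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def refang(text):
    """Undo the [.] / [@] defanging used in threat reports."""
    return text.replace("[.]", ".").replace("[@]", "@")

def is_official(host):
    return any(host == d or host.endswith("." + d) for d in OFFICIAL)

def is_travel_lookalike(host):
    """Non-official host whose labels combine 'canada' with 'visa' or 'eta'."""
    words = set(re.split(r"[.-]", host))
    return not is_official(host) and "canada" in words and bool(words & {"visa", "eta"})

def assess(raw_email):
    """Return sorted findings for one plain-text RFC 5322 message."""
    msg = message_from_string(refang(raw_email))
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    links = {urlsplit(u.rstrip(".,)")).hostname for u in URL_RE.findall(msg.get_payload())}
    links.discard(None)
    findings = {"lookalike:" + h for h in links | {sender} if is_travel_lookalike(h)}
    for host in links:
        # Sender and landing site on different non-official domains, as in this campaign.
        if not is_official(host) and host != sender and not host.endswith("." + sender):
            findings.add("mismatch:" + sender + "->" + host)
    return sorted(findings)

# Constructed samples; the sender and site names in PHISH are those reported on this page.
PHISH = (
    "From: Canada Visa <info[@]official-canada-visa.org>\n"
    "Subject: Your application is incomplete\n\n"
    "Finish your eTA here: https://www.canada-visa-online[.]org/\n"
)
BENIGN = (
    "From: IRCC <noreply@ircc.canada.ca>\n"
    "Subject: eTA information\n\n"
    "Apply at https://www.canada.ca/ before you book.\n"
)

if __name__ == "__main__":
    print(assess(PHISH), assess(BENIGN))
```
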


Payment instructions from canada-visa-online[.]org.

Although the scam website appears to offer sufficiently detailed information about the travel requirement program, some of the instructions stand out as odd, such as the references to paying the filing fee via PayPal. As you may recall, this was the preferred payment method for the other travel fraudsters we covered.


Payment methods listed on canada-visa-online[.]org.

Additionally, the fraudulent website is harder to read and understand than Canada's legitimate site, undoubtedly by design. Another identical version of this scam page exists at canada-visa-gov[.]org, although nothing appears to be hosted at the official-canada-visa[.]org domain used to send the email.


Order summary page with PayPal payment.

This fraudulent website makes no distinction between itself and the legitimate Canadian authorities and offers its service for a whopping $99 application fee. After the travel applicant completes the detailed application specifying their place of birth, passport number, date of birth, and address, the scam service displays an order summary of the information entered with payment available via PayPal or credit card, which is processed by PayPal. This time, the merchant name is not displayed in the payment box, and the hopeful travel applicant has no insight into where their money has been sent.

The Fraudsters Behind the Canadian Visa Scam

The domains used for this scam are hosted at the IP address 67[.]227[.]191[.]40, which also hosts an interesting mix of websites using similar international travel themes. Some appear to have been active since 2019.

Domains we’ve linked to this group include the following:


No additional information is available on what the actors actually do with the sensitive personally identifiable information (PII) they collect. Still, we can hypothesize that it is likely not being used to apply for Canadian travel authorization.

Unfortunately, those who use this website to apply will likely never know that their money and information have been stolen—at least until they realize they never received their visa or, worse, are denied entry into Canada upon arrival.
