chat
expand_more

New Travel Scam Variant Targets Tourists Traveling to Canada

Abnormal Security recently identified a scam aimed at the Canadian electronic travel authorization (eTA) program, which bears a striking resemblance to a long-standing fraud scheme described in our post from several weeks ago targeting TSA travel program applicants.
December 14, 2021

Abnormal Security recently identified a scam aimed at the Canadian electronic travel authorization (eTA) program, which bears a striking resemblance to a long-standing fraud scheme described in our post from several weeks ago targeting TSA travel program applicants.

Canadian visa application phishing attempt email

Canadian Visa program-themed phishing email.

Discovering the Canadian Visa Phishing Attempt

On December 1, 2021, Abnormal intercepted the above email sent to a VIP recipient, reminding them that their Canada visa application had not been submitted and remained incomplete. Although both the sending domain and the one listed in the signature block have the appearance of quasi-legitimacy, the website canada-visa-online[.]org uses the theme "eTA Canada Electronic Travel Authorization" while the real version of the page says "Government of Canada." The sending email address info[@]official-canada-visa.org is the same as the contact email listed on the bottom of the imitation website at canada-visa-online[.]org.

Fake Canadian visa phishing site

Landing page for canada-visa-online.org.

The Canadian eTA approval system is an entry requirement for visa-exempt United States citizens and other foreign travelers entering by air, although various exemptions exist for mode of entry and country of origin. The application process can be completed online and electronically links the record to the traveler's passport. Applying costs $7 CAD (about $5.50 USD) to file and typically takes several days to be approved, although Immigration, Refugees, and Citizenship (IRCC) Canada advises travelers to apply before purchasing a plane ticket. All of this can be done at official Canadian government websites using a ".ca" top-level domain, similar to ".gov" in the United States.

Although the scam website appears to offer sufficiently detailed information about the travel requirement program, some of the instructions stick out as odd, like the references to paying the filing fee via PayPal. If you remember, this was the preferred payment method for the other travel fraudsters we covered.

Canadian visa payment method

Payment methods listed on canada-visa-online.org.

Additionally, the fraudulent website is harder to read and understand than Canada's legitimate site, undoubtedly by design. Another identical version of this scam page exists at canada-visa-gov.org, although nothing appears to be hosted at the official-canada-visa.org domain used to send the email.

Canadian visa phishing paypal order summary

Order summary page with PayPal payment.

This fraudulent website makes no distinction between itself and the legitimate Canadian authorities and offers its service for a whopping $99 application fee. After the travel applicant completes the detailed application specifying their place of birth, passport number, date of birth, and address, the scam service displays an order summary of the information entered with payment available via PayPal or credit card, which is processed by PayPal. This time, the merchant name is not displayed in the payment box, and the hopeful travel applicant has no insight into where their money has been sent.

Block Credential Phishing Emails

The Fraudsters Behind the Canadian Visa Scam

The domains used for this scam are hosted at the IP address 67[.]227[.]191[.]40, which also hosts an interesting mix of websites using similar international travel themes. Some appear to have been active since 2019.

Domains we’ve linked to this group include the following:

  • canada-visa-gov[.]org
  • canada-visa-online[.]org
  • elevendimension-funds[.]com
  • host.indiaonlinevisa[.]in
  • i-visa[.]org
  • india-e-visa[.]in
  • india-knowlege[.]in
  • india-visa-online[.]com
  • india-visa-online[.]org
  • indiaonlinevisa[.]in
  • ivisango[.]com
  • new-zealand-visa.co[.]nz
  • new-zealand-visa[.]org
  • official-india-visa[.]com
  • official-turkey-visa[.]org
  • us-visa-esta[.]org
  • www.canada-visa-online[.]org
  • www.india-e-visa[.]in
  • www.india-knowlege[.]in
  • www.india-visa-online[.]com
  • www.us-visa-esta[.]org

No additional information is available on what the actors actually do with the sensitive personally identifiable information (PII) they collect. Still, we can hypothesize that it is likely not being used to apply for Canadian travel authorization.

Unfortunately, those that use this website to apply will likely never know that their money and information have been stolen—at least until they realize they never received their visa or worse, are denied entry into Canada upon arrival.

New Travel Scam Variant Targets Tourists Traveling to Canada

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Get AI Protection for Your Human Interactions

Protect your organization from socially-engineered email attacks that target human behavior.
Request a Demo
Request a Demo

Related Posts

B AI Vendor
Learn how to evaluate transparency, risks, scalability, and ethical considerations to make informed cybersecurity decisions.
Read More
B SOC Prod
Learn how AI-driven automation boosts SOC productivity by reducing false positives, addressing skills gaps, and enhancing threat detection. Discover strategies to future-proof your SOC and strengthen cybersecurity defenses.
Read More
B Proofpoint Customer Story F500 Insurance Provider
A Fortune 500 insurance provider blocked 6,454 missed attacks and saved 341 SOC hours per month by adding Abnormal to address gaps left by Proofpoint.
Read More
B Malicious AI Platforms Blog
What happened to WormGPT? Discover how AI tools like WormGPT changed cybercrime, why they vanished, and what cybercriminals are using now.
Read More
B MKT748 Open Graph Images for Cyber Savvy 7
Explore insights from Brian Markham, CISO at EAB, as he discusses cybersecurity challenges, building trust in education, adapting to AI threats, and his goals for the future. Learn how he and his team are working to make education smarter while prioritizing data security.
Read More
B Manufacturing Industry Attack Trends Blog
New data shows a surge in advanced email attacks on manufacturing organizations. Explore our research on this alarming trend.
Read More