New Travel Scam Variant Targets Tourists Traveling to Canada
Abnormal Security recently identified a scam aimed at the Canadian electronic travel authorization (eTA) program, which bears a striking resemblance to a long-standing fraud scheme described in our post from several weeks ago targeting TSA travel program applicants.
Discovering the Canadian Visa Phishing Attempt
On December 1, 2021, Abnormal intercepted the above email sent to a VIP recipient, reminding them that their Canada visa application had not been submitted and remained incomplete. Although both the sending domain and the one listed in the signature block have the appearance of quasi-legitimacy, the website canada-visa-online[.]org uses the theme "eTA Canada Electronic Travel Authorization" while the real version of the page says "Government of Canada." The sending email address info[@]official-canada-visa.org is the same as the contact email listed on the bottom of the imitation website at canada-visa-online[.]org.
The Canadian eTA approval system is an entry requirement for visa-exempt United States citizens and other foreign travelers entering by air, although various exemptions exist for mode of entry and country of origin. The application process can be completed online and electronically links the record to the traveler's passport. Applying costs $7 CAD (about $5.50 USD) to file and typically takes several days to be approved, although Immigration, Refugees, and Citizenship (IRCC) Canada advises travelers to apply before purchasing a plane ticket. All of this can be done at official Canadian government websites using a ".ca" top-level domain, similar to ".gov" in the United States.
Although the scam website appears to offer sufficiently detailed information about the travel requirement program, some of the instructions stick out as odd, like the references to paying the filing fee via PayPal. If you remember, this was the preferred payment method for the other travel fraudsters we covered.
Additionally, the fraudulent website is harder to read and understand than Canada's legitimate site, undoubtedly by design. Another identical version of this scam page exists at canada-visa-gov.org, although nothing appears to be hosted at the official-canada-visa.org domain used to send the email.
This fraudulent website makes no distinction between itself and the legitimate Canadian authorities and offers its service for a whopping $99 application fee. After the travel applicant completes the detailed application specifying their place of birth, passport number, date of birth, and address, the scam service displays an order summary of the information entered with payment available via PayPal or credit card, which is processed by PayPal. This time, the merchant name is not displayed in the payment box, and the hopeful travel applicant has no insight into where their money has been sent.
The Fraudsters Behind the Canadian Visa Scam
The domains used for this scam are hosted at the IP address 67[.]227[.]191[.]40, which also hosts an interesting mix of websites using similar international travel themes. Some appear to have been active since 2019.
Domains we’ve linked to this group include the following:
No additional information is available on what the actors actually do with the sensitive personally identifiable information (PII) they collect. Still, we can hypothesize that it is likely not being used to apply for Canadian travel authorization.
Unfortunately, those that use this website to apply will likely never know that their money and information have been stolen—at least until they realize they never received their visa or worse, are denied entry into Canada upon arrival.
See the Abnormal Solution to the Email Security Problem
Protect your organization from the full spectrum of email attacks with Abnormal.