TSA PreCheck Scam Dupes Travelers into Paying Excess Fees

November 18, 2021

In March 2021, the Better Business Bureau (BBB) issued a scam alert describing misleading websites that claimed to offer victims TSA PreCheck, Global Entry, or NEXUS application services but instead charged the consumer $140. This was followed up in July by a consumer alert from the New Hampshire Attorney General’s Office. Additional reporting from later that month indicated at least one of these scam websites was a paid Google ad appearing in the top search result for “TSA Pre-Check.”

TSA Phishing Email Leads to Renewal Application

On November 9, 2021, we identified an unusual phishing email that claimed to be from “Immigration Visa and Travel,” inviting the recipient to renew their membership in the TSA PreCheck program. While the email wasn’t sent from a .gov domain, the average consumer might not immediately reject it as a scam, particularly because it had the term “immigrationvisaforms” in the domain. The email instructed the user to renew their membership at a quasi-legitimate-looking website.

[Image: TSA PreCheck scam email]

The email provides instructions on how to renew the TSA application, and the website URL appears to be a TSA PreCheck Application Service. A disclaimer at the top clarifies that this website has nothing to do with the Department of Homeland Security (DHS) or the TSA, and it is displayed in white text over a busy photo of an airport security line. The application is featured at the top of the page, with the pesky information clarifying the $139.99 additional fee for their “services” listed well below. And if the applicant scrolled to the very bottom of the page, they would read the following disclaimer:

“We are not the United States government or associated with it. There are no guarantees you will be granted a known traveler number by the government. We try to make sure everything is submitted correctly to eliminate rejections from submission errors.”

[Image: TSA scam email application]

Continuing to use the “application,” an applicant flips through several screens, entering contact and personal information, including all previous names, place of birth, passport number, criminal history, and all addresses from the past five years. The user is then allowed to select their first and second choice cities for a security interview, providing general windows of time when interviews are and are not available.

When certifying that the application is correct, the instructions indicate processing the application may take several weeks, providing the expectation that the user would be contacted to finalize their interview schedule. The instructions also clarify that two fees are necessary to submit an application, one to PayPal upon submission of the application and another $85 fee—the actual cost for a PreCheck membership—to be paid at the interview.

[Image: TSA scam certification payment screen]

After agreeing to the terms and conditions, an applicant selects if the application is for initial approval or renewal.

[Image: TSA scam terms and conditions screen]

Finally, a user is led to the final payment screen where they are instructed to make a $139.99 payment to APPLICATION CONSULTING OOD for “Low Risk Traveler Service item #: APS-TSA” through PayPal. Because when purchasing federal services there is usually only one option, and you must use PayPal, right?

[Image: TSA scam PayPal payment page]

Sadly, this was where our experiment ended, and we were informed our payment had been unsuccessful. We were assured that our application would be processed once the payment was received, and we would get an email once it had been submitted to the United States government.

The refund policy page for the website explicitly discourages filing a dispute or issuing a chargeback, promising that it would only add a two-week delay to any possible refund.

[Image: TSA scam fake refund policy page]

The contact information provided on the refund page uses info@airportprescreening.com and an address also associated with an accounting firm named Doherty & Associates, located in Wilmington, Delaware, whose website appears inactive and currently redirects to another site. The bad actors may be using another random address, or the accounting firm itself may have been the victim of a breach. It's interesting to note that similar email addresses were present on other travel program websites created by this fraud group, which uses the pattern info@[domain.com] when providing a contact email on their websites.

Behind the TSA Scam: IVT Services, Inc.

The domain from which the original TSA PreCheck renewal email was sent looks like a generic copy of a customer service WordPress website. In this case, IVT is attempting to appear as the controlling business for this venture. Our original phishing email was signed by Dolores Green, “IVT Applications Manager.” The copyright at the bottom of the immigrationvisaforms.com website provides the company name IVT Services Inc and registered address 5301 Limestone Rd, Wilmington, DE 19808—a multistory business park building.

Add the subdomain “usa.”, and you will see somewhat familiar-looking copywriting and formatting for a website, this time claiming to assist with applications for the NEXUS travel program between the United States and Canada. This group uses this subdomain tactic more than once.

[Image: NEXUS card renewal scam website]

A quick Google search located another website using the exact same disclaimer: "We are not the United States government or associated with it." WHOIS records indicate that the domain was registered with the email address fastvisasassessoria@gmail.com.

[Image: TSA scam webpage Google search result]

The email address fastvisasassessoria@gmail.com was located in WHOIS information and passive DNS records for nine domains.

The websites themselves were registered between August 2020 and October 2021 and feature a very similar structure, targeting Global Entry, NEXUS, SENTRI, and FAST travel program applicants.

Interestingly, the first domains registered using fastvisasassessoria@gmail.com used the top-level domain “.com.br”. In November 2017, the small travel business Immi Solutions was registered in Brazil by Renato Teodoro Gabeta using the same email address. The listing also provided the WhatsApp phone number (19) 99280-8240 as the contact for the business, as well as an address located in a Sao Paulo high-rise condominium.

Performing a reverse IP address lookup for 69.16.204.17, associated with one of our original domains, links 153 travel program domains and subdomains. Between the email address and the IP address, 30 domains were identified in total.
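The pivoting described above (shared registrant email, shared disclaimer text, shared hosting IP) can be expressed as a graph expansion from one seed domain. This is an added example, not code from the original post: every record below is constructed with placeholder domains and documentation IP addresses, and treating a shared IP as a weak link that needs a travel-program keyword in the name is this example's assumption.

```python
from collections import defaultdict, deque

# Constructed records: placeholder domains and attributes, not data from the article.
RECORDS = {
    "seed-forms.example":     {"email": "reg@mail.example", "ip": "192.0.2.10", "disclaimer": "d1"},
    "usa.seed-forms.example": {"email": None, "ip": "192.0.2.10", "disclaimer": "d1"},
    "easy-nexus.example":     {"email": "reg@mail.example", "ip": "192.0.2.20", "disclaimer": "d1"},
    "sentri-pass.example":    {"email": None, "ip": "192.0.2.20", "disclaimer": None},
    "bakery.example":         {"email": None, "ip": "192.0.2.10", "disclaimer": None},
}
STRONG, WEAK = ("email", "disclaimer"), ("ip",)   # assumption: shared hosting is weak evidence
KEYWORDS = ("precheck", "nexus", "sentri", "global", "visa", "traveler")

def expand(seed, records):
    """Breadth-first expansion from seed; returns {domain: why it was linked}."""
    index = defaultdict(set)
    for dom, attrs in records.items():
        for key, val in attrs.items():
            if val:
                index[(key, val)].add(dom)
    cluster, queue = {seed: "seed"}, deque([seed])
    while queue:
        dom = queue.popleft()
        for key in STRONG + WEAK:
            val = records[dom].get(key)
            for other in sorted(index.get((key, val), ())):
                if other in cluster:
                    continue
                # A shared IP alone also matches unrelated tenants of the same host.
                if key in WEAK and not any(k in other for k in KEYWORDS):
                    continue
                cluster[other] = f"{key} shared with {dom}"
                queue.append(other)
    return cluster
```

Recording the reason for each link keeps the cluster auditable: any domain that joined only through the IP pivot can be re-checked by hand before it is blocked.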

Domains we’ve linked to this group include the following:


Also Behind the TSA Scam: Application Consulting

Application Consulting OOD is a Bulgarian IT service business that offers data processing and hosting and was allegedly created in 2017. The only two executives listed for the company are Dimitar Atanasov Atanasov and Elizabet Gomersal. While we're unsure how Application Consulting is connected to IVT Services, it's clear that they are both involved in this TSA PreCheck scam.

[Image: TSA scam Bulgarian IT business Application Consulting logo]

On October 22, 2021, Application Consulting OOD posted on several Bulgarian job search websites that they were looking for a fully remote IT administrator. The post describes the company as a small operation of about 25 people. Starting salary is 1000 Bulgarian Lev (about $580 USD) for the three-month trial period, and then doubles to their normal salary of 2000 Bulgarian Lev, which is about $1160 USD. The address listed for the business specifies that they are located on the 4th floor, in apartment 7 in Varna, Bulgaria.

From the description, it appears their primary business needs are the creation and management of websites using WordPress, which integrates with PayPal. Something about that seems very familiar…

[Image: Application Consulting IT administrator job description]

TSA PSA

This is not the first time this scam has appeared, and it's not likely to be the last. Travelers can always apply for TSA PreCheck via the official website tsa.gov/precheck or the DHS website universalenroll.dhs.gov. Note that “First time applicants for the TSA PreCheck program are not asked to provide payment information online,” according to the TSA website. During their initial application, they “cannot pay the enrollment or application fee online,” and must complete their application and “pay in-person” to finish the application process. The TSA website provides advice on what to do if you believe you have been victimized by this scam.

For information on actual costs and details of all United States Trusted Traveler Programs, the official DHS website provides links to apply directly. The site contains links to contact TSA Support for assistance with PreCheck, and Customs & Border Protection (CBP) Support for Global Entry, NEXUS, SENTRI, and FAST programs.

While this scam mostly targets consumers, organizations that pay for or reimburse employees for TSA PreCheck and related services should be wary of these emails reaching employee inboxes. As business travel resumes around the world, organizations should provide this information to employees as an added precaution, before these Bulgarian cybercriminals can take advantage.
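For mail teams, the traits described in this post (a trusted-traveler program named in the message, a sender and links outside .gov, a PayPal payment request, the "not the United States government" disclaimer) can be turned into a simple triage check. This is an added example, not code from the original post or from any product: the rules are assumptions, and the sample addresses and hosts are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Program names and the disclaimer wording come from the article; the rules are assumptions.
PROGRAMS = re.compile(r"pre-?check|global entry|\bnexus\b|\bsentri\b", re.I)
DISCLAIMER = re.compile(r"not the united states government", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def is_gov(host):
    """True only if the host sits under the gov TLD (tsa.gov.x.example does not)."""
    return (host or "").lower().rstrip(".").endswith(".gov")

def triage(raw):
    """Return reasons to distrust a message that mentions a trusted-traveler program."""
    msg = message_from_string(raw)
    body = "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in msg.walk() if p.get_content_type() == "text/plain")
    text = f"{msg.get('Subject', '')}\n{body}"
    if not PROGRAMS.search(text):
        return []                      # out of scope for this check
    reasons = []
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not is_gov(sender_host):
        reasons.append(f"sender not .gov: {sender_host}")
    for host in sorted({urlparse(u).hostname or "" for u in URL.findall(body)}):
        if not is_gov(host):
            reasons.append(f"link not .gov: {host}")
    if re.search(r"paypal", text, re.I):
        reasons.append("requests PayPal payment")
    if DISCLAIMER.search(text):
        reasons.append("carries non-government disclaimer")
    return reasons

# Constructed samples: the addresses and hosts below are placeholders, not from the article.
SCAM = """From: "Immigration Visa and Travel" <renewals@traveler-forms.example>
Subject: Renew your TSA PreCheck membership
Content-Type: text/plain

Renew at https://usa.traveler-forms.example/precheck or
https://tsa.gov.traveler-forms.example/renew and pay the fee with PayPal.
"""
LEGIT = """From: TSA <notices@tsa.gov>
Subject: TSA PreCheck renewal reminder
Content-Type: text/plain

Renew at https://www.tsa.gov/precheck
"""
```

The host check compares the end of the hostname, so a name that merely contains "tsa.gov" as a leading label is still flagged, as is a "usa." subdomain of a commercial domain.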
