In March 2021, the Better Business Bureau (BBB) issued a scam alert describing misleading websites that claimed to offer victims TSA PreCheck, Global Entry, or NEXUS application services but instead charged the consumer $140. This was followed up in July by a consumer alert from the New Hampshire Attorney General’s Office. Additional reporting from later that month indicated at least one of these scam websites was a paid Google ad appearing in the top search result for “TSA Pre-Check.”
TSA Phishing Email Leads to Renewal Application
On November 9, 2021, we identified an unusual phishing email that claimed to be from “Immigration Visa and Travel,” inviting the recipient to renew their membership in the TSA PreCheck program. While the email wasn’t sent from a .gov domain, the average consumer might not immediately reject it as a scam, particularly because it had the term “immigrationvisaforms” in the domain. The email instructed the user to renew their membership at a quasi-legitimate-looking website.
The email provides instructions on how to renew the TSA application, and the website URL appears to be a TSA PreCheck Application Service. A disclaimer at the top clarifies that this website has nothing to do with the Department of Homeland Security (DHS) or the TSA, and it is displayed in white text over a busy photo of an airport security line. The application is featured at the top of the page, with the pesky information clarifying the $139.99 additional fee for their “services” listed well below. And if the applicant scrolled to the very bottom of the page, they would read the following disclaimer:
“We are not the United States government or associated with it. There are no guarantees you will be granted a known traveler number by the government. We try to make sure everything is submitted correctly to eliminate rejections from submission errors.”
Continuing to use the “application,” an applicant flips through several screens, entering contact and personal information, including all previous names, place of birth, passport number, criminal history, and all addresses from the past five years. The user is then allowed to select their first and second choice cities for a security interview, providing general windows of time when interviews are and are not available.
When certifying that the application is correct, the instructions indicate processing the application may take several weeks, providing the expectation that the user would be contacted to finalize their interview schedule. The instructions also clarify that two fees are necessary to submit an application, one to PayPal upon submission of the application and another $85 fee—the actual cost for a PreCheck membership—to be paid at the interview.
After agreeing to the terms and conditions, an applicant selects if the application is for initial approval or renewal.
Finally, a user is led to the final payment screen where they are instructed to make a $139.99 payment to APPLICATION CONSULTING OOD for “Low Risk Traveler Service item #: APS-TSA” through PayPal. Because when purchasing federal services there is usually only one option, and you must use PayPal, right?
Sadly, this was where our experiment ended, and we were informed our payment had been unsuccessful. We were assured that our application would be processed once the payment was received, and we would get an email once it had been submitted to the United States government.
The refund policy page for the website explicitly discourages filing a dispute or issuing a chargeback, promising that it would only add a two-week delay to any possible refund.
The contact information provided on the refund page uses firstname.lastname@example.org and an address also associated with an accounting firm named Doherty & Associates, located in Wilmington, Delaware, whose website appears inactive and currently redirects to another site. The bad actors may be using another random address, or the accounting firm itself may have been the victim of a breach. It's interesting to note that similar email addresses were present on other travel program websites created by this fraud group, which uses the pattern info@[domain.com] when providing a contact email on their websites.
Behind the TSA Scam: IVT Services, Inc.
The domain from which the original TSA PreCheck renewal email was sent looks like a generic copy of a customer service WordPress website. In this case, IVT is attempting to appear as the controlling business for this venture. Our original phishing email was signed by Dolores Green, “IVT Applications Manager.” The copyright at the bottom of the immigrationvisaforms.com website provides the company name IVT Services Inc and registered address 5301 Limestone Rd, Wilmington, DE 19808—a multistory business park building.
Add the subdomain “usa.”, and you will see somewhat familiar-looking copywriting and formatting for a website, this time claiming to assist with applications for the NEXUS travel program between the United States and Canada. This group uses this subdomain tactic more than once.
A quick Google search located another website using the exact same disclaimer: "We are not the United States government or associated with it." WHOIS records indicate that the domain was registered with the email address email@example.com.
The email address firstname.lastname@example.org was located in WHOIS information and passive DNS records for nine domains.
The websites themselves were registered between August 2020 and October 2021 and feature a very similar structure, targeting Global Entry, NEXUS, SENTRI, and FAST travel program applicants.
Interestingly, the first domains registered using email@example.com used the top-level domain “.com.br”. In November 2017, the small travel business Immi Solutions was registered in Brazil by Renato Teodoro Gabeta using the same email address. The listing also provided the WhatsApp phone number (19) 99280-8240 as the contact for the business, as well as an address located in a Sao Paulo high-rise condominium.
Performing a reverse IP address lookup for 22.214.171.124, associated with one of our original domains, links 153 travel program domains and subdomains. Between the email address and the IP address, 30 domains were identified in total.
Domains we’ve linked to this group include the following:
Also Behind the TSA Scam: Application Consulting
Application Consulting OOD is a Bulgarian IT service business that offers data processing and hosting and was allegedly created in 2017. The only two executives listed for the company are Dimitar Atanasov Atanasov and Elizabet Gomersal. While we're unsure how Application Consulting is connected to IVT Services, it's clear that they are both involved in this TSA PreCheck scam.
On October 22, 2021, Application Consulting OOD posted on several Bulgarian job search websites that they were looking for a fully remote IT administrator. The post describes the company as a small operation of about 25 people. Starting salary is 1000 Bulgarian Lev (about $580 USD) for the three-month trial period, and then doubles to their normal salary of 2000 Bulgarian Lev, which is about $1160 USD. The address listed for the business specifies that they are located on the 4th floor, in apartment 7 in Varna, Bulgaria.
From the description, it appears their primary business needs are the creation and management of websites using WordPress, which integrates with PayPal. Something about that seems very familiar…
This is not the first time this scam has appeared, and it's not likely to be the last. Travelers can always apply for TSA PreCheck via the official website tsa.gov/precheck or the DHS website universalenroll.dhs.gov. Note that “First time applicants for the TSA PreCheck program are not asked to provide payment information online,” according to the TSA website. During their initial application, they “cannot pay the enrollment or application fee online,” and must complete their application and “pay in-person” to finish the application process. The TSA website provides advice on what to do if you believe you have been victimized by this scam.
For information on actual costs and details of all United States Trusted Traveler Programs, the official DHS website provides links to apply directly. The site contains links to contact TSA Support for assistance with PreCheck, and Customs & Border Protection (CBP) Support for Global Entry, NEXUS, SENTRI, and FAST programs.
While this scam mostly targets consumers, organizations that pay for or reimburse employees for TSA PreCheck and related services should be wary of these emails reaching employee inboxes. As business travel resumes around the world, organizations should provide this information to employees as an added precaution, before these Bulgarian cybercriminals can take advantage.
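For mail teams that want to flag these lures for review, the following Python example is an added illustration, not part of the original report and not Abnormal's detection logic. It combines the traits described above: a trusted traveler program named in the message, a sender outside .gov, and links to non-.gov hosts or the quoted disclaimer wording. The function names, the scoring rule, and both sample messages (which use reserved .example domains) are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Program names taken from the article. FAST is left out: too ambiguous as a keyword.
PROGRAMS = re.compile(r"TSA\s+Pre-?Check|Global\s+Entry|\bNEXUS\b|\bSENTRI\b", re.I)
# Disclaimer wording quoted in the article, lower-cased for matching.
DISCLAIMER = "we are not the united states government or associated with it"
URL = re.compile(r"https?://[^\s\"'<>)]+", re.I)

def is_gov(host: str) -> bool:
    return host.lower().rstrip(".").endswith(".gov")

def body_text(msg) -> str:
    # Collect every text/* part so multipart messages are covered too.
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def assess(raw_email: str) -> dict:
    msg = message_from_string(raw_email)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    hosts = {urlsplit(u).hostname or "" for u in URL.findall(text)}
    non_gov = sorted(h for h in hosts if h and not is_gov(h))
    result = {
        "mentions_program": bool(PROGRAMS.search(text)),
        "sender_not_gov": not is_gov(sender),
        "non_gov_links": non_gov,
        "has_disclaimer": DISCLAIMER in " ".join(text.lower().split()),
    }
    # Heuristic for analyst review, not a block rule (assumed scoring).
    result["suspicious"] = (result["mentions_program"] and result["sender_not_gov"]
                            and bool(non_gov or result["has_disclaimer"]))
    return result

# Constructed sample messages; domains are placeholders, not indicators.
LURE = ('From: "Immigration Visa and Travel" <renewals@travel-forms.example>\n'
        "Subject: Renew your TSA PreCheck membership\n\n"
        "Renew at https://apply.travel-forms.example/tsa-renewal today.\n")
OFFICIAL = ("From: TSA <no-reply@tsa.gov>\nSubject: TSA PreCheck renewal reminder\n\n"
            "Renew at https://www.tsa.gov/precheck\n")

if __name__ == "__main__":
    for name, sample in (("lure", LURE), ("official", OFFICIAL)):
        print(name, assess(sample))
```

Legitimate travel newsletters can also match, so treat a hit as a prompt for review rather than a verdict.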
To learn more about how Abnormal detected and blocked this scam, request a demo of our platform today.