Canadian Authorities Warn of Sophisticated Phishing Wave Impersonating Traffic Fines, CRA, Canada Post, and Air Canada

As Canadian citizens increasingly depend on digital platforms for transportation services, taxation, parcel delivery, and travel, threat actors are actively exploiting this reliance through high-fidelity impersonation campaigns. These operations mimic trusted government bodies and national brands to harvest personal and financial data at scale.

CloudSEK identified multiple interconnected fraud clusters leveraging narratives related to:

  • Traffic ticket enforcement and fine payments
  • Tax refunds
  • Airline booking and modification portals
  • Postal delivery and redelivery alerts

A significant portion of this activity aligns with the PayTool phishing ecosystem, a well-established fraud framework specializing in traffic violation and fine payment scams that primarily target Canadians through SMS-based social engineering (smishing).

Parallel infrastructure was also observed impersonating Canada Revenue Agency, Air Canada, and Canada Post, indicating a broader and more coordinated fraud operation that reuses common design patterns and backend logic.

Additionally, the investigation uncovered active commercialization of these campaigns on underground forums, where threat actors sell specialized phishing kits designed to mimic official Canadian government services and banking portals.


Modus Operandi

Initial Lure Techniques

Victims are primarily targeted through:

  • SMS messages (smishing)
  • Malicious advertisements
  • SEO poisoning and typosquatted domains

The messages use high-pressure psychological tactics, alleging:

  • Unpaid traffic fines
  • Failed parcel deliveries
  • Airline booking or payment errors

These messages impersonate authoritative and trusted entities such as PayBC, CRA, Canada Post, and Air Canada. To increase perceived legitimacy, attackers frequently use:

  • URL shorteners
  • Typosquatted or keyword-rich domains

Fake Validation Phase

Upon clicking the link, victims are not immediately asked for sensitive data. Instead, they are directed to a “fake validation” stage, which requests inputs such as:

  • Ticket numbers
  • Booking references
  • Account or license identifiers

These fields accept virtually any value and perform no real verification. Their sole purpose is to:

  • Create an illusion of legitimacy
  • Mimic official procedural workflows
  • Psychologically prime victims to trust the process

Fraudulent Payment Gateway

After the validation step, the site transitions to a fraudulent payment page. These gateways are visually indistinguishable from legitimate payment processors but are engineered to harvest:

  • Personally Identifiable Information (PII)
  • Credit card numbers and CVV codes
  • Banking and Interac e-Transfer credentials

Analysis of Observed Infrastructure and Campaigns

Traffic Ticket & Fine Payment Impersonation

The dominant theme across multiple clusters is the impersonation of Canadian traffic enforcement and fine payment services. This activity strongly aligns with the known PayTool ecosystem, which traditionally targets:

  • Provincial traffic fines
  • Parking violations
  • Toll and roadway payments

However, this campaign expands beyond provincial portals by introducing a federal-style “Traffic Ticket Search Portal” that aggregates multiple provinces under a single interface.


Federal-Style Portal Simulation

Unlike basic phishing pages, this infrastructure simulates a centralized “Government of Canada” portal, where users can select their province (Alberta, British Columbia, Ontario, Quebec, Manitoba, Saskatchewan, etc.) to search for outstanding violations.

This mirrors legitimate Canadian federal service design patterns and significantly strengthens the illusion of authenticity.

Key findings include:

  • 70+ domains resolving to 198[.]23[.]156[.]130
  • Direct impersonation of canada.ca
  • Use of provincial logos and a “Traffic Ticket Search Portal – Government of Canada” banner

Operational Advantages for Threat Actors

This design serves three primary purposes:

  1. Trust Centralization
    A federal-level interface reduces suspicion and conditions users to trust the platform.
  2. Scalability Across Provinces
    A single template supports rapid deployment of province-specific scams.
  3. Consistency with PayTool Patterns
    The workflow closely mirrors legitimate portals such as PayBC and ServiceOntario.

Domain Pattern Observations

Domains associated with this cluster follow highly systematic naming conventions, centered around keywords such as:

  • ticket
  • traffic
  • portal
  • search
  • violation
  • infraction
  • offence
  • citation

These patterns strongly suggest automated bulk domain generation rather than organic registration.


PayTool Infrastructure Alignment

This campaign represents a direct conceptual evolution of the PayTool ecosystem.

Key Infrastructure Blocks

  • Payment phishing kits: Hosted primarily on 45[.]156[.]87[.]0/24
  • High-density central node: 45[.]156[.]87[.]145

Key IP Relationships

  • 45[.]156[.]87[.]145
  • 45[.]156[.]87[.]131
  • 45[.]156[.]87[.]143
  • 45[.]156[.]87[.]213

Passive DNS analysis shows this infrastructure simultaneously supports phishing domains for multiple provinces, allowing attackers to scale campaigns efficiently.


Provincial Targeting Examples

British Columbia (PayBC)

  • paytool-bc-2025[.]com
  • bc-infraction[.]com
  • paybc-portal[.]live

Ontario (ServiceOntario)

  • ontarioticketpay[.]live
  • ontario-paytool-2025[.]com
  • serviceon-ticket[.]live

Quebec / Montreal

  • ville-montreal-pay[.]com
  • amende-enligne-qc[.]com
  • a25pont-laval[.]com

Generic Fallback Domains

Relationship data from 162[.]243[.]100[.]252 and the 45[.]156[.]87[.]0/24 subnet reveals a long tail of generic infraction domains, including:

  • parking-portal[.]live
  • overdueticketinfraction[.]info

These domains act as fallback infrastructure, allowing attackers to rapidly rotate traffic when province-specific domains are flagged or blacklisted.


Canada Post Parcel & Redelivery Phishing

A subset of domains impersonating Canada Post was identified. Although inactive at the time of investigation, passive DNS and reputation signals indicate a parcel delivery scam campaign.

Common Keywords

  • redeliver
  • handling
  • parcel
  • canpost / capost

These domains cluster around the same hosting providers used in PayTool campaigns, reinforcing the pattern of brand trust exploitation using disposable domains.


Air Canada Impersonation & Typosquatting

A distinct campaign branch targets Air Canada using:

  • SEO poisoning
  • Typosquatted domains

Observed Domain Patterns

  • aircanda-booking[.]com (character omission)
  • air-canaada-booking[.]com (character duplication)
  • airscanada-booking[.]com (character substitution)
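The keyword-driven naming described under Domain Pattern Observations and the three typosquat variants listed above are both mechanical enough to score automatically. The following is an added example written for this page, not CloudSEK's tooling: it refangs a domain, compares every hyphen-joined segment against the impersonated brands with an edit distance of one (which covers omission, duplication and substitution in a single rule), counts the report's keywords and risky TLDs, and returns the reasons behind the score. The brand spellings, weights, threshold and the allowlist entry aircanada.com are assumptions; canada.ca is taken from the report.

```python
import re

# Keyword families the report lists for the traffic-fine and Canada Post
# clusters; "paytool" is added because it appears in the observed domains.
FINE_KEYWORDS = {"ticket", "traffic", "portal", "search", "violation",
                 "infraction", "offence", "citation", "paytool"}
PARCEL_KEYWORDS = {"redeliver", "handling", "parcel", "canpost", "capost"}
# Impersonated brands from the report, flattened to the spelling used for matching.
BRANDS = {"aircanada", "canadapost", "paybc", "serviceontario"}
RISKY_TLDS = {"live", "info"}  # the TLDs the mitigation section singles out
# Constructed allowlist: canada.ca is on the page, aircanada.com is assumed
# to be the airline's genuine domain.
ALLOWLIST = {"canada.ca", "aircanada.com"}

KEYWORD_WEIGHT, TLD_WEIGHT, YEAR_WEIGHT = 2, 1, 1
BRAND_VERBATIM_WEIGHT, TYPOSQUAT_WEIGHT = 3, 4
FLAG_THRESHOLD = 3  # assumed cut-off for an analyst review queue


def refang(domain: str) -> str:
    """Convert the report's defanged form (example[.]com) back into a hostname."""
    return domain.replace("[.]", ".").strip().lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance: one omission, duplication or substitution each costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def segment_joins(label: str):
    """Yield every contiguous join of hyphen-separated segments, so that
    air-canaada-booking also yields 'aircanaada' for brand comparison."""
    parts = label.split("-")
    for i in range(len(parts)):
        for j in range(i + 1, len(parts) + 1):
            yield "".join(parts[i:j])


def score_domain(domain: str) -> dict:
    """Score one domain and list the signals that contributed."""
    host = refang(domain)
    if host in ALLOWLIST:
        return {"domain": host, "score": 0, "reasons": ["allowlisted"], "flagged": False}
    reasons, score = [], 0
    labels = host.split(".")
    tld = labels[-1]
    sld = labels[-2] if len(labels) > 1 else labels[0]
    flat = sld.replace("-", "")

    # Brand match: exact reuse of the brand, or one edit away from it.
    for brand in sorted(BRANDS):
        for candidate in segment_joins(sld):
            distance = levenshtein(candidate, brand)
            if distance == 0:
                reasons.append(f"brand '{brand}' used verbatim")
                score += BRAND_VERBATIM_WEIGHT
                break
            if distance == 1:
                reasons.append(f"typosquat of '{brand}' ('{candidate}')")
                score += TYPOSQUAT_WEIGHT
                break
    # Lure vocabulary from the report's keyword lists.
    for keyword in sorted(FINE_KEYWORDS | PARCEL_KEYWORDS):
        if keyword in flat:
            reasons.append(f"keyword '{keyword}'")
            score += KEYWORD_WEIGHT
    if tld in RISKY_TLDS:
        reasons.append(f"risky TLD '.{tld}'")
        score += TLD_WEIGHT
    # Year stamps such as paytool-bc-2025 appear in the observed domains.
    if re.search(r"20\d\d", sld):
        reasons.append("year-stamped label")
        score += YEAR_WEIGHT
    return {"domain": host, "score": score, "reasons": reasons,
            "flagged": score >= FLAG_THRESHOLD}


if __name__ == "__main__":
    for sample in ("aircanda-booking[.]com", "ontarioticketpay[.]live",
                   "paytool-bc-2025[.]com", "canada.ca"):
        print(score_domain(sample))
```

Feed it a daily newly-registered-domain feed or certificate-transparency stream rather than the report's own indicators; the French-language Quebec lures on the page (amende, ville-montreal) show that the keyword list needs a per-language extension before it is useful outside English-language clusters.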

FOFA analysis revealed:

  • Identical favicon hashes matching the official Air Canada website
  • Replicated page titles
  • Deliberate cloning of legitimate branding assets

Why Airlines Are Targeted

  • Users expect to enter payment details
  • Fees and modifications provide a natural pretext
  • Travel deadlines reduce skepticism

Underground Forum Activity & PhaaS Model

Intelligence from dark web forums confirms the operation follows a Phishing-as-a-Service (PhaaS) model.

A threat actor using the alias “theghostorder01” is actively selling phishing kits that impersonate:

  • Ontario Driver’s License renewal
  • Banks
  • Cryptocurrency platforms
  • Government services
  • E-commerce brands

Key Observations

  • Advertised harvesting of PII, Interac credentials, and card data
  • Sales and support via Telegram
  • Inability to demonstrate backend infrastructure
  • Vague explanations of data exfiltration

Despite this, barriers to entry are now low due to:

  • GenAI-assisted backend scripting
  • API-based exfiltration to bots and messaging platforms

Threat Actor Profile

  • Active since: 2024
  • Status: ACTIVE
  • Reputation: 0
  • Rating: Medium
  • Payment Methods: USDT (TRC-20), Bitcoin

Crypto Assets (USDT):
TWNCawkk3NbPZsY6mdnog8Sn7rS2vue95d

Crypto Assets (Bitcoin):
bc1qvhxkqujf347apsgy65ffykste0jy6txhgejhm048ukrys7cm6d3q2v4ze7


Impact & Risk Assessment

  • Mass Data Compromise: PII, credit cards, Interac credentials
  • Erosion of Public Trust: Abuse of CRA, Canada Post, Air Canada, PayBC, ServiceOntario
  • Sector Diversification: Government, postal, airline fraud
  • Reputational & Regulatory Risk: For impersonated organizations

Mitigation Recommendations

  • Proactive domain monitoring for typosquatting and keyword-based registrations
  • Block newly registered domains and suspicious TLDs (.live, .info)
  • Enforce DNS and web gateway controls against known PayTool IP ranges
  • Public awareness campaigns emphasizing that payments are not requested via SMS
  • Threat-intel-driven detection using favicon hashes and page title reuse
  • Encourage access only through official bookmarked portals
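The FOFA findings in the Air Canada section (identical favicon hashes and replicated page titles) and the favicon-hash detection bullet above rest on the same computation: a favicon is base64-encoded with a line break every 76 characters and the text is run through MurmurHash3, giving the 32-bit signed value that Shodan exposes as http.favicon.hash. This added example, not part of the report, implements that hash in plain Python (no mmh3 dependency) and uses it to flag crawled pages whose favicon or title matches a reference set; FOFA's icon_hash is assumed to use the same construction, and the favicon bytes, titles and allowlist are constructed stand-ins.

```python
import base64

# Constructed stand-ins for favicon files: a 4-byte ICO header plus filler.
# In practice the reference bytes would be fetched from the genuine site.
OFFICIAL_FAVICONS = {
    "Air Canada": b"\x00\x00\x01\x00" + b"constructed-aircanada-icon" * 4,
}
OFFICIAL_TITLES = {"Air Canada": "Air Canada - constructed reference title"}
ALLOWLIST = {"aircanada.com"}  # assumed genuine host, exempt from matching


def murmurhash3_x86_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 as a signed 32-bit int (the mmh3.hash convention)."""
    c1, c2, mask = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF
    h1 = seed & mask
    n = len(data)
    blocks = n - (n & 3)
    for i in range(0, blocks, 4):  # full 4-byte blocks, little-endian
        k1 = int.from_bytes(data[i:i + 4], "little")
        k1 = (k1 * c1) & mask
        k1 = ((k1 << 15) | (k1 >> 17)) & mask
        k1 = (k1 * c2) & mask
        h1 ^= k1
        h1 = ((h1 << 13) | (h1 >> 19)) & mask
        h1 = (h1 * 5 + 0xE6546B64) & mask
    tail = data[blocks:]
    if tail:  # 1-3 trailing bytes, same little-endian packing as the reference
        k1 = int.from_bytes(tail, "little")
        k1 = (k1 * c1) & mask
        k1 = ((k1 << 15) | (k1 >> 17)) & mask
        k1 = (k1 * c2) & mask
        h1 ^= k1
    h1 ^= n
    h1 ^= h1 >> 16  # finalisation mix
    h1 = (h1 * 0x85EBCA6B) & mask
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & mask
    h1 ^= h1 >> 16
    return h1 - (1 << 32) if h1 & 0x80000000 else h1


def favicon_hash(favicon: bytes) -> int:
    """Shodan-style favicon hash: base64.encodebytes inserts the newline every
    76 characters (plus a trailing one) that the scheme hashes over."""
    return murmurhash3_x86_32(base64.encodebytes(favicon))


REFERENCE_HASHES = {brand: favicon_hash(icon) for brand, icon in OFFICIAL_FAVICONS.items()}


def check_page(host: str, favicon: bytes, title: str) -> list:
    """Return the brand-cloning signals a crawled page exhibits."""
    findings = []
    if host.lower() in ALLOWLIST:
        return findings
    h = favicon_hash(favicon)
    for brand, ref in REFERENCE_HASHES.items():
        if h == ref:
            findings.append(f"favicon hash {h} matches {brand}")
    for brand, ref_title in OFFICIAL_TITLES.items():
        if title.strip().lower() == ref_title.lower():
            findings.append(f"page title replicates {brand}")
    return findings


if __name__ == "__main__":
    clone = OFFICIAL_FAVICONS["Air Canada"]  # constructed: cloned asset
    print(check_page("airscanada-booking.com", clone, OFFICIAL_TITLES["Air Canada"]))
    print(check_page("aircanada.com", clone, OFFICIAL_TITLES["Air Canada"]))
```

Once the reference hash for a brand is known, the same value can be pivoted on in Shodan or FOFA to enumerate every host serving that icon, which is how a blocklist for the impersonated brand gets populated ahead of the next domain rotation.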

Conclusion

This investigation highlights a significant evolution in phishing campaigns targeting Canadians. Threat actors are moving beyond generic scams and deploying highly localized, context-aware impersonation campaigns across government and commercial sectors.

The presence of phishing kit vendors on underground forums confirms this activity is fully commoditized, ensuring sustained campaign longevity.

As these attacks rely on urgency and institutional trust, continuous vigilance, infrastructure monitoring, and user education remain critical.


Indicators of Compromise (IoCs)

IP Addresses

45[.]156[.]87[.]145
45[.]156[.]87[.]131
45[.]156[.]87[.]143
45[.]156[.]87[.]213
198[.]23[.]156[.]130
162[.]243[.]100[.]252
192[.]109[.]138[.]183
209[.]141[.]50[.]110
3[.]99[.]171[.]190
15[.]223[.]72[.]181
35[.]183[.]85[.]238
3[.]97[.]15[.]116
35[.]183[.]132[.]238
35[.]182[.]194[.]55
3[.]96[.]139[.]96
15[.]156[.]206[.]92
3[.]97[.]9[.]55
99[.]79[.]60[.]130