Canadian citizens are currently facing a sophisticated phishing campaign designed to steal their personal and financial information through fraudulent traffic ticket payment portals. Attackers are employing search engine optimization (SEO) poisoning techniques to ensure these deceptive websites appear prominently in search results when individuals look for ways to pay provincial traffic fines. This tactic makes it difficult for users to distinguish between legitimate government services and malicious operations.
The scam preys on individuals who have received text messages or seen online advertisements falsely claiming they have unpaid traffic violations. These communications often contain shortened URLs or typosquatted domain names that redirect unsuspecting victims to counterfeit payment portals. The fraudulent websites are meticulously designed to mimic official provincial traffic bureaus, incorporating provincial logos and official-looking layouts to build trust and a false sense of legitimacy.
Phishing Kit Infrastructure and Attack Mechanics
Researchers from Unit 42 have identified this campaign as part of a larger fraud network that spans numerous domains. The perpetrators are utilizing a specialized phishing kit that includes a deceptive “waiting room” feature. This element creates the illusion that the system is genuinely processing a traffic ticket search, further enhancing the scam’s credibility before it harvests sensitive data. Over seventy malicious domains have been found to resolve to a single IP address, all engineered to capture personally identifiable information (PII) and credit card details from victims.
The attackers have established a multi-stage phishing infrastructure, with many of the malicious domains hosted on specific subnet ranges, notably the 45.156.87.0/24 network block. The naming conventions of these domains frequently include terms such as “ticket,” “traffic,” “portal,” and “violation,” indicating an automated approach to domain generation. This allows them to quickly create new domains to circumvent detection.
The initial phase of the phishing kit involves a “validation” step. Here, victims are prompted to enter their ticket numbers or booking identifiers. The system is designed to accept any input, creating a false sense of legitimacy by appearing to locate a record. Once this step is completed, the victim is seamlessly transitioned to the fraudulent payment gateway.
In the payment section of the fake portal, victims are asked to provide comprehensive personal details: full names, residential addresses, email addresses, phone numbers, and dates of birth. Following the collection of this PII, the final stage of the attack requests complete credit card information, including card numbers, expiration dates, and CVV security codes. Unlike legitimate payment processors, which redirect users to secure banking gateways for payment authorization, these fraudulent websites directly capture all entered information, giving the attackers immediate access to financial credentials for unauthorized transactions.
The sophisticated nature of this campaign, particularly the use of SEO poisoning and advanced phishing kits, highlights the evolving tactics employed by cybercriminals. Authorities and cybersecurity experts are urging the public to exercise extreme caution when dealing with traffic ticket notifications, especially those received via text message or through unsolicited online advertisements. Verifying the legitimacy of any traffic ticket or fine by directly navigating to official government websites, rather than clicking on links provided in suspicious communications, is paramount. Enabling transaction alerts on credit cards and regularly monitoring financial statements can also provide early warnings of fraudulent activity. For organizations, implementing DNS filtering against known malicious domains is a crucial step in protecting their networks and users from such threats.
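As an added example (not from the original report or Unit 42), the following Python script shows how a defender might turn the two infrastructure traits described above, the 45.156.87.0/24 block and the keyword-heavy domain names, into a simple triage rule over DNS resolver logs, and how to surface the "many domains, one IP" clustering. The log format, the host 45.156.87.10, and all other addresses and names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Subnet named in the report; keyword set drawn from the naming conventions it describes.
SUSPECT_NET = ipaddress.ip_network("45.156.87.0/24")
KEYWORDS = ("ticket", "traffic", "portal", "violation")

# Constructed sample resolver log, one query per line: "<ts> <client> <qname> <answer_ip>".
# The host 45.156.87.10 and every other value here are made up, not reported indicators.
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.5 traffic-ticket-portal.example 45.156.87.10
2024-05-01T10:00:04 10.0.0.7 pay-violation-ticket.example 45.156.87.10
2024-05-01T10:00:09 10.0.0.5 ticketportal-online.example 45.156.87.10
2024-05-01T10:01:00 10.0.0.9 www.example.org 203.0.113.5
2024-05-01T10:01:30 10.0.0.3 traffic.example.net 198.51.100.20
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def keyword_hits(qname):
    """Count distinct campaign-style keywords in a domain name (case-insensitive)."""
    name = qname.lower()
    return sum(1 for k in KEYWORDS if k in name)

def analyse(log_text, min_keywords=2, min_cluster=3):
    """Return (flagged_domains, clusters): names answered from SUSPECT_NET or carrying
    at least `min_keywords` keywords, plus answer IPs that serve `min_cluster` or more
    distinct keyword-bearing names (the many-domains-one-IP pattern)."""
    flagged = set()
    by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        _ts, _client, qname, answer = m.groups()
        try:
            ip = ipaddress.ip_address(answer)
        except ValueError:
            continue  # non-IP answer field (e.g. NXDOMAIN marker)
        hits = keyword_hits(qname)
        if ip in SUSPECT_NET or hits >= min_keywords:
            flagged.add(qname)
        if hits >= 1:
            by_ip[str(ip)].add(qname)
    clusters = {ip: sorted(names) for ip, names in by_ip.items() if len(names) >= min_cluster}
    return sorted(flagged), clusters
```

The flagged list is a starting point for a DNS block list; the cluster output is the signal to review, since a single address answering for many ticket-themed names is the pattern the report describes, while a lone keyword such as "traffic" is not enough on its own.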