Canada Targeted by Fraudulent PayTool Phishing Attacks
Cybercriminals are targeting Canadian citizens through a PayTool fraud ecosystem. They impersonate trusted government services, including traffic fines, tax refunds, and parcel delivery notifications. These attackers use highly convincing fake websites to steal personal and financial information.
How the Attack Works
The attackers use SMS-based phishing (smishing) campaigns. Victims receive urgent messages claiming they have unpaid fines, unclaimed tax refunds, or parcel delivery issues. The messages link to fraudulent websites that resemble official Canadian government portals such as PayBC, ServiceOntario, and Canada Post.
Source: CloudSEK – key domain relations
Once on the fake website, victims are prompted to enter ticket numbers, account identifiers, or reference codes. Echoing these inputs back creates a false sense of legitimacy. The page then redirects to a fraudulent payment gateway, where the attackers harvest credit card information, banking details, and personal data.
Fraud Infrastructure and Its Scale
The fraudulent websites are hosted on shared infrastructure, making it easy for attackers to scale the attack across multiple regions. They create websites with names that mimic official domains by using typosquatted URLs or URL shorteners. The fake sites even use provincial logos and official-looking banners to reinforce the illusion of authenticity.
Source: CloudSEK Blog – fraudulent traffic ticket portal
The fraud infrastructure is systematic and designed for scalability. The attackers have built a centralized platform that presents itself as a legitimate “Government of Canada” portal, from which localized scams for individual provinces are deployed. Because every province is served from the same infrastructure, the attackers never need to rebuild it for a new region.
The Role of the PayTool Ecosystem
The PayTool ecosystem has been linked to the fraud operation. This system has been used in past attacks targeting Canadian traffic fines and parking violations. The fraud operation has expanded by adding a federal-level entry point to impersonate the Canada.ca website. This tactic strengthens the attackers’ credibility, making it harder for victims to distinguish the scam from legitimate services.
Through passive DNS analysis, security teams identified that these attacks were being hosted on IP addresses including 45.156.87.145, 45.156.87.131, and 45.156.87.143. Each of these addresses resolves for multiple fraudulent provincial domains, indicating that the fraud ring is using shared infrastructure to carry out scalable attacks.
Why This Matters: Threat Actor Profiling
The actors behind the PayTool fraud ecosystem are well-organized and operate as cybercrime services. They specialize in phishing-as-a-service (PhaaS), selling custom phishing kits on underground forums. These kits are designed to mimic government portals and banking websites, making it easier for fraudsters to launch campaigns targeting high-value victims.
Source: CloudSEK Blog – Air Canada Booking Page Clone
The main actor, known as theghostorder01, has been active since 2024. They offer their phishing kits and custom support for deployment. The kits target government services, banking platforms, and e-commerce sites, primarily in Canada, Australia, the UK, and the US.
Impact Assessment and Recommendations
This fraud ecosystem represents a significant security risk to Canadian citizens and government agencies. The scams steal large amounts of personally identifiable information (PII) and financial data. These compromises can lead to identity theft, account takeovers, and direct financial fraud.
Organizations can take the following actions to mitigate the risk:
- Monitor domains that use typosquatting and keyword-based URLs for suspicious activity.
- Educate users to access official services only through bookmarked portals and to avoid clicking on links in unsolicited messages.
- Enforce strict controls to detect phishing infrastructure and implement rapid takedown procedures for fraudulent domains.
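The passive DNS pivot described earlier (several lookalike provincial domains resolving to the same small set of IP addresses) and the first recommendation above (monitoring typosquatted and keyword-based domains) can both be scripted. The Python below is an added example, not code from the CloudSEK report or this article. The three 45.156.87.x addresses are the ones the article quotes; the domain names, the 192.0.2.x addresses (a reserved documentation range), the brand keyword list, and the canada.ca allowlist entry are constructed assumptions for the demonstration.

```python
# Added example (not from the CloudSEK report): passive-DNS pivoting plus
# lookalike-domain triage for the brands named in the article.
import re
from collections import defaultdict

# Brands the article says are impersonated; canada.ca is the one legitimate
# domain the article names. The keyword list itself is an assumption.
BRAND_KEYWORDS = ("paybc", "serviceontario", "canadapost", "canada")
ALLOWLIST = {"canada.ca"}

# Constructed passive-DNS records: (domain, resolved IP). The 45.156.87.x
# addresses are quoted in the article; every domain name below and the
# 192.0.2.x addresses are placeholders invented for this example.
PDNS_RECORDS = [
    ("paybc-ticket-payment.example", "45.156.87.145"),
    ("serviceontario-fine.example", "45.156.87.145"),
    ("canadapost-redelivery.example", "45.156.87.131"),
    ("canada-refund.example", "45.156.87.131"),
    ("cannadapost-parcel.example", "45.156.87.143"),   # typo variant
    ("secure-portal-login.example", "45.156.87.143"),  # no brand keyword
    ("canada.ca", "192.0.2.10"),                       # legitimate site
    ("news-daily.example", "192.0.2.20"),              # unrelated site
]


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_allowlisted(domain):
    """Exact match or subdomain of a known legitimate domain."""
    return any(domain == a or domain.endswith("." + a) for a in ALLOWLIST)


def brand_hits(domain):
    """Brand keywords a domain imitates, by substring or by edit distance."""
    if is_allowlisted(domain):
        return []
    name = domain.rsplit(".", 1)[0].lower()
    # Hyphens and digits are the usual filler in keyword-based lookalikes,
    # so strip them before the substring check.
    flat = re.sub(r"[^a-z]", "", name)
    hits = []
    for kw in BRAND_KEYWORDS:
        if kw in flat:
            hits.append(kw)
            continue
        # Typo variant: compare each label token of similar length to the brand.
        for token in re.split(r"[-.]", name):
            if token and abs(len(token) - len(kw)) <= 2 and levenshtein(token, kw) <= 2:
                hits.append(kw)
                break
    return hits


def flag_lookalikes(records):
    """Map each brand-imitating domain to the keywords it hits."""
    flagged = {}
    for domain, _ in records:
        hits = brand_hits(domain)
        if hits:
            flagged[domain] = hits
    return flagged


def cluster_by_ip(records):
    """Passive-DNS pivot: group every domain by the address it resolved to."""
    clusters = defaultdict(set)
    for domain, ip in records:
        clusters[ip].add(domain)
    return clusters


def shared_infrastructure(records, min_lookalikes=2):
    """IPs hosting at least `min_lookalikes` lookalike domains: the signal the
    article uses to conclude one ring is reusing hosting across provinces."""
    suspicious = set(flag_lookalikes(records))
    return {ip: sorted(domains & suspicious)
            for ip, domains in cluster_by_ip(records).items()
            if len(domains & suspicious) >= min_lookalikes}


def pivot_candidates(records, confirmed_ips):
    """Domains on already-confirmed bad IPs that carry no brand keyword yet;
    these are worth a closer look even though keyword monitoring misses them."""
    flagged = flag_lookalikes(records)
    return {d for d, ip in records if ip in confirmed_ips and d not in flagged}


if __name__ == "__main__":
    print("lookalikes:", flag_lookalikes(PDNS_RECORDS))
    print("shared hosting:", shared_infrastructure(PDNS_RECORDS))
    print("pivot candidates:", pivot_candidates(PDNS_RECORDS, {"45.156.87.143"}))
```

The two detections complement each other: keyword and edit-distance matching finds the provincial lookalikes on their own, while the IP pivot surfaces domains on the same hosting that use no brand name at all. In practice the record list would come from a passive DNS provider and the allowlist would be the organization's full set of legitimate government and banking domains.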
Conclusion
This evolving fraud ecosystem targeting Canadians through PayTool phishing is a reminder of how cybercriminals are taking advantage of trusted government services. By impersonating official platforms, they effectively manipulate victims into disclosing sensitive information. As these attacks scale and evolve, both individuals and organizations must remain vigilant and adopt proactive security measures to defend against such fraud schemes.
Source: E-Crime Targeting Canada