January 21, 2019 - Anomali Threat Research

Phishing Scam Spoofs Canadian eTA and U.S. ESTA Websites to Target Visa-Exempt Foreign Travelers

<p>On January 16, 2019, Anomali Labs detected two suspicious domains, gov-canada-eta[.]com and canada-etavisa[.]info, targeting foreign nationals interested in applying for a Canadian electronic travel authorization (eTA). Hosted on these domains is a replica website that spoofs the Government of Canada Electronic Travel Authorization (eTA) application site used by tourists, business travelers, and transients visiting Canada for less than six months. Based on our analysis of the suspicious infrastructure, we believe this site is almost certainly part of a wider phishing scam campaign targeting visa applications and travel documents, with particular interest in foreign visitors to Canada and the United States.</p>
<h2>Government of Canada Electronic Travel Authorization (eTA) Scam Page Details</h2>
<p>When navigating to the webpage, the site visitor is presented with a spoofed page of the Government of Canada’s eTA application process:</p>
<p style="text-align: center;"><img alt="" src="https://cdn.filestackcontent.com/f09POri6RKAokxUBqHv7"/><br/> <strong>Figure 1. Initial Landing Page Spoofing the Government of Canada Electronic Travel Authorization (eTA)</strong></p>
<p>The victim is lured into applying for a travel authorization when they click on the "Apply for Canada eTA" button or menu tab, which redirects the victim’s web browser to a replica page of the Canada eTA Application located at hxxp://www[.]canada-etavisa[.]info/apply-for-canada-etc/index.html.</p>
<p style="text-align: center;"><img alt="" src="https://cdn.filestackcontent.com/Wkdy4KiDTTHredBEpQCV"/><br/> <strong>Figure 2. Faux Page Impersonating the Government of Canada eTA Application Site</strong></p>
<p>Once the user fills out the application and discloses personally identifiable information (PII) such as full name, place of residence, phone number, date of birth, and passport number, among other details, they are redirected to a third phishing scam page located at hxxp://www[.]canada-etavisa[.]info/apply-for-canada-eta/action.php. This spoofed page asks users to provide their payment card information: card holder name, credit card number, expiry date, three-digit CVV code, and billing address. The alleged cost of applying for the Canadian visa is $100, presumably in Canadian Dollars (CAD), equivalent to $75.21 United States Dollars (USD). Of note, the official <a href="https://www.canada.ca/en/immigration-refugees-citizenship/services/visit-canada/eta/apply.html" target="_blank">Canada eTA</a> website charges an application fee of $7 CAD, or $5.27 USD. Therefore, the actor’s intended purpose for the spoofing pages is almost certainly to steal personal information from applicants and defraud them out of $100 at a time.</p>
<p style="text-align: center;"><img alt="" src="https://cdn.filestackcontent.com/tpz2jJe1TCscrF2wbVml"/><br/> <strong>Figure 3. Payment Landing Page for Faux Canada eTA Site</strong></p>
<p>According to the page source of the payment landing page, it is most likely using piwikpro ("Piwik PRO"), a popular web analytics suite. The use of web analytics software enables the threat actor to monitor and track visitors and to gather metrics such as number of impressions, number of clicks, and click-through rates, to better gauge the success of the phishing scam campaign. The account for the piwikpro instance on this website appears to belong to an unknown entity named "ryanlion":</p>
<p style="text-align: center;"><img alt="" src="https://cdn.filestackcontent.com/ecaSLcYRiZ2Kw0ybQUwI"/><br/> <strong>Figure 4. Page Source for Payment Landing Page of Faux Canada eTA Site</strong></p>
<h2>Additional Travel Authorization-Related Scam Pages</h2>
<p>During the course of the investigation, our researchers discovered a total of 20 additional fraudulent domains targeting Canada’s eTA and the United States’ Electronic System for Travel Authorization (ESTA), all hosted on the same server IP address, 198.252.106[.]148. Of note, the originally discovered domains gov-canada-eta[.]com and canada-etavisa[.]info also resolved to this IP address. We judge with near certainty that the scammer has used, or will likely use, these domains to host scam pages mimicking the United States’ ESTA and Canada’s eTA websites to defraud visa applicants. For example:</p>
<p><em>Canada eTA Scam Sites</em></p>
<ul><li>On March 29, 2017, a scammer used a domain privacy protection service to create the domain canada-etavisa[.]info and subsequently created the subdomain tourismgov-aus-eta[.]canada-etavisa[.]info, which as of January 18, 2019 was still actively hosting a Canada eTA scam page.</li><li>On November 28, 2016, a malicious registrant named James Kingston used the email address nietzschestorm{at}gmail[.]com to register the fraudulent domain estadhs-gov[.]us with the registrar Namecheap. On an unspecified date, the threat actor created the subdomain canada-etavisa[.]estadhs-gov[.]us, which was subsequently used to host a Canada eTA phishing scam site.</li></ul>
<p><em>U.S. ESTA Scam Site</em></p>
<ul><li>As of January 18, 2019, there were 18 fraudulent domains in total resolving to IP address 198.252.106[.]148, most likely created with the intention of defrauding U.S. ESTA applicants via scam pages. Figure 5 shows one of the 18 fraudulent domains (dhsgov-esta[.]us), which at the time of our analysis was actively hosting an ESTA-themed scam page.</li></ul>
<p>A list of the fraudulent eTA/ESTA-themed domains and subdomains can be found at the end of this blog under the Appendix A - Observables section.</p>
<p style="text-align: center;"><img alt="" src="https://cdn.filestackcontent.com/8MzyKjHqRwGbvAjzru6T"/><br/> <strong>Figure 5. Example of a Spoofed Page Mimicking the United States’ Electronic System for Travel Authorization (ESTA)</strong></p>
<h2>How to Avoid eTA/ESTA Scams?</h2>
<p>The best method for avoiding eTA/ESTA-related scams is to apply only through the official government websites:</p>
<ul><li><strong>Canada Electronic Travel Authorization (eTA)</strong> - <a href="https://www.canada.ca/en/immigration-refugees-citizenship/services/visit-canada/eta/apply.html" target="_blank">https://www.canada.ca/en/immigration-refugees-citizenship/services/visit-canada/eta/apply.html</a></li><li><strong>United States Electronic System for Travel Authorization (ESTA)</strong> - <a href="https://esta.cbp.dhs.gov" target="_blank">https://esta.cbp.dhs.gov</a></li></ul>
<p>If you have come across an eTA or ESTA scam site or have received an eTA or ESTA-themed phishing email, we recommend promptly reporting it to the appropriate authorities:</p>
<ul><li>Canadian eTA scam pages should be reported to the Spam Reporting Centre by filling out the online form located <a href="http://fightspam.gc.ca/eic/site/030.nsf/frm-eng/MMCN-9EZV6S" target="_blank">here</a> or via email to <a href="mailto:spam@fightspam.gc.ca">spam@fightspam.gc.ca</a>.</li><li>U.S. ESTA scam pages should be reported to US-CERT and its partner, the Anti-Phishing Working Group (APWG), by sending an email to <a href="mailto:phishing-report@us-cert.gov">phishing-report@us-cert.gov</a>.</li></ul>
<p>The following guidance applies to everyone in response to the increasing threat posed by phishing and spoofed websites:</p>
<ul><li>Always be cautious regarding unsolicited emails that contain links and attachments. If in doubt, validate the legitimacy of the message by contacting the sender organisation through an alternate method of contact, e.g. a verified phone number.</li><li>Check for telltale signs of phishing: Does the message have poor spelling, grammar and punctuation? Is it addressed to you by name, or does it use a generic reference, e.g. “valued customer” or “trusted contact”? This can be a sign that the sender does not actually know you and that the message is part of a phishing scam. Does the email contain a veiled threat that asks you to act urgently? If it sounds too good to be true, it probably is.</li><li>Also bear in mind that some spam and phishing messages may include attempts to infect your computer or device with malware. Therefore, it is advisable to install anti-virus/endpoint protection, use an ad-blocker in your browser, and keep your operating system up to date with the latest patches.</li><li>Be conscious of your digital footprint. Cyber threat actors use publicly available information about you and your organisation to make their phishing messages more convincing and realistic. This is often gleaned from social media accounts, company websites, and media releases.</li></ul>
<h2>Conclusion</h2>
<p>This latest phishing scam campaign demonstrates the unidentified threat actor or group’s interest in stealing highly sensitive personal information and defrauding victims out of $100 when they apply for a travel authorization to enter Canada or the United States. Oftentimes, fraudsters and scammers sell and trade the compromised personal and financial data to other criminal actors in underground forums and marketplaces. Given the length of time these fraudulent domains have been active, close to two years, it is likely that the actor or group has defrauded an unknown number of victims applying for Canadian or American travel authorizations. However, at the time of this post, we have not been able to confirm any victims of this latest phishing scam, and we urge foreign travelers to Canada and the United States to apply only at the official travel authorization websites.</p>
<p>All of the phishing scam sites have been reported to the Canadian Spam Reporting Centre and US-CERT to prevent the scammer(s) from defrauding eTA and ESTA applicants.</p>
<h3>Appendix A - Observables</h3>
<p>The table below lists the original and additional domains and subdomains resolving to the same IP address used for hosting the latest phishing scam site, canada-etavisa[.]info.</p>
<table class="table table-bordered table-striped"><tbody>
<tr><th>Indicator</th><th>Description</th></tr>
<tr><td>hxxps://www[.]gov-canada-eta[.]com</td><td>Phishing scam site spoofing Canada’s Electronic Travel Authorization (eTA)</td></tr>
<tr><td>hxxps://www[.]canada-etavisa[.]info/</td><td>Phishing scam site spoofing Canada’s Electronic Travel Authorization (eTA)</td></tr>
<tr><td>hxxp://www[.]canada-etavisa[.]info/apply-for-canada-etc/index.html</td><td>Phishing scam site spoofing Canada’s Electronic Travel Authorization (eTA)</td></tr>
<tr><td>hxxp://www[.]canada-etavisa[.]info/apply-for-canada-eta/action.php</td><td>Phishing scam site spoofing Canada’s Electronic Travel Authorization (eTA)</td></tr>
<tr><td>tourismgov-aus-eta[.]canada-etavisa[.]info</td><td>Fraudulent subdomain spoofing Canada’s Electronic Travel Authorization (eTA)</td></tr>
<tr><td>canada-etavisa[.]estadhs-gov[.]us</td><td>Fraudulent subdomain spoofing Canada’s Electronic Travel Authorization (eTA)</td></tr>
<tr><td>gov-canada-eta[.]com</td><td>Fraudulent domain spoofing Canada’s Electronic Travel Authorization (eTA)</td></tr>
<tr><td>canada-etavisa[.]info</td><td>Fraudulent domain spoofing Canada’s Electronic Travel Authorization (eTA)</td></tr>
<tr><td>cpanel[.]canada-etavisa[.]info</td><td>Linux-based web hosting control panel (cPanel) for fraudulent site spoofing Canada’s Electronic Travel Authorization (eTA)</td></tr>
<tr><td>mail[.]canada-etavisa[.]info</td><td>Mail server for fraudulent site spoofing Canada’s Electronic Travel Authorization (eTA)</td></tr>
<tr><td>webdisk[.]canada-etavisa[.]info</td><td>Web Disk interface of fraudulent site spoofing Canada’s Electronic Travel Authorization (eTA)</td></tr>
<tr><td>webmail[.]canada-etavisa[.]info</td><td>Webmail application of fraudulent site spoofing Canada’s Electronic Travel Authorization (eTA)</td></tr>
<tr><td>gov-dhs-cbp-esta[.]estadhs-gov[.]us</td><td>Fraudulent domain spoofing the United States Electronic System for Travel Authorization (ESTA)</td></tr>
<tr><td>esta-govffff[.]estadhs-gov[.]us</td><td>Fraudulent domain spoofing the United States Electronic System for Travel Authorization (ESTA)</td></tr>
<tr><td>tourism-esta-gov[.]us</td><td>Fraudulent domain spoofing the United States Electronic System for Travel Authorization (ESTA)</td></tr>
<tr><td>estadhs[.]online</td><td>Fraudulent domain spoofing the United States Electronic System for Travel Authorization (ESTA)</td></tr>
<tr><td>estadhs-gov[.]us</td><td>Fraudulent domain spoofing the United States Electronic System for Travel Authorization (ESTA)</td></tr>
<tr><td>estadhs-cbp[.]online</td><td>Fraudulent domain spoofing the United States Electronic System for Travel Authorization (ESTA)</td></tr>
<tr><td>estacbp[.]online</td><td>Fraudulent domain spoofing the United States Electronic System for Travel Authorization (ESTA)</td></tr>
<tr><td>esta-us[.]online</td><td>Fraudulent domain spoofing the United States Electronic System for Travel Authorization (ESTA)</td></tr>
<tr><td>esta-immi-gov[.]us</td><td>Fraudulent domain spoofing the United States Electronic System for Travel Authorization (ESTA)</td></tr>
<tr><td>esta-gov-dhs[.]us</td><td>Fraudulent domain spoofing the United States Electronic System for Travel Authorization (ESTA)</td></tr>
<tr><td>esta-dhscbp[.]online</td><td>Fraudulent domain spoofing the United States Electronic System for Travel Authorization (ESTA)</td></tr>
<tr><td>esta-cpd[.]online</td><td>Fraudulent domain spoofing the United States Electronic System for Travel Authorization (ESTA)</td></tr>
<tr><td>esta-cbpdhs[.]online</td><td>Fraudulent domain spoofing the United States Electronic System for Travel Authorization (ESTA)</td></tr>
<tr><td>esta-cbp[.]online</td><td>Fraudulent domain spoofing the United States Electronic System for Travel Authorization (ESTA)</td></tr>
<tr><td>esta-cbp-dhs[.]online</td><td>Fraudulent domain spoofing the United States Electronic System for Travel Authorization (ESTA)</td></tr>
<tr><td>us-visaesta[.]online</td><td>Fraudulent domain spoofing the United States Electronic System for Travel Authorization (ESTA)</td></tr>
<tr><td>usa-esta[.]online</td><td>Fraudulent domain spoofing the United States Electronic System for Travel Authorization (ESTA)</td></tr>
<tr><td>visaesta[.]online</td><td>Fraudulent domain spoofing the United States Electronic System for Travel Authorization (ESTA)</td></tr>
</tbody></table>
<h3>External References</h3><ul><li>URLScan</li><li>VirusTotal</li></ul>
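<p>A defender turning the observables above into a detection, as an added example that is not part of the original post and not Anomali's tooling: it refangs a subset of the Appendix A indicators, matches DNS and proxy log lines against them (subdomains of a listed domain included), pivots on the shared hosting IP 198.252.106[.]148 so that an ESTA domain left off the list is still flagged when it resolves there, and checks a URL against the official canada.ca and esta.cbp.dhs.gov hosts from the "How to Avoid eTA/ESTA Scams?" section. The log line format, the client addresses, and the 192.0.2.10 answer are assumptions constructed for the example.</p>

```python
"""Refang the Appendix A observables, match them against log lines, and pivot
on the shared hosting IP. Added example for this post; not Anomali's code.
The log lines at the bottom are constructed for illustration."""
import re
from urllib.parse import urlsplit

# Subset of the Appendix A indicators, exactly as defanged in the report,
# plus the shared hosting IP the report pivots on.
DEFANGED_INDICATORS = [
    "hxxps://www[.]gov-canada-eta[.]com",
    "hxxp://www[.]canada-etavisa[.]info/apply-for-canada-eta/action.php",
    "gov-canada-eta[.]com",
    "canada-etavisa[.]info",
    "tourismgov-aus-eta[.]canada-etavisa[.]info",
    "canada-etavisa[.]estadhs-gov[.]us",
    "estadhs-gov[.]us",
    "dhsgov-esta[.]us",
    "198.252.106[.]148",
]

# Official application sites named in the post.
OFFICIAL_HOSTS = {"canada.ca", "esta.cbp.dhs.gov"}

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def refang(indicator: str) -> str:
    """Undo the usual defanging: hxxp(s) -> http(s), [.] -> ., {at}/[at] -> @."""
    s = indicator.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("{at}", "@").replace("[at]", "@")


def extract_host(value: str) -> str:
    """Lower-case hostname (or IP) from a URL or bare domain, defanged or not."""
    s = refang(value)
    if "://" in s:
        return (urlsplit(s).hostname or "").rstrip(".")
    return s.split("/")[0].lower().rstrip(".")


def build_watchlist(indicators) -> set:
    """Collapse URLs, domains and IPs into one set of hosts to match on."""
    return {extract_host(i) for i in indicators}


def host_matches(host: str, watchlist: set) -> bool:
    """True for an exact hit or any subdomain of a watched domain (IPs exact only)."""
    host = host.lower().rstrip(".")
    if host in watchlist:
        return True
    return any(not IPV4.match(w) and host.endswith("." + w) for w in watchlist)


def is_official(url: str) -> bool:
    """Whether a URL's host is one of the official eTA/ESTA sites or under them.
    A lookalike such as canada.ca.example.net does not pass, since only a true
    parent-domain suffix (".canada.ca") is accepted."""
    host = extract_host(url)
    return host in OFFICIAL_HOSTS or any(host.endswith("." + o) for o in OFFICIAL_HOSTS)


def scan_logs(lines, watchlist):
    """Each line (assumed format): '<ts> <client> <dns|http> <qname-or-url> <answer-ip-or-->'.
    Returns (client, host, reason) tuples; reason is 'indicator' for a watchlist
    hit or 'shared-ip' when an unlisted host resolves to the report's hosting IP."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than abort the scan
        _ts, client, kind, target, answer = parts
        host = extract_host(target) if kind == "http" else target.lower().rstrip(".")
        if host_matches(host, watchlist):
            hits.append((client, host, "indicator"))
        elif answer in watchlist:
            hits.append((client, host, "shared-ip"))
    return hits


WATCHLIST = build_watchlist(DEFANGED_INDICATORS)

# Constructed sample log lines. Clients and the 192.0.2.10 answer are made up;
# estacbp.online is an Appendix A domain deliberately left out of the subset
# above so the shared-IP pivot is what catches it.
SAMPLE_LOGS = [
    "2019-01-18T10:02:11Z 10.0.0.5 dns www.canada-etavisa.info 198.252.106.148",
    "2019-01-18T10:03:40Z 10.0.0.7 dns www.canada.ca 192.0.2.10",
    "2019-01-18T10:05:02Z 10.0.0.9 http https://esta.cbp.dhs.gov/ -",
    "2019-01-18T10:06:30Z 10.0.0.5 http http://dhsgov-esta.us/apply/index.html 198.252.106.148",
    "2019-01-18T10:07:01Z 10.0.0.12 dns login.tourismgov-aus-eta.canada-etavisa.info 198.252.106.148",
    "2019-01-18T10:08:15Z 10.0.0.3 dns estacbp.online 198.252.106.148",
]

if __name__ == "__main__":
    for client, host, reason in scan_logs(SAMPLE_LOGS, WATCHLIST):
        print(f"{client:<10} {reason:<10} {host}")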
