On January 16, 2019, Anomali Labs detected two suspicious domains, gov-canada-eta[.]com and canada-etavisa[.]info, targeting foreign nationals interested in applying for a Canadian electronic travel authorization (eTA). Hosted on these domains is a replica website that spoofs the Government of Canada Electronic Travel Authorization (eTA) application site used by tourists, business travelers, and transit passengers visiting Canada for less than six months. Based on our analysis of the suspicious infrastructure, we believe this site is almost certainly part of a wider phishing scam campaign targeting visa applications and travel documents, with particular interest in foreign visitors to Canada and the United States.
When navigating to the webpage, the site visitor is presented with a spoofed page of the Government of Canada’s eTA application process:
Figure 1. Initial Landing Page Spoofing the Government of Canada Electronic Travel Authorization (eTA)
The victim is lured into applying for a travel authorization by clicking the "Apply for Canada eTA" button or menu tab, which redirects the victim's web browser to a replica of the Canada eTA application page located at <hxxp://www[.]canada-etavisa[.]info/apply-for-canada-etc/index.html>.
Figure 2. Faux Page Impersonating the Government of Canada eTA Application Site
Once the user fills out the application and discloses personally identifiable information (PII) such as full name, place of residence, phone number, date of birth, and passport number, they are redirected to a third phishing page located at <hxxp://www[.]canada-etavisa[.]info/apply-for-canada-eta/action.php>. This spoofed page asks users to provide their payment card information: card holder name, credit card number, expiry date, three-digit CVV code, and billing address. The alleged cost of applying for the Canadian eTA is $100, presumably in Canadian dollars (CAD), equivalent to $75.21 United States dollars (USD). Of note, the official Canada eTA website charges an application fee of $7 CAD, or $5.27 USD. Therefore, the actor's purpose for the spoofed pages is almost certainly to steal personal information from applicants and defraud them of $100 at a time.
Figure 3. Payment Landing Page for Faux Canada eTA Site
The page source of the payment landing page shows that it most likely uses Piwik PRO, a popular web analytics suite. Web analytics software lets the threat actor monitor and track visitors and gather metrics such as number of impressions, number of clicks, and click-through rate, to better gauge the success of the phishing campaign. The Piwik PRO account used on this website appears to belong to an unknown entity named "ryanlion":
Figure 4. Page Source for Payment Landing Page of Faux Canada eTA Site
During the investigation, our researchers discovered a total of 20 additional fraudulent domains targeting Canada's eTA and the United States' Electronic System for Travel Authorization (ESTA), all hosted on the same server IP address, 198.252.106[.]148. Of note, the originally discovered domains gov-canada-eta[.]com and canada-etavisa[.]info also resolved to this IP address. We judge with near certainty that the scammer has used, or will use, these domains to host scam pages mimicking the United States' ESTA and Canada's eTA websites in order to defraud applicants. For example:
Canada eTA Scam Sites
U.S. ESTA Scam Site
A list of the fraudulent eTA/ESTA-themed domains and subdomains can be found at the end of this blog under the Appendix A - Observables section.
Figure 5. Example of a Spoofed Page Mimicking the United States’s Electronic System for Travel Authorization (ESTA)
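A practitioner reading this will want to turn the appendix into something that runs against their own DNS or proxy telemetry. The script below is an added example, not code from the Anomali post: it loads the Appendix A indicators (kept in defanged form and refanged at load time), treats any hostname under the indicator domains as a hit, and additionally flags lookalike hostnames assembled from the same vocabulary the scammer used (esta, eta, dhs, cbp, visa, gov, immi) when at least two of those tokens appear on a non-government domain. The log format, the sample log lines, and the choice of `.gov`, `.gc.ca` and `canada.ca` as the official suffixes are assumptions made for the example.

```python
"""
Added example (not part of the original Anomali post): scan DNS/proxy log
lines for the eTA/ESTA scam indicators from Appendix A and for lookalike
hostnames built from the same lure vocabulary.
"""
import re
from typing import List, Optional, Tuple

# Indicators copied from Appendix A of the post, kept in defanged form.
# Service hostnames (cpanel., mail., webdisk., webmail.) are covered by the
# suffix match on canada-etavisa.info, so they are not listed separately.
APPENDIX_A = """
gov-canada-eta[.]com
canada-etavisa[.]info
tourismgov-aus-eta[.]canada-etavisa[.]info
canada-etavisa[.]estadhs-gov[.]us
gov-dhs-cbp-esta[.]estadhs-gov[.]us
esta-govffff[.]estadhs-gov[.]us
tourism-esta-gov[.]us
estadhs[.]online
estadhs-gov[.]us
estadhs-cbp[.]online
estacbp[.]online
esta-us[.]online
esta-immi-gov[.]us
esta-gov-dhs[.]us
esta-dhscbp[.]online
esta-cpd[.]online
esta-cbpdhs[.]online
esta-cbp[.]online
esta-cbp-dhs[.]online
us-visaesta[.]online
usa-esta[.]online
visaesta[.]online
"""


def refang(host: str) -> str:
    """Turn a defanged indicator (example[.]com) back into a real hostname."""
    return host.strip().lower().replace("[.]", ".").rstrip(".")


IOC_DOMAINS = {refang(h) for h in APPENDIX_A.split() if h}

# Assumption for this example: genuine travel-authorization sites live under
# these suffixes, so hostnames there are never flagged.
OFFICIAL_SUFFIXES = (".gov", ".gc.ca", ".canada.ca")

# Vocabulary the scam domains in Appendix A are assembled from.
LURE_TOKENS = ("esta", "eta", "dhs", "cbp", "visa", "gov", "immi")

# Assumed log format: "<timestamp> <client-ip> <queried-hostname>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s*$")


def classify(host: str) -> Optional[str]:
    """Return 'ioc', 'lookalike', or None for a queried hostname."""
    host = refang(host)
    if host == "canada.ca" or host.endswith(OFFICIAL_SUFFIXES):
        return None
    # Exact match or any subdomain of a listed indicator (e.g. webmail.).
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return "ioc"
    # Heuristic: two or more distinct lure tokens in the labels below the TLD.
    labels = host.split(".")[:-1]
    hits = {t for t in LURE_TOKENS for label in labels if t in label}
    if len(hits) >= 2:
        return "lookalike"
    return None


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, qname, verdict) for every log line that is flagged."""
    flagged = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the scan
        verdict = classify(m.group("qname"))
        if verdict:
            flagged.append((m.group("client"), refang(m.group("qname")), verdict))
    return flagged


# Constructed sample log lines for the example (not real telemetry).
SAMPLE_LOG = """\
2019-01-16T10:02:11Z 10.0.0.5 www.canada-etavisa.info
2019-01-16T10:02:12Z 10.0.0.5 esta.cbp.dhs.gov
2019-01-16T10:03:40Z 10.0.0.9 esta-dhs-gov.xyz
2019-01-16T10:04:02Z 10.0.0.9 estate-agents.co.uk
2019-01-16T10:05:55Z 10.0.0.7 webmail.canada-etavisa.info
"""

if __name__ == "__main__":
    for client, qname, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:9s} {client:10s} {qname}")
```

The exact-match branch is what you would ship to a blocklist; the token heuristic is deliberately loose (it needs two tokens, so `estate-agents.co.uk` is not flagged but `esta-dhs-gov.xyz` is) and belongs in a hunting query, not an automatic block, because the same vocabulary is used by legitimate visa-assistance businesses.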
The best method for avoiding eTA/ESTA-related scams is to apply only through the official government websites located at:
If you have come across an eTA or ESTA scam site, or have received an eTA- or ESTA-themed phishing email, we recommend promptly reporting it to the appropriate authorities:
The following guidance applies to everyone, in response to the increasing threat posed by phishing and spoofed websites:
This latest phishing scam campaign demonstrates the unidentified threat actor's or group's interest in stealing highly sensitive personal information and defrauding victims of $100 when they apply for a travel authorization to enter Canada or the United States. Fraudsters and scammers often sell and trade the compromised personal and financial data to other criminal actors in underground forums and marketplaces. Given the length of time these fraudulent domains have been active - close to two years - it is likely that the actor or group has defrauded an unknown number of victims applying for Canadian or American travel authorizations. However, at the time of this post we have not been able to confirm any victims of this phishing scam, and we urge foreign travelers to Canada and the United States to apply only at the official travel authorization websites.
All of the phishing scam sites have been reported to Canadian Spam Reporting Centre and US-CERT to prevent the scammer(s) from defrauding eTA and ESTA applicants.
The table below lists the original and additional domains and subdomains resolving to the same IP address used to host the latest phishing scam site, canada-etavisa[.]info.
Indicator | Description |
---|---|
hxxps://www[.]gov-canada-eta[.]com | Phishing scam site spoofing Canada’s Electronic Travel Authorization (eTA) |
hxxps://www[.]canada-etavisa[.]info/ | Phishing scam site spoofing Canada’s Electronic Travel Authorization (eTA) |
hxxp://www[.]canada-etavisa[.]info/apply-for-canada-etc/index.html | Phishing scam site spoofing Canada’s Electronic Travel Authorization (eTA) |
hxxp://www[.]canada-etavisa[.]info/apply-for-canada-eta/action.php | Phishing scam site spoofing Canada’s Electronic Travel Authorization (eTA) |
tourismgov-aus-eta[.]canada-etavisa[.]info | Fraudulent subdomain spoofing Canada’s Electronic Travel Authorization (eTA) |
canada-etavisa[.]estadhs-gov[.]us | Fraudulent subdomain spoofing Canada’s Electronic Travel Authorization (eTA) |
gov-canada-eta[.]com | Fraudulent domain spoofing Canada’s Electronic Travel Authorization (eTA) |
canada-etavisa[.]info | Fraudulent domain spoofing Canada’s Electronic Travel Authorization (eTA) |
cpanel[.]canada-etavisa[.]info | Linux-based web hosting control panel (cPanel) for fraudulent site spoofing Canada’s Electronic Travel Authorization (eTA) |
mail[.]canada-etavisa[.]info | Mail server for fraudulent site spoofing Canada’s Electronic Travel Authorization (eTA) |
webdisk[.]canada-etavisa[.]info | Web Disk interface of fraudulent site spoofing Canada’s Electronic Travel Authorization (eTA) |
webmail[.]canada-etavisa[.]info | Webmail application of fraudulent site spoofing Canada’s Electronic Travel Authorization (eTA) |
gov-dhs-cbp-esta[.]estadhs-gov[.]us | Fraudulent subdomain spoofing the United States Electronic System for Travel Authorization (ESTA) |
esta-govffff[.]estadhs-gov[.]us | Fraudulent subdomain spoofing the United States Electronic System for Travel Authorization (ESTA) |
tourism-esta-gov[.]us | Fraudulent domain spoofing the United States Electronic System for Travel Authorization (ESTA) |
estadhs[.]online | Fraudulent domain spoofing the United States Electronic System for Travel Authorization (ESTA) |
estadhs-gov[.]us | Fraudulent domain spoofing the United States Electronic System for Travel Authorization (ESTA) |
estadhs-cbp[.]online | Fraudulent domain spoofing the United States Electronic System for Travel Authorization (ESTA) |
estacbp[.]online | Fraudulent domain spoofing the United States Electronic System for Travel Authorization (ESTA) |
esta-us[.]online | Fraudulent domain spoofing the United States Electronic System for Travel Authorization (ESTA) |
esta-immi-gov[.]us | Fraudulent domain spoofing the United States Electronic System for Travel Authorization (ESTA) |
esta-gov-dhs[.]us | Fraudulent domain spoofing the United States Electronic System for Travel Authorization (ESTA) |
esta-dhscbp[.]online | Fraudulent domain spoofing the United States Electronic System for Travel Authorization (ESTA) |
esta-cpd[.]online | Fraudulent domain spoofing the United States Electronic System for Travel Authorization (ESTA) |
esta-cbpdhs[.]online | Fraudulent domain spoofing the United States Electronic System for Travel Authorization (ESTA) |
esta-cbp[.]online | Fraudulent domain spoofing the United States Electronic System for Travel Authorization (ESTA) |
esta-cbp-dhs[.]online | Fraudulent domain spoofing the United States Electronic System for Travel Authorization (ESTA) |
us-visaesta[.]online | Fraudulent domain spoofing the United States Electronic System for Travel Authorization (ESTA) |
usa-esta[.]online | Fraudulent domain spoofing the United States Electronic System for Travel Authorization (ESTA) |
visaesta[.]online | Fraudulent domain spoofing the United States Electronic System for Travel Authorization (ESTA) |