chat
expand_more

New Travel Scam Variant Targets Tourists Traveling to Canada

Abnormal Security recently identified a scam aimed at the Canadian electronic travel authorization (eTA) program, which bears a striking resemblance to a long-standing fraud scheme described in our post from several weeks ago targeting TSA travel program applicants.
December 14, 2021

Abnormal Security recently identified a scam aimed at the Canadian electronic travel authorization (eTA) program, which bears a striking resemblance to a long-standing fraud scheme described in our post from several weeks ago targeting TSA travel program applicants.

Canadian visa application phishing attempt email

Canadian Visa program-themed phishing email.

Discovering the Canadian Visa Phishing Attempt

On December 1, 2021, Abnormal intercepted the above email sent to a VIP recipient, reminding them that their Canada visa application had not been submitted and remained incomplete. Although both the sending domain and the one listed in the signature block have the appearance of quasi-legitimacy, the website canada-visa-online[.]org uses the theme "eTA Canada Electronic Travel Authorization" while the real version of the page says "Government of Canada." The sending email address info[@]official-canada-visa.org is the same as the contact email listed on the bottom of the imitation website at canada-visa-online[.]org.

Fake Canadian visa phishing site

Landing page for canada-visa-online.org.

The Canadian eTA approval system is an entry requirement for visa-exempt United States citizens and other foreign travelers entering by air, although various exemptions exist for mode of entry and country of origin. The application process can be completed online and electronically links the record to the traveler's passport. Applying costs $7 CAD (about $5.50 USD) to file and typically takes several days to be approved, although Immigration, Refugees, and Citizenship (IRCC) Canada advises travelers to apply before purchasing a plane ticket. All of this can be done at official Canadian government websites using a ".ca" top-level domain, similar to ".gov" in the United States.

Although the scam website appears to offer sufficiently detailed information about the travel requirement program, some of the instructions stick out as odd, like the references to paying the filing fee via PayPal. If you remember, this was the preferred payment method for the other travel fraudsters we covered.

Canadian visa payment method

Payment methods listed on canada-visa-online.org.

Additionally, the fraudulent website is harder to read and understand than Canada's legitimate site, undoubtedly by design. Another identical version of this scam page exists at canada-visa-gov.org, although nothing appears to be hosted at the official-canada-visa.org domain used to send the email.

Canadian visa phishing paypal order summary

Order summary page with PayPal payment.

This fraudulent website makes no distinction between itself and the legitimate Canadian authorities and offers its service for a whopping $99 application fee. After the travel applicant completes the detailed application specifying their place of birth, passport number, date of birth, and address, the scam service displays an order summary of the information entered with payment available via PayPal or credit card, which is processed by PayPal. This time, the merchant name is not displayed in the payment box, and the hopeful travel applicant has no insight into where their money has been sent.

Block Credential Phishing Emails

The Fraudsters Behind the Canadian Visa Scam

The domains used for this scam are hosted at the IP address 67[.]227[.]191[.]40, which also hosts an interesting mix of websites using similar international travel themes. Some appear to have been active since 2019.

Domains we’ve linked to this group include the following:

  • canada-visa-gov[.]org
  • canada-visa-online[.]org
  • elevendimension-funds[.]com
  • host.indiaonlinevisa[.]in
  • i-visa[.]org
  • india-e-visa[.]in
  • india-knowlege[.]in
  • india-visa-online[.]com
  • india-visa-online[.]org
  • indiaonlinevisa[.]in
  • ivisango[.]com
  • new-zealand-visa.co[.]nz
  • new-zealand-visa[.]org
  • official-india-visa[.]com
  • official-turkey-visa[.]org
  • us-visa-esta[.]org
  • www.canada-visa-online[.]org
  • www.india-e-visa[.]in
  • www.india-knowlege[.]in
  • www.india-visa-online[.]com
  • www.us-visa-esta[.]org

No additional information is available on what the actors actually do with the sensitive personally identifiable information (PII) they collect. Still, we can hypothesize that it is likely not being used to apply for Canadian travel authorization.

Unfortunately, those that use this website to apply will likely never know that their money and information have been stolen—at least until they realize they never received their visa or worse, are denied entry into Canada upon arrival.

New Travel Scam Variant Targets Tourists Traveling to Canada

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Discover How It All Works

See How Abnormal AI Protects Humans

Related Posts

B Retail Industry Attack Trends Blog
New research reveals predictable seasonal cybersecurity patterns in retail. Discover when attacks are most prevalent and how to synchronize defenses with threat cycles.
Read More
Engineering Hyper Personalized Security Training pptx 1
Explore how Abnormal AI rapidly engineered AI Phishing Coach, a hyper-personalized training platform, by leveraging GenAI, internal developer tools, and an AI-first build process designed for speed and scale.
Read More
Innovate Summer Update Announcement Blog Cover
Join Abnormal Innovate: Summer Update on July 17 to explore the future of AI-powered email security with bite-sized sessions, expert insights, and exclusive product reveals.
Read More
High Scale Aggregation Cover
At Abnormal AI, detecting malicious behavior at scale means aggregating vast volumes of signals in realtime and batch. This post breaks down how we implemented the Signals DAG across both systems to achieve consistency, speed, and detection accuracy at scale.
Read More
B CISO SAT
Discover how modern CISOs are evolving security awareness training from a compliance checkbox into a strategic, AI-powered program that drives behavior change and builds a security-first culture.
Read More
B Regional VEC BEC Trends Blog
Regional analysis of 1,400+ organizations reveals how geography shapes email security risks. See which regions are most vulnerable to VEC vs BEC.
Read More