Because they rely heavily on digital services for travel, taxes, packages, and traffic fines, Canadian citizens are increasingly exposed to phishing attacks. Researchers discovered linked fraud networks imitating government and corporate websites such as PayBC, Canada Post, Air Canada, and the Canada Revenue Agency (CRA). These campaigns tie into the infamous PayTool phishing ecosystem, collecting credentials and personal information at scale.
The scams are driven by SMS lures and malicious advertisements claiming unpaid fines, failed deliveries, or booking errors. Victims click typosquatted domains or shortened URLs that lead to fake portals. The sites first run a "validation" step that asks for a booking ID or ticket number and accepts any input; this builds trust before the victim is handed to a fraudulent payment gateway that harvests credit card numbers, PII, and Interac e-Transfer login credentials.
The Provincial Expansion of PayTool

CloudSEK reports that traffic ticket scams are the main activity and extend PayTool's strategy. Attackers present a "Traffic Ticket Search Portal – Government of Canada" that lets users select a province such as British Columbia, Ontario, or Quebec. The findings show several Canada.ca lookalike domains, hosted on shared infrastructure, impersonating the "Traffic Ticket Search Portal" (Source: CloudSEK).
More than 70 domains resolved to IP 198.23.156.130, cloning Canada.ca with provincial logos for credibility. This federal façade mimics real portals like PayBC and ServiceOntario, centralizes trust, and scales across regions. Domain names follow patterns built from "ticket," "traffic," "portal," and "violation," indicating automated generation. Payment kits cluster on the 45.156.87.0/24 subnet, which includes IPs like 45.156.87.145 hosting Ontario's ontarioticketpay and BC's paytool-bc-2025.com.live, alongside general fallbacks such as parking portals.live to guarantee continuity after blacklisting.
Travel and postal fraud are branches of the same diversified brand impersonation campaigns. Canada Post clones send "redelivery" alerts through domains such as handlingpostecan1.com and postcan-track-elment.live. Air Canada typosquats such as aircanda-booking.com target mistyped searches or poisoned ads by replicating favicons and page titles, and pretexts such as baggage fees push victims into urgent payments.

[Screenshot of the fake Air Canada landing page (Source: CloudSEK)]

A dark web actor known as "theghostorder01" sells 14-page kits that mimic Ontario driver's license renewals in order to capture bank details, and has been hawking codes on Telegram since 2024. Payment is accepted in BTC (bc1qvhxkqujf347apsgy65ffykste0jy6txhgejhm048ukrys7cm6d3q2v4ze7) and USDT (TWNCawkk3NbPZsY6mdnog8Sn7rS2vue95d).
Buyers handle the stolen data through simple APIs rather than running complex servers.

Key indicators (domain; registrar; creation date; IP/subnets, as listed in the source):
paybc-portal.live; PDR Ltd.; 45.156.87.x
ontarioticketpay; 2025-07-19 / 2025-07-09; 45.156.87.x
justice-ticket-portal.com / .live; PDR Ltd.; MAT BAO; 198.23.156.130; 2025-12-14
Booking.aircanda.com; Namecheap; August 6, 2025
Handling Postecan1.com; PDR Ltd.; July 24, 2025; varies

The full IOC list comprises more than fifty domains on .live and .com TLDs, all built around high-urgency themes. These operations risk account takeovers, widespread PII leaks, and a decline in public confidence in government services, and the spread across the government, postal, and aviation sectors widens the exposure.
Defenders should watch for domains containing terms like "ticket" and "infraction," and use DNS firewalls to block the PayTool IP ranges (45.156.87.0/24, 198.23.156.130). Run awareness campaigns: official agencies do not send payment links by SMS. Bookmark Canada.ca, PayBC, and aircanada.com, and navigate to them directly to confirm any request. Threat intelligence highlights title reuse, favicon matches, and shared hosting; quick takedowns curb domain rotation. As phishing kits become more widely available, Canadians need to pay close attention to odd TLDs and SMS urgency. Vigilance shields millions from these compromised digital gateways.
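One way to turn the indicators above into a defensive triage check, as an added Python example that is not part of the CloudSEK research or this article: it scores domains from a resolver feed against the PayTool hosting ranges, the "ticket"/"traffic"/"portal"/"violation" naming patterns, and one-character brand typosquats like aircanda. The weights, threshold, allow list and the triage function are assumptions for this example; the sample feed is constructed, reusing domains and IPs named in the article plus RFC 5737 documentation addresses.

```python
import ipaddress
# Hosting indicators and lure vocabulary come from the reporting above; weights,
# threshold and allow list are assumptions made for this example.
PAYTOOL_NETWORKS = [ipaddress.ip_network("45.156.87.0/24"),
                    ipaddress.ip_network("198.23.156.130/32")]
LURE_TERMS = ("ticket", "traffic", "portal", "violation", "infraction")
BRANDS = ("aircanada", "paybc", "canadapost", "serviceontario")
ALLOWLIST = {"canada.ca", "aircanada.com"}  # legitimate sites named in the article

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; distance 1 to a brand catches typosquats like aircanda."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score_domain(domain: str, resolved_ip: str) -> tuple[int, list[str]]:
    """Score one domain/IP pair against the PayTool indicators; higher is worse."""
    domain = domain.lower().rstrip(".")
    if domain in ALLOWLIST:
        return 0, []
    labels = domain.split(".")
    name, tld = ".".join(labels[:-1]), labels[-1]
    tokens = name.replace("-", ".").split(".")  # aircanda-booking -> [aircanda, booking]
    compact = "".join(tokens)                    # aircandabooking
    findings = []                                # (points, reason) pairs
    if any(ipaddress.ip_address(resolved_ip) in net for net in PAYTOOL_NETWORKS):
        findings.append((3, f"resolves to PayTool hosting {resolved_ip}"))
    findings += [(1, f"lure term {t}") for t in LURE_TERMS if t in compact]
    for brand in BRANDS:
        if brand in compact:
            findings.append((2, f"uses brand string {brand}"))
        elif any(edit_distance(tok, brand) == 1 for tok in tokens):
            findings.append((3, f"one-character typosquat of {brand}"))
    if tld == "live":
        findings.append((1, ".live TLD on a supposed government service"))
    return sum(p for p, _ in findings), [why for _, why in findings]

def triage(records: list[tuple[str, str]], threshold: int = 3) -> list[tuple[str, int, list[str]]]:
    """Return (domain, score, reasons) for records at or above threshold, worst first."""
    scored = [(d, *score_domain(d, ip)) for d, ip in records]
    return sorted([r for r in scored if r[1] >= threshold], key=lambda r: -r[1])

# Constructed sample feed: first two pairs are from the article, rest use RFC 5737 addresses.
RECORDS = [("paytool-bc-2025.com.live", "45.156.87.145"), ("justice-ticket-portal.com", "198.23.156.130"),
           ("aircanda-booking.com", "203.0.113.10"), ("canada.ca", "203.0.113.20"),
           ("weather-forecast.example", "203.0.113.30")]
```

Calling `triage(RECORDS)` flags the two PayTool-hosted domains and the Air Canada typosquat while leaving canada.ca and the unrelated domain untouched; a real deployment would feed it passive DNS or certificate transparency output instead of the constructed list.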