PHISHCA
Cybercriminals routinely target Canadians with phishing lures -- often via text messages (also known as "smishing") -- impersonating financial institutions, government entities, telecommunications and other companies. Their goal is to steal banking or credit card data as well as other personal identification information in order to perpetrate fraud or sell this data to other fraudsters.

PHISHCA identifies and analyzes phishing threats targeting Canadians.

BLOG
Parking Ticket Campaign Spoofing The Government of Ontario

Dec 27, 2024

phish sms ontario parking

Phishing campaigns often use a parking ticket lure to trick users into handing over their payment card information to cybercriminals. These lures can be localised in order to seem relevant and authentic. A recent SMS phishing campaign spoofed the Government of Ontario. The text of the lure was awkwardly phrased, and the domain did not specifically spoof the Government of Ontario but generically referred to parking tickets. Please consult the Government of Ontario resources on how to identify a fraud or scam here.

IOCs

helpticket-park[.]com

154.216.17[.]149

Phishing Campaign Spoofing WealthSimple

Dec 12, 2024

phish sms wealthsimple

There is an ongoing phishing campaign spoofing WealthSimple, a Canadian online investment company. We received a fraudulent SMS message purporting to be from WealthSimple stating that there had been a security incident regarding our account and that we needed to visit a website to secure our account.

The website verifymyweaithsimpie[.]com contains the letter "i" where there should be an "l", which makes it look like the proper spelling of "wealthsimple", but it is in fact a phishing website. Visiting the site displays a fake login page. Any user credentials entered into the fake website will be stolen by the attackers.

WealthSimple has tips on avoiding these types of scams here.
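
The character substitution described above can be checked mechanically by folding commonly confused characters to one form before comparing a hostname against a brand name. The following is an added example, not PHISHCA's own tooling; the brand list, the small confusable map and the function names are assumptions.

```python
import re

# Assumption: brands to watch. Only "wealthsimple" comes from the post above.
BRANDS = ["wealthsimple"]

# Constructed, deliberately small map that folds characters often swapped for
# one another in lookalike domains onto a single representative character.
CONFUSABLE = str.maketrans({"i": "l", "1": "l", "0": "o"})


def refang(indicator):
    """Return the bare hostname from a defanged indicator or a URL."""
    host = indicator.lower().replace("[.]", ".")
    host = re.sub(r"^[a-z]+://", "", host)      # drops http://, hxxps://, ...
    return host.split("/")[0].split(":")[0]


def lookalike_brand(indicator, brands=BRANDS):
    """Return (brand, spelling_seen) when a label spells a brand with swapped
    confusable characters, or None. An exact brand spelling is not flagged
    here; that case needs an allowlist of the brand's real domains."""
    labels = refang(indicator).split(".")[:-1]   # ignore the TLD
    for label in labels:
        folded = label.translate(CONFUSABLE)     # 1:1 map keeps offsets aligned
        for brand in brands:
            target = brand.translate(CONFUSABLE)
            start = folded.find(target)
            while start != -1:
                seen = label[start:start + len(brand)]
                if seen != brand:
                    return brand, seen
                start = folded.find(target, start + 1)
    return None


if __name__ == "__main__":
    # Sample input: the three IOC domains listed on this page, plus one
    # correctly spelled hostname added as a negative control.
    for ioc in ["helpticket-park[.]com", "verifymyweaithsimpie[.]com",
                "securedeposit[.]cfd", "wealthsimple.com"]:
        print(ioc, "->", lookalike_brand(ioc))
```

Only the WealthSimple lookalike is flagged; the other two domains on this page use generic keywords rather than a misspelled brand, so they need different checks.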

IOCs

verifymyweaithsimpie[.]com
91.202.233[.]231

Carbon Rebate Lure used in Phishing Campaign

Oct 11, 2024

phish sms interac

We received a fraudulent SMS message purporting to be an INTERAC transfer related to the Canada Carbon Rebate. The domain contains the term "securedeposit" but ends in the notorious domain suffix ".cfd", which should help users determine that this is a scam.

CRA has some resources available to help identify these types of messages.

IOCs

securedeposit[.]cfd
45.134.37[.]86

Phish URL Date
http://helpticket-park.com/OJfy5qLu/go/start.php 2024-12-27
https://verifymyweaithsimpie.com/app/index 2024-12-09
https://securedeposit.cfd/ 2024-10-11