{
	"id": "fb7cb68e-f72a-43cc-bb93-a9e85cfae30a",
	"created_at": "2026-04-06T00:10:32.809726Z",
	"updated_at": "2026-04-10T13:12:41.783677Z",
	"deleted_at": null,
	"sha1_hash": "de20240a54e4a4d8dcc1a3d4c7e5102726269ada",
	"title": "Pivoting From PayTool: Tracking Various Frauds and E-Crime Targeting Canada",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2674139,
	"plain_text": "Pivoting From PayTool: Tracking Various Frauds and E-Crime\r\nTargeting Canada\r\nBy Jainam Shah\r\nPublished: 2026-01-28 · Archived: 2026-04-02 12:25:31 UTC\r\nCloudSEK’s latest investigation exposes a rapidly evolving fraud ecosystem targeting Canadians through highly\r\nconvincing impersonation of government services and trusted national brands. From fake traffic fines and tax\r\nrefunds to airline bookings and parcel delivery alerts, attackers are scaling operations using shared infrastructure\r\nand phishing-as-a-service models. The report reveals how urgency and institutional trust are weaponized, and\r\nwhat organizations must do to stay ahead.\r\nJanuary 27, 2026\r\nhttps://www.cloudsek.com/blog/pivoting-from-paytool-tracking-various-frauds-and-e-crime-targeting-canada\r\nPage 1 of 16\r\nExecutive Summary\r\nAs Canadian citizens increasingly rely on digital services for transportation, taxation, parcel delivery, and travel,\r\nthreat actors continue to exploit this dependency by deploying highly convincing impersonation campaigns that\r\nmimic trusted government bodies and national brands. CloudSEK discovered multiple interconnected fraud\r\nclusters that abuse traffic ticket enforcement themes, tax refund narratives, airline booking portals, and postal\r\ndelivery alerts to harvest personal and financial information at scale.\r\nA significant portion of the activity is aligned with the “PayTool” phishing ecosystem, a known fraud framework\r\nthat specializes in traffic violation and fine payment scams targeting Canadians through SMS-based social\r\nengineering. 
\r\nIn parallel, additional infrastructure was observed impersonating the Canada Revenue Agency (CRA), Air Canada,\r\nand Canada Post, indicating a broader fraud operation that reuses common design patterns. Furthermore, the\r\ninvestigation uncovered threat actors actively commercializing these campaigns on underground forums by selling\r\nspecialized phishing kits designed to mimic official government services and banking portals.\r\nModus Operandi\r\nVictims are primarily lured through SMS messages and malicious advertisements. The messages use high-pressure\r\npretexts (unpaid fines, failed deliveries, booking errors) while impersonating authoritative bodies such as\r\nPayBC, CRA, Canada Post, and Air Canada. The use of URL shorteners or typosquatted domains adds a layer of\r\nperceived legitimacy.\r\nUpon clicking, victims are not immediately asked for data. Instead, they are taken through a “fake validation”\r\nphase. This stage typically requests inputs such as ticket numbers, booking references, or account identifiers.\r\nHowever, these fields accept virtually any value and perform no real verification. Their sole purpose is to create an\r\nillusion of authenticity and to psychologically prime the victim by making the interaction appear official and\r\nprocedural.\r\nAfter this trust-building step, the site transitions to a fraudulent payment gateway. These pages closely mimic\r\nlegitimate payment processors but are in reality engineered to harvest personally identifiable information\r\n(PII) and financial data.\r\nFake webpage impersonating Traffic Ticket Search Portal\r\nAnalysis of Observed Infrastructure and Campaigns\r\nThe core theme observed across multiple clusters in this campaign is the impersonation of Canadian government\r\ntraffic enforcement and fine payment services. 
This activity strongly aligns with the previously documented\r\n“PayTool” ecosystem, which focuses on provincial traffic fines and parking violations, while also expanding into a\r\nbroader federal-style “Traffic Ticket Search Portal” model that aggregates multiple provinces under a single\r\ninterface.\r\nUnlike simple single-page phishing sites, this infrastructure is designed to simulate a centralized government\r\nservice. Victims are presented with what appears to be an official “Government of Canada” portal where they can\r\nselect their province (Alberta, British Columbia, Ontario, Quebec, Manitoba, Saskatchewan, etc.) to search for\r\noutstanding traffic violations. This mirrors how legitimate Canadian federal services provide entry points to\r\nprovincial systems, significantly strengthening the illusion of authenticity.\r\nOn analysis we found over 70 websites resolving to the IP address 198[.]23[.]156[.]130 that impersonate the\r\nlegitimate canada.ca. The inclusion of provincial logos and a “Traffic Ticket Search Portal – Government of\r\nCanada” banner establishes institutional trust before any data is requested.\r\nResults showing multiple Canada.ca-impersonating “Traffic Ticket Search Portal” domains hosted\r\non shared infrastructure\r\nFrom an operational perspective, this structure serves two major purposes:\r\nTrust Centralization: By positioning the page as a federal-level service, attackers reduce suspicion.\r\nVictims are conditioned to believe they are interacting with a legitimate nationwide government platform\r\nrather than a standalone site.\r\nScalability Across Provinces: A single template can be reused for multiple provinces, allowing threat\r\nactors to rapidly deploy localized scams without rebuilding infrastructure for each region.\r\nThis workflow mirrors legitimate provincial traffic enforcement portals 
such as PayBC and ServiceOntario,\r\nmaking it consistent with known PayTool attack patterns.\r\nDomain Pattern Observations\r\nThe domains associated with this cluster exhibit highly systematic naming conventions centered on the terms:\r\n“ticket”\r\n“traffic”\r\n“portal”\r\n“search”\r\n“violation”\r\n“infraction”\r\n“offence”\r\n“citation”\r\nThese naming patterns indicate automation and bulk generation rather than organic domain creation. The\r\nrepetition of terms reinforces the legitimacy narrative by matching keywords users expect when dealing with\r\nofficial traffic violation services.\r\nKey IP Relations:\r\n45[.]156[.]87[.]145\r\n45[.]156[.]87[.]131\r\n45[.]156[.]87[.]143\r\n45[.]156[.]87[.]213\r\nThe central node 45[.]156[.]87[.]145 exhibits a high-density relationship with multiple provincial\r\nphishing domains\r\nThe infrastructure allows for simultaneous targeting across different jurisdictions using the same hosting provider.\r\nBased on domain relation data, we discovered multiple phishing domains for different provinces:\r\nBritish Columbia (PayBC): paytool-bc-2025[.]com, bc-infraction[.]com, paybc-portal[.]live\r\nOntario (ServiceOntario): ontarioticketpay[.]live, ontario-paytool-2025[.]com, serviceon-ticket[.]live\r\nQuebec/Montreal: ville-montreal-pay[.]com, amende-enligne-qc[.]com, a25pont-laval[.]com (toll bridge\r\nimpersonation)\r\nBeyond the direct government impersonations, the relation data for 162[.]243[.]100[.]252 and the 45[.]156[.]87[.]x\r\nrange exposes a \"long tail\" of generic infraction domains, such as parking-portal[.]live and\r\noverdueticketinfraction[.]info.\r\nThis indicates that the PayTool threat actor maintains a pool of generic, fallback domains. 
When specific\r\nprovincial domains (like paybc-portal) are inevitably flagged or blacklisted by browser vendors, the actor can\r\nimmediately rotate traffic to these generic \"infraction\" sites to maintain campaign continuity.\r\nCanada Post Parcel \u0026 Redelivery Phishing \r\nFurther analysis of the infrastructure revealed a subset of domains mimicking Canada Post. While these specific\r\ndomains were inactive during the investigation, passive DNS data and reputation signals strongly suggest a\r\ncampaign focused on parcel delivery scams.\r\nThe naming conventions heavily utilize keywords associated with \"failed delivery\" narratives:\r\nredeliver\r\nhandling\r\nparcel\r\ncanpost / capost\r\nAlthough the domains were offline, their clustering around the same hosting provider aligns with the broader\r\n\"PayTool\" and ticket-fraud infrastructure. This indicates a consistent pattern of brand trust exploitation using\r\ndisposable domains to cast a wide net for victims.\r\nAir Canada Impersonation \u0026 Typosquatting\r\nA distinct branch of this campaign targets the travel sector through Air Canada impersonation. 
Unlike the ticket\r\nand postal scams, which rely heavily on SMS (smishing), this cluster appears driven by SEO poisoning and\r\ntyposquatting.\r\nObserved domain patterns include:\r\naircanda-booking[.]com (Character Omission)\r\nair-canaada-booking[.]com (Character Duplication)\r\nairscanada-booking[.]com (Character Insertion)\r\nScreenshot of the impersonated Air Canada landing page\r\nThe objective is to intercept users who mistype the legitimate domain or click malicious search engine ads.\r\nFurthermore, FOFA queries identified multiple servers hosting these domains using:\r\nIdentical favicon hashes matching the official Air Canada website.\r\nReplicated page titles.\r\nFOFA search results showing the cluster of Air Canada clones\r\nThis confirms the deliberate cloning of legitimate branding assets rather than superficial imitation. The attackers\r\nlikely leverage airline fraud because:\r\nUsers expect to enter payment details for bookings.\r\nModification and baggage fees provide a natural pretext for charges.\r\nTravel deadlines lower victim skepticism.\r\nThis expansion demonstrates that the threat actors are not limited to government service impersonation; they are\r\neffectively diversifying their targets to exploit commercial sectors where financial urgency is common.\r\nRelationship With Underground Forum Activity\r\nIntelligence gathered from various dark web cybercrime forums confirms that the proliferation of these localized\r\ncampaigns is being driven by a \"Phishing-as-a-Service\" (PhaaS) model. 
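The naming conventions listed under Domain Pattern Observations and the three typosquat forms seen in the Air Canada cluster can be turned into one repeatable triage check. The following Python script is an added example written for this page, not code from CloudSEK or from the report. Its keyword list, brand labels, allowlist, score weights and verdict thresholds are assumptions chosen to match the observations above; the sample indicators are taken from the report's IOC table, with aircanada.com and canada.ca added as legitimate controls. The script refangs each indicator, flags the lure keywords and the .live/.info TLDs the report singles out, and classifies a lookalike label by the single edit that separates it from a brand name (omission, duplication, insertion, substitution or transposition), preferring windows that line up with hyphen boundaries so that air-canaada-booking is reported as a duplication rather than as a transposition read off a truncated window.

```python
# Added example (not CloudSEK's code): triage defanged domain IOCs for the naming
# and typosquatting patterns described in the report. Keyword list, brand labels,
# allowlist, weights and thresholds are this example's own assumptions.
from dataclasses import dataclass, field

# Lure keywords from the report (plus 'amende', the French term in the Quebec domains).
LURE_KEYWORDS = ('ticket', 'traffic', 'portal', 'search', 'violation', 'infraction',
                 'offence', 'citation', 'parking', 'fine', 'speed', 'amende',
                 'parcel', 'redeliver', 'handling', 'canpost', 'capost', 'booking')
SUSPICIOUS_TLDS = ('live', 'info')     # TLDs the report singles out
BRANDS = ('aircanada', 'paybc', 'canadapost', 'serviceontario', 'paytool')  # hyphen-free labels
ALLOWLIST = ('aircanada.com', 'canada.ca')  # assumed legitimate hosts, exempt from scoring

@dataclass
class Triage:
    domain: str
    tld: str = ''
    tld_flag: bool = False
    keywords: list = field(default_factory=list)
    brand: str = ''
    edit: str = ''        # exact, omission, duplication, insertion, substitution, transposition
    score: int = 0
    verdict: str = 'low'

def refang(ioc):
    # Defanged indicator -> bare lowercase hostname (strip scheme and path).
    host = ioc.strip().lower().replace('[.]', '.')
    host = host.split('://', 1)[1] if '://' in host else host
    return host.split('/', 1)[0]

def classify_edit(candidate, brand):
    # Name the single edit turning brand into candidate; None if it takes more than one.
    if candidate == brand:
        return 'exact'
    la, lb = len(candidate), len(brand)
    if abs(la - lb) > 1:
        return None
    i = 0
    while i < min(la, lb) and candidate[i] == brand[i]:
        i += 1                                  # first differing position
    if la == lb:
        if candidate[i + 1:] == brand[i + 1:]:
            return 'substitution'
        swapped = i + 1 < la and candidate[i] == brand[i + 1] and candidate[i + 1] == brand[i]
        return 'transposition' if swapped and candidate[i + 2:] == brand[i + 2:] else None
    if la < lb:                                 # candidate dropped one character
        return 'omission' if candidate[i:] == brand[i + 1:] else None
    if candidate[i + 1:] != brand[i:]:          # candidate added one character at i
        return None
    prev_ch, next_ch = candidate[i - 1] if i else '', candidate[i + 1] if i + 1 < la else ''
    return 'duplication' if candidate[i] in (prev_ch, next_ch) else 'insertion'

def find_brand(label):
    # Slide windows of len(brand)-1..len(brand)+1 over the label with separators removed.
    # Windows aligned to '-'/'.' boundaries win ties, so 'air-canaada-booking' is reported
    # as a duplication rather than as a transposition read off the shorter window 'aircanaad'.
    tokens = label.replace('.', '-').split('-')
    flat, bounds, pos = ''.join(tokens), {0}, 0
    for token in tokens:
        pos += len(token)
        bounds.add(pos)
    best = None                                 # (rank, brand, kind); lowest rank wins
    for brand in BRANDS:
        for start in range(len(flat)):
            for width in (len(brand), len(brand) - 1, len(brand) + 1):
                window, end = flat[start:start + width], start + width
                if len(window) != width or (kind := classify_edit(window, brand)) is None:
                    continue
                rank = (kind != 'exact', not (start in bounds and end in bounds))
                if best is None or rank < best[0]:
                    best = (rank, brand, kind)
    return (best[1], best[2]) if best else ('', '')

def triage(ioc):
    result = Triage(domain=refang(ioc))
    if result.domain in ALLOWLIST:
        result.verdict = 'allowlisted'
        return result
    parts = result.domain.split('.')
    name = '.'.join(parts[:-1]) if len(parts) > 1 else result.domain   # naive: no public-suffix list
    result.tld = parts[-1] if len(parts) > 1 else ''
    result.tld_flag = result.tld in SUSPICIOUS_TLDS
    compact = name.replace('.', '').replace('-', '')
    result.keywords = [k for k in LURE_KEYWORDS if k in compact]       # substring hit: a triage aid, not proof
    result.brand, result.edit = find_brand(name)
    result.score = 2 * len(result.keywords) + 2 * result.tld_flag + 3 * bool(result.brand)
    result.verdict = 'likely-lure' if result.score >= 5 else 'suspicious' if result.score >= 3 else 'low'
    return result

def triage_all(iocs):
    return sorted((triage(i) for i in iocs), key=lambda t: -t.score)

if __name__ == '__main__':
    # Sample: indicators from the report's IOC table plus two legitimate control hosts.
    sample = ['paybc-portal[.]live', 'aircanda-booking[.]com', 'air-canaada-booking[.]com',
              'airscanada-booking[.]com', 'overdueticketinfraction[.]info',
              'capost[.]redeliverparcel[.]info', 'paytoll-canada[.]com', 'aircanada.com', 'canada.ca']
    for t in triage_all(sample):
        print(f'{t.score:2d} {t.verdict:12s} {t.domain:32s} brand={t.brand}:{t.edit} kw={t.keywords}')
```

Run it directly to print the sample ranked by score. The substring keyword match and the one-edit brand check are deliberately cheap so they can run over passive DNS or certificate transparency feeds, and a hit is a reason to look, not a verdict: a freshly registered domain with no keyword at all (ville-montreal-pay[.]com in the table) needs the registration-age and shared-hosting pivots the report relies on, which this offline check does not cover.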
Our analysis identified a threat actor\r\noperating under the alias 'theghostorder01', actively selling a specialized phishing kit designed to mimic the\r\nOntario Driver's License Renewal process on multiple dark web forums.\r\nThreat actor listing the Ontario scam page on DarkForums, source: GTI CloudSEK\r\nThe advertisement highlights the kit's capability to harvest high-value data points, including:\r\nPersonal Information (PII): Full name, address, and license details.\r\nBanking Credentials: Specifically targeting Interac e-Transfer logins to facilitate immediate account\r\ntakeovers.\r\nPayment Data: Credit card numbers and CVV codes.\r\nScreenshot shared by the threat actor of the impersonated Ontario driver's license page, claiming the kit\r\nincludes 14 bank pages.\r\nThe actor facilitates sales and support via several Telegram channels. To validate these claims, one of our sources\r\nengaged with the threat actor. During the interaction, the seller was unable to demonstrate any server-side data\r\nhandling or hosted infrastructure. When questioned about how victim data would be captured and delivered,\r\nthe actor gave only vague responses, stating that results would be sent via email or messaging platforms.\r\nWhile the handling of the exfiltrated data is in most cases the responsibility of the buyer, the barrier to setting up\r\nthe backend infrastructure has lowered significantly. Threat actors can now use generative AI tools to rapidly script\r\nbackend logic to process victim data. 
Additionally, instead of a complex server-side database, captured victim data can\r\nbe pushed via API directly to bots on messaging platforms in real time, functionality that\r\nrequires minimal technical skill to implement.\r\nThreat Actor Profiling\r\nActive since: 2024\r\nReputation: 0\r\nCurrent Status: ACTIVE\r\nHistory: The threat actor has been active for at least two years and operates under the same username\r\nacross multiple underground forums. Recent leaks revealed the email\r\ntheghostorder01@gmail.com. The activity consists mainly of advertising and selling custom phishing\r\n(“scampage”) source code targeting banks, cryptocurrency platforms, webmail providers,\r\ngovernment services, and e-commerce brands, primarily targeting the UK, Canada, Australia and the\r\nUnited States.\r\nRating: Medium\r\nPayment Methods: USDT (TRC-20), Bitcoin (BTC)\r\nCrypto Assets (USDT): TWNCawkk3NbPZsY6mdnog8Sn7rS2vue95d\r\nCrypto Assets (Bitcoin): bc1qvhxkqujf347apsgy65ffykste0jy6txhgejhm048ukrys7cm6d3q2v4ze7\r\nImpact & Risk Assessment\r\nMass Data Compromise: Large-scale compromise of PII and financial data, including credit card details\r\nand Interac e-Transfer credentials, enabling account takeovers and direct financial fraud.\r\nErosion of Public Trust: Increased erosion of victim trust in legitimate Canadian government and national\r\nbrand services (CRA, Canada Post, Air Canada, PayBC, ServiceOntario).\r\nSector Diversification: Expanded attack surface through diversification into multiple sectors (government\r\nservices, postal delivery, and airlines), which increases overall fraud exposure.\r\nReputational Risk: Potential regulatory and reputational risk for organizations whose brands and\r\ninfrastructure are abused in these high-fidelity phishing campaigns.\r\nMitigation\r\nEnforce 
proactive domain monitoring for typosquatting and keyword-based domains (e.g., ticket, portal,\r\ninfraction, booking, parcel) and initiate rapid takedown procedures.\r\nImplement DNS and web gateway controls to block newly registered domains, suspicious TLDs (.live,\r\n.info), and known PayTool-related IP ranges.\r\nStrengthen public awareness campaigns emphasizing that Canadian government agencies and airlines do\r\nnot request payments or sensitive data via SMS links.\r\nDeploy threat intelligence-driven detections to identify shared hosting patterns, favicon hashes, and page\r\ntitle reuse across phishing infrastructure.\r\nEncourage users to access services only through official bookmarked portals (e.g., canada.ca, PayBC,\r\nServiceOntario, aircanada.com) rather than through links in messages or ads.\r\nConclusion\r\nThis investigation highlights a significant evolution in phishing campaigns targeting the Canadian demographic.\r\nMoving beyond generic \"tax refund\" lures, threat actors are now leveraging highly localized and context-aware\r\nthemes ranging from PayBC speeding fines and ServiceOntario renewals to Air Canada booking modifications.\r\nThe discovery of phishing kit developers on the dark web confirms that this is a commoditized operation, ensuring\r\na steady supply of fresh domains and updated templates.\r\nAs these attacks rely heavily on urgency (unpaid fines) and trust (government branding), organizations and users\r\nmust remain vigilant against domains utilizing irregular TLDs (e.g., .live, .info) and verify links directly through\r\nofficial provincial portals.\r\nDomain | Registrar | Creation Date | Updated Date | Expiration Date\r\njustice-ticket-portal[.]com | MAT BAO CORPORATION | 2025-12-14 | 2025-12-14 | 2026-12-14\r\npaybc-portal[.]live | PDR Ltd. d/b/a PublicDomainRegistry.com | 2025-07-19 | 2025-07-19 | 2026-07-19\r\nbc-account[.]com | PDR Ltd. d/b/a PublicDomainRegistry.com | 2024-05-20 | 2024-05-20 | 2025-05-20\r\npaytool-bc-2025[.]com | Hosting Concepts B.V. d/b/a Registrar.eu | 2025-07-14 | 2025-07-24 | 2026-07-14\r\npaybconline-ticket[.]live | PDR Ltd. d/b/a PublicDomainRegistry.com | 2025-06-29 | 2025-11-24 | 2026-06-29\r\nbc-infraction[.]com | NICENIC INTERNATIONAL GROUP CO., LIMITED | 2025-10-19 | 2025-10-27 | 2026-10-19\r\nvancouver-infraction[.]com | NICENIC INTERNATIONAL GROUP CO., LIMITED | 2025-10-20 | 2025-10-22 | 2026-10-20\r\nontarioticketpay[.]live | PDR Ltd. d/b/a PublicDomainRegistry.com | 2025-07-09 | 2025-11-24 | 2026-07-09\r\nontario-paytool-2025[.]com | Hosting Concepts B.V. d/b/a Registrar.eu | 2025-07-09 | 2025-07-27 | 2026-07-09\r\nserviceon-ticket[.]live | PDR Ltd. d/b/a PublicDomainRegistry.com | 2025-06-29 | 2025-07-04 | 2026-06-29\r\noverdueticketinfraction[.]info | NameSilo, LLC | 2025-08-07 | 2025-10-21 | 2026-08-07\r\nville-montreal-pay[.]com | Hosting Concepts B.V. d/b/a Registrar.eu | 2025-07-06 | 2025-07-24 | 2026-07-06\r\namende-enligne-qc[.]com | Hosting Concepts B.V. d/b/a Registrar.eu | 2025-07-05 | 2025-07-24 | 2026-07-05\r\nville-montreal-ticket[.]live | PDR Ltd. d/b/a PublicDomainRegistry.com | 2025-06-22 | 2025-11-24 | 2026-06-22\r\na25pont-laval[.]com | NICENIC INTERNATIONAL GROUP CO., LIMITED | 2025-10-21 | 2025-10-24 | 2026-10-21\r\npaytool-ab-2025[.]com | Hosting Concepts B.V. d/b/a Registrar.eu | 2025-07-14 | 2025-07-24 | 2026-07-14\r\nserviceab-ticket[.]live | PDR Ltd. d/b/a PublicDomainRegistry.com | 2025-06-29 | 2025-07-11 | 2026-06-29\r\nab-speed[.]com | NICENIC INTERNATIONAL GROUP CO., LIMITED | 2025-10-16 | 2025-10-20 | 2026-10-16\r\nabmarketworks[.]com | DYNADOT LLC | 2003-05-18 | 2025-06-27 | 2026-05-18\r\noutel[.]abmarketworks[.]com | Dynadot Inc | 2003-05-18 | 2025-06-27 | 2026-05-18\r\nparking-portal[.]live | PDR Ltd. d/b/a PublicDomainRegistry.com | 2025-07-09 | 2025-07-14 | 2026-07-09\r\nunpaid-ticket-ca[.]live | PDR Ltd. d/b/a PublicDomainRegistry.com | 2025-06-26 | 2025-11-24 | 2026-06-26\r\nparking-fines[.]com | OwnRegistrar, Inc. | 2025-12-16 | 2025-12-20 | 2026-12-16\r\nspeedfines[.]com | OwnRegistrar, Inc. | 2025-12-08 | 2025-12-15 | 2026-12-08\r\npaytoll-canada[.]com | TUCOWS DOMAINS, INC. | 2025-07-03 | 2025-07-09 | 2026-07-03\r\nquickplate-check[.]com | OwnRegistrar, Inc. | 2025-06-29 | 2025-06-29 | 2026-06-29\r\nticket-search-portal[.]com | MAT BAO CORPORATION | 2025-11-29 | 2025-12-09 | 2026-11-29\r\nsearch-ticket-portal[.]com | MAT BAO CORPORATION | 2025-11-29 | 2025-12-09 | 2026-11-29\r\nticket-search-violation[.]com | MAT BAO CORPORATION | 2025-11-29 | 2025-12-09 | 2026-11-29\r\nticket-search-violations[.]com | MAT BAO CORPORATION | 2025-11-29 | 2025-12-09 | 2026-11-29\r\nticket-portal-search[.]com | MAT BAO CORPORATION | 2025-11-29 | 2025-12-09 | 2026-11-29\r\nsearch-portal-ticket[.]com | MAT BAO CORPORATION | 2025-11-29 | 2025-12-09 | 2026-11-29\r\nticket-portal-infractions[.]com | MAT BAO CORPORATION | 2025-11-29 | 2025-12-09 | 2026-11-29\r\nticket-portal-infraction[.]com | MAT BAO CORPORATION | 2025-11-29 | 2025-12-09 | 2026-11-29\r\nticket-portal-violations[.]com | MAT BAO CORPORATION | 2025-11-29 | 2025-12-09 | 2026-11-29\r\nticket-portal-violation[.]com | MAT BAO CORPORATION | 2025-11-29 | 2025-12-09 | 2026-11-29\r\nmy-traffic-ticket-portal[.]com | Global Domain Group LLC | 2025-09-23 | 2025-12-12 | 2026-09-23\r\nmy-traffic-tickets-portal[.]com | Global Domain Group LLC | 2025-10-22 | 2025-10-30 | 2026-10-22\r\nmy-traffics-citations[.]com | Dominet (HK) Limited | 2025-10-28 | 2025-11-04 | 2026-10-28\r\nmy-traffics-citation[.]com | Dominet (HK) Limited | 2025-10-28 | 2025-11-04 | 2026-10-28\r\nmy-traffic-citations[.]com | Dominet (HK) Limited | 2025-10-28 | 2025-11-04 | 2026-10-28\r\nmy-traffic-citation[.]com | Dominet (HK) Limited | 2025-10-28 | 2025-11-04 | 2026-10-28\r\nmy-traffic-violations[.]com | Global Domain Group LLC | 2025-10-23 | 2025-10-30 | 2026-10-23\r\nmy-traffic-violation[.]com | Dominet (HK) Limited | 2025-10-22 | 2025-11-02 | 2026-10-22\r\nmy-traffic-offence[.]com | Global Domain Group LLC | 2025-10-24 | 2025-10-30 | 2026-10-24\r\npostcan-track-elment[.]live | PDR Ltd. d/b/a PublicDomainRegistry.com | 2025-06-18 | 2025-11-24 | 2026-06-18\r\nhandlingpostecan1[.]com | PDR Ltd. d/b/a PublicDomainRegistry.com | 2025-07-24 | 2025-09-07 | 2026-07-24\r\nwww[.]handlingpostecan1[.]com | PDR Ltd. d/b/a PublicDomainRegistry.com | 2025-07-24 | 2025-09-07 | 2026-07-24\r\nredeliverparcel[.]info | PDR Ltd. d/b/a PublicDomainRegistry.com | 2025-09-18 | 2025-09-27 | 2026-09-18\r\ncapost[.]redeliverparcel[.]info | - | 2025-09-18 | 2025-09-18 | 2025-09-16\r\nhandlingxpress[.]info | PDR Ltd. d/b/a PublicDomainRegistry.com | 2025-09-13 | 2025-09-18 | 2026-09-13\r\ncapost[.]handlingxpress[.]info | - | 2025-09-13 | 2025-09-13 | 2026-09-13\r\nhandlingparcel[.]info | NameSilo, LLC | 2025-09-07 | 2025-10-21 | 2026-09-07\r\ncanpost[.]handlingparcel[.]info | - | 2025-09-07 | 2025-09-07 | 2026-09-07\r\naircanda-booking[.]com | NAMECHEAP INC | 2025-08-06 | 2025-08-06 | 2026-08-06\r\nair-canaada-booking[.]com | NAMECHEAP INC | 2025-11-03 | 2025-11-04 | 2026-11-03\r\nairscanada-booking[.]com | NAMECHEAP INC | 2025-11-03 | 2025-11-04 | 2026-11-03\r\nIP Addresses\r\n45[.]156[.]87[.]145\r\n45[.]156[.]87[.]131\r\n45[.]156[.]87[.]143\r\n45[.]156[.]87[.]213\r\n198[.]23[.]156[.]130\r\n162[.]243[.]100[.]252\r\n192[.]109[.]138[.]183\r\n209[.]141[.]50[.]110\r\n3[.]99[.]171[.]190\r\n15[.]223[.]72[.]181\r\n35[.]183[.]85[.]238\r\n3[.]97[.]15[.]116\r\n35[.]183[.]132[.]238\r\n35[.]182[.]194[.]55\r\n3[.]96[.]139[.]96\r\n15[.]156[.]206[.]92\r\n3[.]97[.]9[.]55\r\n99[.]79[.]60[.]130\r\nReferences:\r\nIntelligence source and information reliability, Wikipedia\r\nTraffic Light Protocol, Wikipedia\r\nhttps://flare.io/learn/resources/blog/paytool-targets-canadians-traffic-scams/\r\nSource: https://www.cloudsek.com/blog/pivoting-from-paytool-tracking-various-frauds-and-e-crime-targeting-canada",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cloudsek.com/blog/pivoting-from-paytool-tracking-various-frauds-and-e-crime-targeting-canada"
	],
	"report_names": [
		"pivoting-from-paytool-tracking-various-frauds-and-e-crime-targeting-canada"
	],
	"threat_actors": [
		{
			"id": "dd58c865-4f58-4218-a38e-82f75d7c9589",
			"created_at": "2026-02-11T02:00:03.944309Z",
			"updated_at": "2026-04-10T02:00:03.969964Z",
			"deleted_at": null,
			"main_name": "PayTool",
			"aliases": [],
			"source_name": "MISPGALAXY:PayTool",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434232,
	"ts_updated_at": 1775826761,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/de20240a54e4a4d8dcc1a3d4c7e5102726269ada.pdf",
		"text": "https://archive.orkl.eu/de20240a54e4a4d8dcc1a3d4c7e5102726269ada.txt",
		"img": "https://archive.orkl.eu/de20240a54e4a4d8dcc1a3d4c7e5102726269ada.jpg"
	}
}