Date: 02/02/2026
Severity: Medium
Summary
A phishing campaign is leveraging SEO poisoning to push fake traffic ticket search portals to the top of search engine results. The fraudulent sites impersonate the Government of Canada and multiple provincial agencies—including Ontario, Quebec, British Columbia, Alberta, Manitoba, and Saskatchewan—to lure victims into searching for and paying supposed outstanding traffic violations. This tactic exploits user trust in official government services to steal sensitive information and potentially facilitate financial fraud.
Indicators of Compromise (IOC) List
URLs/Domains | my-traffic-ticket-portal.com my-traffic-tickets-portal.com search-ticket-portal.com ticket-portal-infraction.com ticket-portal-infractions.com ticket-portal-search.com ticket-portal-violations.com ticket-search-portal.com ticket-search-violation.com ticket-search-violations.com search-portal-ticket.com ticket-portal-violation.com |
IP Address | 198.23.156.130 |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 : | domainname like "ticket-portal-violation.com" or siteurl like "ticket-portal-violation.com" or url like "ticket-portal-violation.com" or domainname like "my-traffic-tickets-portal.com" or siteurl like "my-traffic-tickets-portal.com" or url like "my-traffic-tickets-portal.com" or domainname like "ticket-portal-infraction.com" or siteurl like "ticket-portal-infraction.com" or url like "ticket-portal-infraction.com" or domainname like "ticket-search-violation.com" or siteurl like "ticket-search-violation.com" or url like "ticket-search-violation.com" or domainname like "ticket-portal-violations.com" or siteurl like "ticket-portal-violations.com" or url like "ticket-portal-violations.com" or domainname like "ticket-search-violations.com" or siteurl like "ticket-search-violations.com" or url like "ticket-search-violations.com" or domainname like "ticket-portal-infractions.com" or siteurl like "ticket-portal-infractions.com" or url like "ticket-portal-infractions.com" or domainname like "ticket-search-portal.com" or siteurl like "ticket-search-portal.com" or url like "ticket-search-portal.com" or domainname like "my-traffic-ticket-portal.com" or siteurl like "my-traffic-ticket-portal.com" or url like "my-traffic-ticket-portal.com" or domainname like "search-ticket-portal.com" or siteurl like "search-ticket-portal.com" or url like "search-ticket-portal.com" or domainname like "ticket-portal-search.com" or siteurl like "ticket-portal-search.com" or url like "ticket-portal-search.com" or domainname like "search-portal-ticket.com" or siteurl like "search-portal-ticket.com" or url like "search-portal-ticket.com" |
Detection Query 2 : | dstipaddress IN ("198.23.156.130") or srcipaddress IN ("198.23.156.130") |
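The following is an added example, not part of the original advisory and not Gurucul code. It applies the same IOCs to proxy or DNS records in Python, matching the hostname exactly or as a subdomain, and additionally flags unlisted domains assembled from the same words as the listed ones. The word list, the `classify` labels and the sample records are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# IOC values copied from the advisory above.
IOC_DOMAINS = {
    "my-traffic-ticket-portal.com", "my-traffic-tickets-portal.com",
    "search-ticket-portal.com", "ticket-portal-infraction.com",
    "ticket-portal-infractions.com", "ticket-portal-search.com",
    "ticket-portal-violations.com", "ticket-search-portal.com",
    "ticket-search-violation.com", "ticket-search-violations.com",
    "search-portal-ticket.com", "ticket-portal-violation.com",
}
IOC_IPS = {"198.23.156.130"}

# Assumption: campaign domains are hyphen-joined from these words only.
VOCAB = {"my", "traffic", "ticket", "tickets", "portal", "search",
         "infraction", "infractions", "violation", "violations"}

def host_of(url_or_host):
    """Return the lowercase hostname from a URL or a bare host string."""
    s = url_or_host.strip().lower()
    host = urlsplit(s if "://" in s else "//" + s).hostname or ""
    return host.rstrip(".")

def classify(url_or_host, dst_ip=""):
    """Return 'ioc', 'lookalike' or 'clean' for one proxy or DNS record."""
    host = host_of(url_or_host)
    if dst_ip in IOC_IPS or host in IOC_IPS:
        return "ioc"
    # Exact host or subdomain of a listed domain, never a substring match.
    if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
        return "ioc"
    # Simplification: the label left of the TLD is taken as the domain name.
    labels = host.split(".")
    words = set(labels[-2].split("-")) if len(labels) >= 2 else set()
    if len(words) >= 3 and words <= VOCAB and words & {"ticket", "tickets"}:
        return "lookalike"
    return "clean"

# Constructed sample records: (requested URL, destination IP).
SAMPLE = [
    ("https://www.ticket-search-violations.com/pay", "198.23.156.130"),
    ("http://ticket-infraction-search.com/", "203.0.113.7"),
    ("https://search.example.org/?q=ticket-portal-search.com", "203.0.113.8"),
]

if __name__ == "__main__":
    for url, ip in SAMPLE:
        print(f"{classify(url, ip):9} {url}")
```

A `lookalike` result is a triage lead for an analyst, not a confirmed indicator.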
Reference:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-01-30-IOCs-for-traffic-ticket-search-portal-themed-phishing.txt