Active Scam Impersonating the Government of Alberta

TLP:CLEAR

Source: CyberAlberta Investigation

Summary

CyberAlberta Threat Intelligence has received multiple reports of a malicious domain impersonating the Government of Alberta, claiming to offer Canada Carbon Rebate (CCR) payments to illicit personally identifiable information (PII) from members of the public.

The threat actor is using this scam in an attempt to gather alberta.ca usernames, social security numbers, and mother’s maiden names. These details are almost certainly later leveraged in attempts to commit fraud. This scam has been observed being delivered on Facebook but could be leveraging other social media platforms also.

Figure 1 – Screenshot of the CCR scam observed on Facebook.

Threat Actor Infrastructure

The malicious domain used to host this scam albertagov[.]ca was recently created on June 3rd and currently resolves to IP address 47.239.216[.]183 owned by Alibaba US Technology (AS45102) and based in Hong Kong. Both the domain and IP address have low to no reports of previous malicious activity on open-source repositories.

The IP address also hosts the following Alberta-themed domains which are/were likely used for the same fraudulent style activity advertising fake CCR payments:

myalbertaccr[.]ca
ccr-alberta[.]info

Recommendations

Users are strongly encouraged to be aware of this scam and others like it, to not engage with them, and to report any observations of future similar scams to the owners of the platform it is found on.
If any users have engaged with this scam and have submitted the requested PII, they should:
Contact their banks only if they have reason to believe their financial information has also been compromised
If users can no longer access their alberta.ca accounts using their passwords, it could be a sign of account takeover. In this case, it is once again strongly advised to contact alberta.ca by using their urgent issues hotline (844) 643‐2789.
Network defenders are advised to block the indicators of compromise (IOCs) listed below, review logs for signs of user impact related to this scam, and engage with affected users to ascertain the context of the activity and enhance awareness.

Indicators of Compromise

Indicator	Further Detail
47.239.216[.]183	Alibaba US Technology (AS45102)
albertagov[.]ca	Reported domain
affordabilityactionplan.albertagov[.]ca
myalbertaccr[.]ca
ccr-alberta[.]info

Source link

What's Hot

JetBrains security advisory (AV26-364) – Canadian Centre for Cyber Security

Delta Electronics ASDA-Soft | CISA

The Destroyed Remnants of a Lost World Are Falling to Earth, Scientists Discover

JetBrains security advisory (AV26-364) – Canadian Centre for Cyber Security

Delta Electronics ASDA-Soft | CISA

ZDI-26-287: DriveLock Directory Traversal Information Disclosure Vulnerability

Global Takedown of Massive IoT Botnets Halts Record-Breaking Cyberattacks

The Grandparent Scam: How AI Voice Technology Makes This Old Con Deadlier Than Ever

Catchy & Intriguing

Pico 4 Review: Should You Actually Buy One Instead Of Quest 2?

A Review of the Venus Optics Argus 18mm f/0.95 MFT APO Lens

DJI Avata Review: Immersive FPV Flying For Drone Enthusiasts

Most Popular

Global Takedown of Massive IoT Botnets Halts Record-Breaking Cyberattacks

The Grandparent Scam: How AI Voice Technology Makes This Old Con Deadlier Than Ever

Catchy & Intriguing

Our Picks

JetBrains security advisory (AV26-364) – Canadian Centre for Cyber Security

Delta Electronics ASDA-Soft | CISA

The Destroyed Remnants of a Lost World Are Falling to Earth, Scientists Discover

Subscribe to Updates

What's Hot

Active Scam Impersonating the Government of Alberta