theghostorder01

theghostorder01 is an underground threat actor handle identified by CloudSEK as a seller of phishing kits associated with a broader set of interconnected fraud/phishing clusters targeting Canadian citizens. The activity is characterized by high-fidelity impersonation of Canadian government services and major national brands (Government of Canada/canada.ca-themed portals, provincial fine-payment services, Canada Post, and Air Canada) to harvest PII and financial data at scale. CloudSEK assesses the operation aligns with the “PayTool” phishing ecosystem, including SMS-based social engineering lures (e.g., unpaid fines/infractions) that drive victims to a multi-step fake “Government of Canada”/“Traffic Ticket Search Portal” experience. Victims select a province and are routed to province-specific phishing domains; the flow includes a bogus “validation” step (accepting nearly any input) before a fraudulent payment gateway designed to capture personal and financial information. Infrastructure is described as resilient, using bulk-generated keyword-rich domains, URL shorteners, shared hosting/IP infrastructure (including >70 canada.ca-impersonating sites on 198.23.156.130 and related infrastructure in the 45.156.87.x range), and a “long tail” of generic reserve/fallback domains to rotate when provincial domains are flagged or blacklisted. A distinct cluster targets Air Canada via SEO poisoning and typosquatting (rather than primarily SMS), using cloned branding assets and infrastructure indicators such as matching favicon hashes and replicated page titles. Monetization is described as phishing-as-a-service (PhaaS) advertised on underground/dark web forums. Within this ecosystem, theghostorder01 is specifically reported as actively selling specialized phishing kits that mimic processes such as Ontario driver’s license renewal and that advertise harvesting PII, Interac e-Transfer banking credentials (for immediate account takeover), and credit card data (including CVV).