Fraud Strikes U.S. Travel Authorization Agency

Last year, the U.S. government passed a law making mandatory online registration for travel for all citizens from countries eligible for the Visa Waiver Program. The Visa Waiver Program is available to citizens from the European Union, but also to citizens from other countries such as Switzerland, Japan, South Korea, and Singapore.

The registration has to be made 72 hours prior of traveling into the United States. This registration can be made only through an online form, the Electronic System for Travel Authorization (ESTA), available at the official website of the Department of Homeland Security at https://esta.obp.dhs.gov. This registration is currently free. Once a traveler registers, it remains valid for two years, regardless of the amount of travels into the United States.

As part of the Tourism Promotion Act, from September 8, 2010, onward all visitors using the Visa Waiver Program will be charged US$14 to complete this immigration form. Out of this fee, $10 will be used for international campaigns to promote holiday travels and tourism in the United States, the other $4 is an administration fee.

We weren’t surprised that some people soon figured out how to make money from this, especially as the application and payment by credit card must be made online. We’ve seen similar fraud in relation to green card application scams in the past. McAfee Labs research has shown that both types of fraud are related, and it is likely that the ESTA fee scam is run by the same organizations as the green card scammers.

McAfee has also noticed that most search results for “ESTA,” “ESTA form,” or “ESTA online registration” lead to fraudulent websites, especially if the search terms are run in non-English languages. Even worse: Most sponsored ads are leading to fraudulent websites, too.

Examining these sites, we discovered three common types of fraud. The first type offers a basic service to fill out the form for somebody, but at extra costs ranging from $30-$250. These services are rather harmless, because users probably still get their online registration. The biggest risk here is the loss of personal information to third parties, which may result in spam emails or other types of unrequested contact. In worse cases, providing personal travel dates could end in burglary, as users provide their addresses and the information when their homes will be uninhabited.

More critical than these are sites that are primarily set up to gather personal information. This type of phishing is even worse that the common banking-related phishing: Rather than banking or credit card information, users are required to enter their date of birth, passport IDs, contact address, and other personal information, in addition to the questions that are mandatory for U.S. immigration, such as medical diseases, crime records, or information about espionage activities or war crimes. These sites are even constructed to grab the information of traveling family members as well.

The third type of fraudulent sites related to the ESTA registration offer application guides or forms for download. These download forms are simply malware. It is essential you not download anything from these sites. The ESTA form is a web-based application; no forms need to be downloaded.

What these sites have in common is that they pretend to look like official government websites. Some are even available in other languages such as Japanese, German, or French. One ESTA phishing site we examined is available in 12 languages. These sites simulate authenticity by using common icons or a “safe” governmental link somewhere on the page. Some include a long section with privacy and service-term disclaimers. It is ironic that they warn users to be careful of fraudulent websites stealing your private information or overcharging for the use of their services:

Warning! Applying through a third party website may not comply with ESTA regulations. Beware of fraudulent websites that collect your private information and claim to submit the application on your behalf. Applying for your own Travel Authorization is the only way to be 100% sure that your application was submitted properly. Travelers with an invalid ESTA Travel Authorization will be denied entry by U.S. Customs and Border Protection. Download the Application Guide below and submit your own ESTA application today.

In summary, the online registration is available only at the official site of the Department of Homeland security at https://esta.cbp.dhs.gov. This secure government website gives you all important information; it is even available in all 22 languages of the countries that qualify for the Visa Waiver Program. There is no need to use a third-party service for this immigration form. Every other site offering such a service is scam–charging extra, stealing personal information, or just spreading malware.