[SCAM ALERT 052] – Beck Taxi


Beck Taxi is the leading provider of taxicab services in Toronto, Ontario, Canada.

During our PreCrime internet scout of October 5th 2022 we identified suspicious markers across multiple vectors.


The Attack

Target:

Residents in Toronto, Canada

Possible threats:

  • Phishing campaign – luring customers to the site by sending them a message impersonating the taxi company with a link to the malicious domain.
  • Credential harvesting and financial gain – after being lured to the site, users are directed to order a taxi and asked to enter their personal and financial details.

Technical Breakdown

Threat Indicators

  • Malicious domain impersonating Beck Taxi
  • DNS records of the malicious domain differ from those of Beck Taxi
  • Malicious site uses a different method to order a taxi
  • Newly registered site – September 30 2022
  • SSL certificate expires after three months

Detection and Threat Analysis

The malicious domain, nlgb-ibank-gr[.]net, has been targeting Beck Taxi (becktaxi.com), an independent, family-owned taxi brokerage founded in 1967 and the largest in Toronto, Canada. The malicious domain was created September 30, 2022 and detected by bfore.ai October 4, 2022.

  • The website content completely duplicates the original website with small differences. The malicious domain includes links to the legitimate website for all links except the ‘Order a Beck’ link. This link leads to a site where users need to enter their personal information, including pick-up location, destination and payment type. On the legitimate website, users are guided through a web taxi booker where the user first needs to validate a phone number. This indicates that the malicious domain is most likely attempting to steal the names and phone numbers, and potentially also the bank details, of customers.
  • The DNS records are very different from the DNS records of the legitimate website. The legitimate domain is registered in Canada with a Canadian IP address and in the company’s name, whereas the malicious domain is registered in the Netherlands with an American IP address. See the details below.
  • The registered SSL certificate expires after three months, indicating malicious intent.
  • The IP address has had some malicious traffic, with malicious .EXE files communicating with it in 2022.
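The indicators above (a domain registered days before it was seen, a 90-day certificate, a registration and hosting profile that differs from the brand's, and a cloned page whose only off-brand link is the order form) can be turned into a repeatable triage check. The following Python is an added example written for this page, not bfore.ai's PreCrime code. The `BrandProfile` and `DomainObservation` records, the scoring weights, and both landing-page snippets are constructed for illustration; the creation date and certificate dates used for becktaxi.com are placeholders, not its real WHOIS or certificate data, and the malicious domain is kept in its defanged form. The certificate-lifetime check is deliberately given a low weight, since automated CAs issue 90-day certificates to legitimate sites as well.

```python
from dataclasses import dataclass
from datetime import date
from html.parser import HTMLParser
from urllib.parse import urlparse


@dataclass
class BrandProfile:
    """Reference profile of the legitimate brand domain."""
    domain: str
    registrant_country: str
    ip_country: str


@dataclass
class DomainObservation:
    """What one scout run recorded for a candidate domain (constructed here)."""
    domain: str
    created: date            # WHOIS creation date
    observed: date           # date the scout saw the domain
    cert_not_before: date
    cert_not_after: date
    registrant_country: str  # registrant country from WHOIS
    ip_country: str          # GeoIP country of the A record
    html: str = ""           # landing page body


class _LinkCollector(HTMLParser):
    """Gather href attributes from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def link_hosts(html, page_host):
    """Return the host each <a href> points to; relative links stay on page_host."""
    collector = _LinkCollector()
    collector.feed(html)
    return [urlparse(href).hostname or page_host for href in collector.links]


def score_lookalike(obs, brand, young_days=30, short_cert_days=90):
    """Score a candidate domain against the brand profile; higher is more suspicious."""
    score, reasons = 0, []
    age = (obs.observed - obs.created).days
    if age <= young_days:
        score += 3
        reasons.append(f"domain registered {age} day(s) before observation")
    cert_life = (obs.cert_not_after - obs.cert_not_before).days
    if cert_life <= short_cert_days:
        # Weak signal on its own: automated CAs issue 90-day certificates to legitimate sites too.
        score += 1
        reasons.append(f"certificate valid for only {cert_life} days")
    if obs.registrant_country != brand.registrant_country:
        score += 2
        reasons.append(f"registrant country {obs.registrant_country} differs from brand {brand.registrant_country}")
    if obs.ip_country != brand.ip_country:
        score += 2
        reasons.append(f"hosting country {obs.ip_country} differs from brand {brand.ip_country}")
    hosts = link_hosts(obs.html, obs.domain)
    if hosts:
        to_brand = sum(h == brand.domain for h in hosts)
        off_brand = [h for h in hosts if h != brand.domain]
        # A clone typically keeps the brand's navigation links and swaps only the call to action.
        if to_brand / len(hosts) >= 0.5 and off_brand:
            score += 3
            reasons.append(f"{to_brand}/{len(hosts)} links go to the brand, {len(off_brand)} lead elsewhere")
    return score, reasons


# Constructed sample data mirroring the alert (dates for becktaxi.com are placeholders).
BRAND = BrandProfile(domain="becktaxi.com", registrant_country="CA", ip_country="CA")

CLONE_HTML = """
<a href="https://becktaxi.com/about">About</a>
<a href="https://becktaxi.com/careers">Careers</a>
<a href="https://becktaxi.com/contact">Contact</a>
<a href="/order">Order a Beck</a>
"""
LEGIT_HTML = """
<a href="/about">About</a>
<a href="/careers">Careers</a>
<a href="/book">Order a Beck</a>
"""

SUSPECT = DomainObservation(
    domain="nlgb-ibank-gr[.]net", created=date(2022, 9, 30), observed=date(2022, 10, 4),
    cert_not_before=date(2022, 9, 30), cert_not_after=date(2022, 12, 29),
    registrant_country="NL", ip_country="US", html=CLONE_HTML)

LEGIT = DomainObservation(
    domain="becktaxi.com", created=date(2000, 1, 1), observed=date(2022, 10, 4),
    cert_not_before=date(2022, 6, 1), cert_not_after=date(2023, 6, 1),
    registrant_country="CA", ip_country="CA", html=LEGIT_HTML)

if __name__ == "__main__":
    for obs in (SUSPECT, LEGIT):
        total, why = score_lookalike(obs, BRAND)
        print(obs.domain, total, why)
```

Running the block scores the suspect domain 11 with five reasons and the legitimate domain 0. The link check is the one that separates a clone from a merely new site: the brand's own pages link to themselves, whereas the clone links back to the brand everywhere except the page that collects customer data.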

DNS Records

How Bfore.Ai is protecting our customers

At Bfore.Ai, we work daily to ensure these phishing attacks get stopped before even reaching their targets. We are here to make your internet journey safer than it has ever been.

With more than 30K new malicious indicators per day, we have you covered no matter where the attack comes from. With only a 0.05% false-positive rate, you stop wasting time chasing false alerts. By launching our PreCrime and PreEmpt technologies, we measure how far ahead of an attack's start we act, staying faster than attackers.

Accepting that the only defense is good detection is accepting to be forever a victim. We believe in prevention more than response. Visit our website for more information!

Bfore.Ai’s recommendations

Every day, adversarial tactics become more collaborative, technologically advanced, and rapid – and at this rate, you simply can’t afford to wait for the next attack before you react. Here are some recommendations from our team:

  • Pay close attention to the URL
  • Check connection security indicators (the lock)
  • Read emails carefully
  • Look for trust seals

Appendix

This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Bfore.Ai) is ultimately responsible for assessing and meeting Client’s own compliance responsibilities. This report does not constitute a guarantee or assurance of Client’s compliance with any law, regulation or standard.