In June 2020, the French retail company Darty warned the public about an online scam campaign aiming to steal the credit card information of users in France. Threat actors appear to have relaunched the campaign to target consumers during Black Friday, a significant occasion for the retail industry since many stores hold sales events on that date. In addition, France has been under Covid-19 lockdown for the past few weeks, so many people have opted to order goods online instead of going to physical stores. It should be noted that scams like these use the names of big companies without the organization’s consent.
Trend Micro internet monitoring caught the new campaign and revealed that it employs a more targeted social engineering technique: it uses each target’s actual home address and phone number.
Our investigation discovered that Darty wasn’t at fault; the incident was caused by cybercriminals who probably compromised a transport service company’s data. The latter part of this entry will include details of the investigation.
Malicious emails
Over the years, cybercriminals have employed countless social engineering schemes to steal credit card information. The threat actors behind this campaign send emails supposedly coming from a video streaming service site, state tax department, financial institution, or other establishments. Some pretend to be a big vendor from a particular country, which is what the threat actors in this campaign did by assuming the identity of Darty, a prominent retail company in France.
The email contains an order confirmation for the target’s supposed purchases.
Like some phishing emails, this message contains details about a fake order that is supposedly billed to the target. However, this scam is quite different from the ones we usually find since the billing address used in this email is the target’s actual home address (past or present).
The unsuspecting user who sees the email will most likely think that someone used their credit card to pay for the order, which amounts to nearly a thousand euros (over USD 1,000). They will then be enticed to click the red “Cancel my order” (“Annuler ma commande”) link to cancel the order they never made.
Phishing pages
Now, this is where the real fraud starts — clicking on the red cancel button leads the user to a phishing page that once again uses the Darty logo:
Upon clicking, the user will see that the page is already pre-filled with the target’s details: first name, last name, phone number, and physical address.
Once the form is filled in and the validate (“valider”) button is clicked, a second page appears that collects the user’s credit card information:
Once this information is sent to the cybercriminals, they can freely use the credit card information to steal money.
Where did cybercriminals get this information?
One might jump to the conclusion that Darty’s customer information was somehow leaked or stolen. This is not true, and Darty had nothing to do with this fraud.
Trend Micro has good reason to believe that the cybercriminals compromised the customer database of another French company that offers car/truck rental services for individuals who need to relocate. We are confident of this because one of our employees received an email from the said campaign at a private email address that was solely dedicated to messages from that company.
Having the database of a transport rental service company compromised would explain how the fraudsters were able to collect information like names, real physical addresses, and phone numbers. We have yet to determine how the cybercriminals got the database, and if they targeted additional email addresses coming from another source. Trend Micro has taken measures to have the hosting of the phishing pages taken down at the end of the weekend. We have also reached out to the concerned companies.
What should the affected users do?
Users who have submitted their credit card information through these phishing pages should immediately call their bank and have the credit card blocked to prevent abuse and illegal use of their credentials.
Defense against fraud
Cybercriminals remain relentless in their schemes that steal users’ credentials. We recommend adopting the following best practices against such threats:
- Be wary of emails and web pages that request credit card credentials. Double-check if the email address and website links truly belong to the company.
- To prevent compromise, never use the same password on different websites or online services. The use of applications such as the Trend Micro Password Manager can help manage passwords for different websites and services.
We also recommend Trend Micro™ Cloud App Security for protection against phishing and other email threats.
Indicators of Compromise
- 89.37.226[.]145
- www.dartyDarty.com.annulation-edn[.]pro
- www.dartyDarty.com.annulation-fdt[.]com
- www.dartyDarty.com.annulation-sa[.]com
- www.dartyDarty.com.annulation-td[.]com
- www.dartyDarty.com.domaine-td[.]com
- www.dartyDarty.com.ediarn[.]com
- www.dartyDarty.com.fort-dt[.]com
- www.dartyDarty.com.sive-st[.]com
- www.fnac.com.annulation-sde[.]com
- www.fnac.com.ordre-destim[.]com
- www.fnac.com.remboursement-commandes[.]press
- www.fnac.com.remboursement-commandes[.]website
- www.fnac.com.remboursement-sarl[.]site
- www.fr-marketplace[.]press
- www.fr-marketplace[.]store
- www.fr-marketplace[.]website
- www.remboursement-sarl[.]site
- www.sarl-marketplace[.]site
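The phishing hosts above all follow one pattern: a brand name such as darty.com or fnac.com placed in the leading labels of a hostname whose registrable domain (annulation-edn.pro, remboursement-commandes.press, and so on) the brand does not own. The following Python script, added here as an example and not Trend Micro’s or Darty’s code, applies the “double-check that the link truly belongs to the company” advice from the defense section to the indicators listed above: it refangs each indicator, extracts the hostname, and reports whether the registrable domain is a brand domain, a lookalike, a bare IP literal, or unrelated. The brand list, the brand keywords and the simplified “last two labels” rule for the registrable domain are assumptions made for this example; a production check should consult a public-suffix list.

```python
"""Classify link hostnames by whether they really belong to a brand.

Added example (not Trend Micro's or Darty's code). The defanged indicators
below are copied from the post; the brand list, the brand keywords and the
simplified registrable-domain rule are assumptions made for this example.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumption: the only registrable domains these brands legitimately use.
BRAND_DOMAINS = {"darty.com", "fnac.com"}
# Assumption: brand names whose presence in a foreign domain is suspicious.
BRAND_KEYWORDS = {"darty", "fnac"}

# A sample of the indicators published in the post (defanged with "[.]").
INDICATORS = [
    "89.37.226[.]145",
    "www.dartyDarty.com.annulation-edn[.]pro",
    "www.fnac.com.remboursement-commandes[.]press",
    "www.fr-marketplace[.]store",
    "www.remboursement-sarl[.]site",
]


def refang(indicator: str) -> str:
    """Undo the '[.]' and 'hxxp' defanging so the string can be parsed."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def hostname_of(link: str) -> str:
    """Return the lowercased hostname of a URL or a bare hostname."""
    if "://" not in link:
        link = "http://" + link  # urlsplit needs a scheme to find the host
    host = urlsplit(link).hostname or ""  # .hostname is already lowercased
    return host.rstrip(".")


def is_ip_literal(host: str) -> bool:
    """True when the host is an IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host: str) -> str:
    """Simplified rule (assumption): the last two labels of the hostname.

    Real deployments should use a public-suffix list, because suffixes such
    as 'co.uk' span more than one label.
    """
    return ".".join(host.split(".")[-2:])


def classify(link: str) -> str:
    """Return 'legitimate', 'lookalike', 'ip-literal' or 'unrelated'.

    'www.fnac.com.example.press' carries 'fnac.com' as leading labels, but
    its registrable domain is 'example.press', which the brand does not own,
    so it is a lookalike rather than a legitimate brand host.
    """
    host = hostname_of(refang(link))
    if is_ip_literal(host):
        return "ip-literal"
    if registrable_domain(host) in BRAND_DOMAINS:
        return "legitimate"
    if any(kw in label for label in host.split(".") for kw in BRAND_KEYWORDS):
        return "lookalike"
    return "unrelated"


def triage(links):
    """Map each link to its verdict, e.g. for URLs extracted from a mailbox."""
    return {link: classify(link) for link in links}


if __name__ == "__main__":
    for link, verdict in triage(INDICATORS + ["https://www.darty.com/"]).items():
        print(f"{verdict:11} {link}")
```

The check deliberately looks at the registrable domain rather than at whether the brand name appears anywhere in the link, which is exactly the visual trick these hostnames rely on; the IP literal is reported separately because a retailer’s order page is never reached by bare IP address.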