5 May, 2026

How Unauthorized Domain Registrations Threaten Retail Financial Portals in South America

UDRP Cases

Carrefour SA and its subsidiary Atacadão successfully secured the transfer of the domain name <portalcartaoatacadao.sbs> in a WIPO UDRP proceeding. The sole panelist ruled that the domain, which combines the distinctive ‘ATACADAO’ trademark with Portuguese terms for ‘portal’ and ‘card,’ was registered in bad faith to mimic the Complainants’ branded credit card services. Despite the domain resolving to an inactive error page, the panel ordered its transfer to the Complainants.

Case Snapshot

Case Number D2025-4326
Complainant Atacadão – Distribuição, Comércio E Indústria LTDA.Carrefour SA
Respondent gabriel silva, Carpau Agropecuaria LTDA
Disputed Domain
portalcartaoatacadao.sbs
Threat Tactic Brand Plus Keyword
Decision Date 2025-12-23
Panelist Marcello do Nascimento
OutcomeTransfer
Official Source https://www.wipo.int/amc/en/domains/search/text.jsp?case=D2025-4326

Threats to Regional Consumer Trust and Financial Service Expansion

The registration of the disputed domain name <portalcartaoatacadao.sbs> poses a direct threat to the regional digital expansion and commercial reputation of Atacadão and its parent company, Carrefour SA. By pairing the highly distinctive ATACADÃO trademark with the Portuguese words ‘portal’ and ‘cartao’ (card), the domain directly targets the complainants’ retail consumer base in South America, specifically those looking for online credit card and financial portal services. This brand-plus-keyword tactic creates an immediate risk of customer confusion, as users looking for legitimate credit card account access could easily mistake the unauthorized domain for an official portal or endorsed service, thereby disrupting the brand’s control over its digital customer touchpoints.

Although the domain resolved to an inactive error page at the time of the dispute and did not have documented history of active phishing or financial data breaches, its passive holding represents a latent operational threat. For retail groups expanding into digital financial services, inactive domains containing highly targeted terms like ‘portal’ and ‘cartao’ function as pre-positioned infrastructure that can be activated instantly for fraudulent activities, such as credential harvesting or corporate impersonation. The presence of such domains forces brand owners to bear significant defensive monitoring costs to prevent these addresses from being converted into live phishing nodes that could compromise customer credentials.

Furthermore, the choice of the generic Top-Level Domain ‘.sbs’ illustrates how bad-faith actors exploit alternative gTLDs to bypass traditional brand monitoring systems focused on country-code or legacy extensions. This tactic dilutes the exclusive trademark rights of Carrefour and Atacadão by dispersing branded keywords across newer registry spaces. For trademark professionals, this case demonstrates that bad-faith registration persists even without active content, making proactive enforcement and prompt administrative filings necessary to secure vulnerable customer-facing terms before they are weaponized.

Analyzing the Brand-Plus-Keyword Strategy and Passive Bad Faith in the Atacadão Dispute

The Complainants’ enforcement strategy succeeded by demonstrating that the addition of descriptive Portuguese terms directly targeted their specific retail and financial operations. Rather than treating "portal" and "cartao" as generic additions, the Complainants established that these terms specifically mimicked their established "Cartão Atacadão" credit card and customer portal services. By pairing their highly distinctive ATACADÃO trademark—which holds a Brazilian registration dating back to October 10, 1978—with these service-specific terms, the Complainants convinced the Panel that the domain <portalcartaoatacadao.sbs> was deliberately engineered to foster a false association with their brand. This framework allowed the Complainants to successfully argue that the omission of Portuguese diacritics and the inclusion of the ".sbs" gTLD were irrelevant to the confusing similarity analysis.

Furthermore, the Complainants overcame the challenge of passive holding by leveraging the well-known status of the ATACADÃO mark, particularly within Brazil. Although the disputed domain name resolved to an inactive error page and there was no evidence of active phishing or consumer financial losses, the Complainants successfully argued that bad faith was present from inception. The targeted pairing of a well-known retail trademark with consumer financial terms made it highly implausible that the Respondent, gabriel silva of Carpau Agropecuaria LTDA, registered the domain without prior knowledge of the Complainants. This legal positioning demonstrates that brand owners can successfully secure domain transfers in newer generic Top-Level Domains even in the absence of active website deployment, provided they can prove the registration directly targets highly distinctive brand identifiers.

Practical Recommendations

  • Implement proactive domain monitoring that tracks core trademarks combined with localized commercial keywords (e.g., ‘portal’, ‘cartao’, ‘credit’) across emerging generic Top-Level Domains (gTLDs) like ‘.sbs’ to preemptively flag brand-plus-keyword abuses.
  • Do not delay enforcement against inactive sites; leverage the passive holding doctrine in UDRP filings when a domain incorporates a highly distinctive trademark paired with terms that directly reference your proprietary customer services.
  • Document and present clear evidence of the direct link between the respondent’s chosen descriptive terms (such as ‘cartao’ for retail credit cards) and your actual consumer-facing products to prove bad faith registration and targeting.
  • Incorporate localized, industry-specific terms (such as Portuguese financial and portal keywords) into your brand protection team’s defensive registration matrices when expanding regional digital services.

Frequently Asked Questions (FAQ)

Why was the domain <portalcartaoatacadao.sbs> considered confusingly similar to the ATACADÃO trademark?

The Panel determined that the domain incorporates the well-known ATACADÃO mark in its entirety. The addition of the Portuguese terms ‘portal’ and ‘cartao’ (card) reinforces the likelihood of confusion, as these words explicitly reference the Complainants’ legitimate customer portal and credit card services.

How did the Panel establish bad faith given that the disputed domain was inactive?

Under the UDRP, passive holding does not preclude a finding of bad faith. The Panel concluded that the deliberate pairing of a globally recognized trademark with highly specific, descriptive terms related to the brand’s financial services served no legitimate purpose and was clearly intended to target the Complainants’ business.

What evidence confirmed that the Respondent lacked rights or legitimate interests in the domain?

The Complainants demonstrated that the Respondent is not commonly known by the name ‘portalcartaoatacadao’ and has no business, contractual, or authorized relationship with Atacadão or Carrefour. Furthermore, the Respondent provided no evidence of any bona fide offering of goods or services associated with the domain.

What business risk does this case highlight regarding brand-plus-keyword domains?

This case illustrates the risk of bad actors using ‘brand-plus-keyword’ tactics to mimic corporate portals. Even if a domain is currently inactive, such registrations facilitate potential future phishing or financial credential harvesting, posing a significant security threat to retail customers and requiring active monitoring of branded terms across various gTLDs.

Is your brand being targeted by deceptive ‘brand + keyword’ domains?

The unauthorized pairing of your trademark with service terms like ‘portal’ or ‘cartao’ creates significant confusion for your customers and threatens your digital infrastructure. Learn how to identify and recover these high-risk impersonation domains before they are weaponized.

Assess brand threat

Contact us
We will find the best solution for your business

    Thank you for your request!
    We will contact you within 5 hours!
    Image
    This site uses cookies to improve your experience. By continuing, you agree to our Privacy Policy.

    Privacy settings

    When you visit websites, they may store or retrieve data in your browser. This storage is often required for basic website functionality. Storage may be used for marketing, analytics and site personalization purposes, such as storing your preferences. Privacy is important to us, so you can disable certain types of storage that may not be necessary for the basic functioning of the website. Blocking categories may affect the performance of the website.

    Manage settings


    Necessary

    Always active

    These cookies are necessary for the website to function and cannot be disabled in our systems. They are usually only set in response to actions you take that constitute a request for services, such as adjusting your privacy settings, logging in, or filling out forms. You can set your browser to block these cookies or notify you about them, but some parts of the site will not work. These cookies do not store any personal information.

    Marketing

    These elements are used to show you advertising that is more relevant to you and your interests. They can also be used to limit the number of ad views and measure the effectiveness of advertising campaigns. Advertising networks usually place them with the permission of the site operator.

    Personalization

    These elements allow the website to remember your choices (such as your username, language or region you are in) and provide enhanced, more personalized features. For example, a website may provide you with local weather forecasts or traffic news by storing data about your current location.

    Analytics

    These elements help the website operator understand how their website works, how visitors interact with the site and whether there may be technical problems. This type of storage usually does not collect information that identifies the visitor.