Carrefour SA successfully secured the transfer of three domain names—carrefourpasshelp.info, carrefourpassonline.info, and passcarrefourweb.info—after they were used to impersonate the company’s financial services division. The WIPO panelist ordered the transfer after evidence revealed one domain hosted a fraudulent login page designed to harvest credit card credentials from Carrefour Pass users.
Case Snapshot
| Case Number | D2025-3988 |
|---|---|
| Complainant | Carrefour SA |
| Respondent | Julio QuertyLisa Donofrio |
| Disputed Domain | carrefourpasshelp.infocarrefourpassonline.infopasscarrefourweb.info |
| Threat Tactic | Brand Plus Keyword |
| Decision Date | 2025-12-03 |
| Panelist | Marina Perraki |
| Outcome | Transfer |
| Official Source | https://www.wipo.int/amc/en/domains/search/text.jsp?case=D2025-3988 |
Financial Credential Theft and High-Value Service Impersonation
The primary commercial risk identified in this dispute is the direct targeting of the ‘Carrefour Pass’ financial services sub-brand, specifically through the domain ‘carrefourpasshelp.info’. By hosting a fraudulent login page designed to mimic the official credit card management portal, the Respondents moved beyond general trademark infringement into active financial fraud. This tactic specifically exploits the high-trust relationship between a global retail leader and its banking customers. The collection of sensitive financial credentials creates an immediate liability for the Complainant, as any resulting unauthorized transactions or data breaches can lead to significant monetary losses for customers and potentially expose the brand to regulatory scrutiny or litigation regarding digital security and consumer protection.
The strategic use of descriptive keywords such as ‘help’, ‘online’, and ‘web’ alongside the CARREFOUR mark significantly increases the effectiveness of the phishing threat. These terms are specifically chosen to intercept customers who are actively seeking support or digital account access, making them more susceptible to deception than users who might encounter a generic brand domain. The coordinated registration of multiple domains within a four-day window (September 8 to September 12, 2025) suggests a structured campaign aimed at dominating the search or referral space for Carrefour’s financial service keywords. This cluster-based approach to registration broadens the threat landscape, providing the actors with backup infrastructure if a single domain is blacklisted or taken down.
Furthermore, the technical evolution of the disputed domains—transitioning from active phishing and hosting pages to ‘Connection timed out’ or ‘Error code 522’ messages—highlights a common evasive tactic used to avoid long-term detection. This volatility reinforces the business need for rapid-response monitoring and enforcement. Had the Complainant not secured forensic evidence of the fraudulent login page within three weeks of the initial registrations, proving active bad faith use might have been more challenging once the sites were altered. For brand owners, the reputational damage resulting from such schemes is often long-lasting; if customers lose confidence in the security of the ‘Carrefour Pass’ portal, they may abandon the service entirely, impacting the Complainant’s diversified revenue streams in the banking and insurance sectors.
Legal Reasoning: Assessing Phishing Evidence and Common Control
The Panel concluded that the disputed domain names were confusingly similar to the CARREFOUR trademark, which has been registered internationally since 1968. By incorporating the trademark in its entirety alongside descriptive terms such as ‘pass,’ ‘help,’ ‘online,’ and ‘web,’ the Respondents created an environment for consumer confusion. The Panel found that the addition of these terms did not distinguish the domains from the Complainant’s brand; rather, they reinforced the deceptive impression that the websites were official portals for Carrefour’s banking and credit card services.
Regarding rights or legitimate interests, the Respondents failed to demonstrate any authorization to use the CARREFOUR mark or provide evidence of being commonly known by the disputed names. The Panel observed that the Respondents were not licensees of the Complainant and had not engaged in a bona fide offering of goods or services. The absence of a response from the nominal registrants allowed the Panel to infer that no legitimate interest existed, particularly as the primary use of at least one domain was to facilitate a fraudulent impersonation scheme designed for credential harvesting.
The finding of bad faith was primarily supported by the documented use of ‘carrefourpasshelp.info’ to host a fraudulent login page. This site was specifically structured to harvest credit card credentials from Carrefour Pass users, constituting clear evidence of an intent to disrupt the Complainant’s business and defraud its customers. Although the domains eventually resolved to ‘Error 522’ timeout pages or default hosting placeholders, the Panel determined that the initial phishing activity and the subsequent passive holding of the domains collectively established a pattern of bad faith registration and use.
A critical legal component of the decision was the consolidation of the complaint against multiple nominal registrants. The Panel accepted the Complainant’s argument that the different individuals listed—Julio Querty and Lisa Donofrio—were likely alter egos or under common control. This determination was justified by the overlapping registration dates between September 8 and September 12, 2025, the identical naming patterns targeting the Carrefour Pass sub-brand, and the unified technical behavior of the domains. Consolidation allowed for an efficient resolution of a coordinated attack against the Complainant’s financial services reputation.
Strategic Enforcement Timing and Evidence Capture
Carrefour SA’s primary success factor was the speed of its enforcement timeline, which allowed for the preservation of high-value evidence. By filing the UDRP complaint on September 30, 2025—within approximately 20 days of the domain registrations—the Complainant successfully memorialized the active phishing activity on ‘carrefourpasshelp.info’. This proactive collection was critical because the Respondent later allowed the domains to resolve to ‘Connection timed out’ Error 522 pages. Capturing the fraudulent login page while it was live provided undeniable proof of bad faith intent to harvest credit card credentials, preventing the Respondent from effectively claiming a lack of active use or ‘passive holding’ as a defense against the transfer.
The legal strategy also successfully utilized consolidation to address a coordinated impersonation effort targeting the ‘Carrefour Pass’ financial services brand. By joining claims against nominally different registrants Julio Querty and Lisa Donofrio, the Complainant demonstrated that the domains were under common control and part of a unified scheme. The Panel found the inclusion of descriptive terms such as ‘help’, ‘online’, and ‘web’ alongside the CARREFOUR mark particularly deceptive, as these terms reinforced the appearance of official banking support portals. This approach not only streamlined the legal process but also highlighted the specific intent to deceive high-value financial customers, which made the lack of legitimate interests and the presence of bad faith registration indisputable.
Practical Recommendations
- Prioritize immediate forensic archiving of fraudulent web content within 48 hours of detection; in this case, the Complainant’s rapid evidence capture of the ‘carrefourpasshelp.info’ login page was critical because the site later resolved to a 522 error, which could have hindered the bad faith use argument.
- Monitor specifically for ‘Brand + Sub-brand’ keyword combinations (e.g., ‘Carrefour Pass’) in new registrations, as attackers often target high-value financial service niches rather than the primary retail brand to harvest sensitive credit card credentials.
- Utilize procedural consolidation to aggregate multiple domain names under a single UDRP filing when they share registration timelines (e.g., within the same 5-day window) and similar naming conventions, effectively countering coordinated impersonation campaigns while reducing legal costs.
- Target ‘brand-plus-keyword’ variations that include administrative terms like ‘help’, ‘online’, or ‘web’, as these are strategically selected by bad actors to suggest an official support portal and increase the likelihood of successful credential harvesting.
- Maintain an active registry of all authorized financial service domains to quickly distinguish between legitimate ‘Carrefour Pass’ properties and deceptive lookalikes, enabling the legal team to file a UDRP complaint within 20 days of a threat’s registration.
Frequently Asked Questions (FAQ)
Why were the domains ‘carrefourpasshelp.info’, ‘carrefourpassonline.info’, and ‘passcarrefourweb.info’ considered confusingly similar to Carrefour’s trademark?
The WIPO panel found that these domains incorporated the entirety of the globally recognized CARREFOUR trademark. By adding descriptive terms like ‘help’, ‘online’, and ‘web’ in relation to the ‘Carrefour Pass’ financial service, the domains created a false impression of being official support portals, which is a classic form of confusing similarity.
How did the Complainant establish bad faith when some of the domains were not actively hosting content?
Although some domains resolved to error pages or hosting placeholders at the time of the decision, the Complainant successfully documented that ‘carrefourpasshelp.info’ was previously used to host a fraudulent login page. This evidence of active phishing, combined with the Respondents’ failure to present any evidence of rights or legitimate interests, allowed the panel to infer bad faith registration and use.
What was the significance of the rapid filing timeline in this case?
Carrefour SA filed the UDRP complaint within approximately 20 days of the domain registrations. This rapid response allowed the Complainant to capture critical evidence of the phishing scheme before the Respondents took the site offline, preventing the domains from slipping into a ‘passive holding’ state that might have complicated the legal burden of proving bad faith.
Why was the consolidation of the complaint against different registrants permitted by the Panel?
The Panel accepted the consolidation because the disputed domains exhibited a coordinated pattern of impersonation targeting the ‘Carrefour Pass’ brand. The similarity in registration dates and the identical nature of the underlying scheme suggested the domains were under common control, allowing the case to proceed as a single, efficient enforcement action.
Detected an unauthorized brand-plus-keyword domain?
Cybercriminals often append terms like ‘help’, ‘online’, or ‘web’ to your trademark to build fraudulent login portals. If you’ve identified domains leveraging your brand to target your customers, we can assist with a formal UDRP eligibility assessment.
This case note is for informational purposes only and is not legal advice.



