5 May, 2026

Protecting Financial Brand Integrity: The Carrefour Pass Phishing Decision

UDRP Cases

Carrefour SA successfully secured the transfer of three domain names—carrefourpasshelp.info, carrefourpassonline.info, and passcarrefourweb.info—after they were used to impersonate the company’s financial services division. The WIPO panelist ordered the transfer after evidence revealed one domain hosted a fraudulent login page designed to harvest credit card credentials from Carrefour Pass users.

Case Snapshot

Case Number D2025-3988
Complainant Carrefour SA
Respondent Julio QuertyLisa Donofrio
Disputed Domain
carrefourpasshelp.infocarrefourpassonline.infopasscarrefourweb.info
Threat Tactic Brand Plus Keyword
Decision Date 2025-12-03
Panelist Marina Perraki
OutcomeTransfer
Official Source https://www.wipo.int/amc/en/domains/search/text.jsp?case=D2025-3988

Financial Credential Theft and High-Value Service Impersonation

The primary commercial risk identified in this dispute is the direct targeting of the ‘Carrefour Pass’ financial services sub-brand, specifically through the domain ‘carrefourpasshelp.info’. By hosting a fraudulent login page designed to mimic the official credit card management portal, the Respondents moved beyond general trademark infringement into active financial fraud. This tactic specifically exploits the high-trust relationship between a global retail leader and its banking customers. The collection of sensitive financial credentials creates an immediate liability for the Complainant, as any resulting unauthorized transactions or data breaches can lead to significant monetary losses for customers and potentially expose the brand to regulatory scrutiny or litigation regarding digital security and consumer protection.

The strategic use of descriptive keywords such as ‘help’, ‘online’, and ‘web’ alongside the CARREFOUR mark significantly increases the effectiveness of the phishing threat. These terms are specifically chosen to intercept customers who are actively seeking support or digital account access, making them more susceptible to deception than users who might encounter a generic brand domain. The coordinated registration of multiple domains within a four-day window (September 8 to September 12, 2025) suggests a structured campaign aimed at dominating the search or referral space for Carrefour’s financial service keywords. This cluster-based approach to registration broadens the threat landscape, providing the actors with backup infrastructure if a single domain is blacklisted or taken down.

Furthermore, the technical evolution of the disputed domains—transitioning from active phishing and hosting pages to ‘Connection timed out’ or ‘Error code 522’ messages—highlights a common evasive tactic used to avoid long-term detection. This volatility reinforces the business need for rapid-response monitoring and enforcement. Had the Complainant not secured forensic evidence of the fraudulent login page within three weeks of the initial registrations, proving active bad faith use might have been more challenging once the sites were altered. For brand owners, the reputational damage resulting from such schemes is often long-lasting; if customers lose confidence in the security of the ‘Carrefour Pass’ portal, they may abandon the service entirely, impacting the Complainant’s diversified revenue streams in the banking and insurance sectors.

Strategic Enforcement Timing and Evidence Capture

Carrefour SA’s primary success factor was the speed of its enforcement timeline, which allowed for the preservation of high-value evidence. By filing the UDRP complaint on September 30, 2025—within approximately 20 days of the domain registrations—the Complainant successfully memorialized the active phishing activity on ‘carrefourpasshelp.info’. This proactive collection was critical because the Respondent later allowed the domains to resolve to ‘Connection timed out’ Error 522 pages. Capturing the fraudulent login page while it was live provided undeniable proof of bad faith intent to harvest credit card credentials, preventing the Respondent from effectively claiming a lack of active use or ‘passive holding’ as a defense against the transfer.

The legal strategy also successfully utilized consolidation to address a coordinated impersonation effort targeting the ‘Carrefour Pass’ financial services brand. By joining claims against nominally different registrants Julio Querty and Lisa Donofrio, the Complainant demonstrated that the domains were under common control and part of a unified scheme. The Panel found the inclusion of descriptive terms such as ‘help’, ‘online’, and ‘web’ alongside the CARREFOUR mark particularly deceptive, as these terms reinforced the appearance of official banking support portals. This approach not only streamlined the legal process but also highlighted the specific intent to deceive high-value financial customers, which made the lack of legitimate interests and the presence of bad faith registration indisputable.

Practical Recommendations

  • Prioritize immediate forensic archiving of fraudulent web content within 48 hours of detection; in this case, the Complainant’s rapid evidence capture of the ‘carrefourpasshelp.info’ login page was critical because the site later resolved to a 522 error, which could have hindered the bad faith use argument.
  • Monitor specifically for ‘Brand + Sub-brand’ keyword combinations (e.g., ‘Carrefour Pass’) in new registrations, as attackers often target high-value financial service niches rather than the primary retail brand to harvest sensitive credit card credentials.
  • Utilize procedural consolidation to aggregate multiple domain names under a single UDRP filing when they share registration timelines (e.g., within the same 5-day window) and similar naming conventions, effectively countering coordinated impersonation campaigns while reducing legal costs.
  • Target ‘brand-plus-keyword’ variations that include administrative terms like ‘help’, ‘online’, or ‘web’, as these are strategically selected by bad actors to suggest an official support portal and increase the likelihood of successful credential harvesting.
  • Maintain an active registry of all authorized financial service domains to quickly distinguish between legitimate ‘Carrefour Pass’ properties and deceptive lookalikes, enabling the legal team to file a UDRP complaint within 20 days of a threat’s registration.

Frequently Asked Questions (FAQ)

Why were the domains ‘carrefourpasshelp.info’, ‘carrefourpassonline.info’, and ‘passcarrefourweb.info’ considered confusingly similar to Carrefour’s trademark?

The WIPO panel found that these domains incorporated the entirety of the globally recognized CARREFOUR trademark. By adding descriptive terms like ‘help’, ‘online’, and ‘web’ in relation to the ‘Carrefour Pass’ financial service, the domains created a false impression of being official support portals, which is a classic form of confusing similarity.

How did the Complainant establish bad faith when some of the domains were not actively hosting content?

Although some domains resolved to error pages or hosting placeholders at the time of the decision, the Complainant successfully documented that ‘carrefourpasshelp.info’ was previously used to host a fraudulent login page. This evidence of active phishing, combined with the Respondents’ failure to present any evidence of rights or legitimate interests, allowed the panel to infer bad faith registration and use.

What was the significance of the rapid filing timeline in this case?

Carrefour SA filed the UDRP complaint within approximately 20 days of the domain registrations. This rapid response allowed the Complainant to capture critical evidence of the phishing scheme before the Respondents took the site offline, preventing the domains from slipping into a ‘passive holding’ state that might have complicated the legal burden of proving bad faith.

Why was the consolidation of the complaint against different registrants permitted by the Panel?

The Panel accepted the consolidation because the disputed domains exhibited a coordinated pattern of impersonation targeting the ‘Carrefour Pass’ brand. The similarity in registration dates and the identical nature of the underlying scheme suggested the domains were under common control, allowing the case to proceed as a single, efficient enforcement action.

Detected an unauthorized brand-plus-keyword domain?

Cybercriminals often append terms like ‘help’, ‘online’, or ‘web’ to your trademark to build fraudulent login portals. If you’ve identified domains leveraging your brand to target your customers, we can assist with a formal UDRP eligibility assessment.

Assess brand threat

Contact us
We will find the best solution for your business

    Thank you for your request!
    We will contact you within 5 hours!
    Image
    This site uses cookies to improve your experience. By continuing, you agree to our Privacy Policy.

    Privacy settings

    When you visit websites, they may store or retrieve data in your browser. This storage is often required for basic website functionality. Storage may be used for marketing, analytics and site personalization purposes, such as storing your preferences. Privacy is important to us, so you can disable certain types of storage that may not be necessary for the basic functioning of the website. Blocking categories may affect the performance of the website.

    Manage settings


    Necessary

    Always active

    These cookies are necessary for the website to function and cannot be disabled in our systems. They are usually only set in response to actions you take that constitute a request for services, such as adjusting your privacy settings, logging in, or filling out forms. You can set your browser to block these cookies or notify you about them, but some parts of the site will not work. These cookies do not store any personal information.

    Marketing

    These elements are used to show you advertising that is more relevant to you and your interests. They can also be used to limit the number of ad views and measure the effectiveness of advertising campaigns. Advertising networks usually place them with the permission of the site operator.

    Personalization

    These elements allow the website to remember your choices (such as your username, language or region you are in) and provide enhanced, more personalized features. For example, a website may provide you with local weather forecasts or traffic news by storing data about your current location.

    Analytics

    These elements help the website operator understand how their website works, how visitors interact with the site and whether there may be technical problems. This type of storage usually does not collect information that identifies the visitor.