5 May, 2026

Carrefour Defeats Coordinated Domain Portfolio Targeting Payment Brand

UDRP Cases

Carrefour SA secured the transfer of eight disputed domain names targeting its ‘CARREFOUR PASS’ financial services brand. A WIPO panel consolidated the cases after finding the domains were registered in bad faith under common control and held passively. The ruling successfully neutralizes potential corporate impersonation risks utilizing Spanish-language customer portal terms.

Case Snapshot

Case Number D2025-0245
Complainant Carrefour SA
Respondent packet emblazerbacklash alooCharles E PettyEmiliano Santiagokarl maxsian su
Disputed Domain
aviso-carrefourpass.infoavisos-carrefourpass.infocarrefourpassavisos.infocarrefourpass-cliente.comcarrefourpass-login.comcarrefourpass-soporte.comcarrefourpass-usuario.comes-carrefour-pass.com
Threat Tactic Brand Plus Keyword
Decision Date 2025-03-18
Panelist Tobias Malte Müller
OutcomeTransfer
Official Source https://www.wipo.int/amc/en/domains/search/text.jsp?case=D2025-0245

Latent Phishing and Impersonation Risks in Targeted Payment Brand Portfolios

The coordinated registration of eight domain names combining the famous ‘CARREFOUR PASS’ trademark with Spanish-language administrative and operational terms represents a calculated corporate impersonation risk. By pairing the financial services brand with highly specific terms like ‘login’, ‘cliente’, ‘soporte’, ‘usuario’, and ‘aviso’, the undisclosed registrants constructed deceptive digital coordinates. Although the disputed domain names resolved to error pages or ‘under construction’ landing pages, their naming structures strongly imply official administrative or customer support functions. For a global retailer operating more than 14,000 stores, the existence of such unauthorized portals creates a latent threat of future phishing or credential-harvesting campaigns targeting Spanish-speaking clients.

The business threat of passive domain holding is magnified when the registrations directly target transactional or customer support interfaces. While Carrefour SA did not face active phishing sites on these specific domains, the risk of sudden deployment remains a continuous vulnerability. Coordinated multi-domain portfolios under common control can be easily activated to launch targeted attacks, which would directly impact customer trust. Consequently, brand owners must treat the registration of trademark-plus-keyword domains as active business threats requiring immediate legal intervention through the UDRP, rather than waiting for active commercial abuse to manifest.

Consolidation of Coordinated Registrants and the Jurisprudence of Passive Holding

Carrefour SA’s legal strategy succeeded by consolidating eight disputed domain names registered under multiple distinct respondent names into a single corporate complaint. In January 2025, registrar verification requests revealed different registrant names, yet the Complainant successfully argued that these respondents were operating under common control. By highlighting key structural connections—specifically the highly coordinated timing of the registrations in early 2025, the identical targeting of the CARREFOUR PASS mark, the shared Spanish administrative suffixes, and the choice of registrars—the Complainant overcame procedural hurdles. This consolidation prevented the need for multiple separate filings and established a unified pattern of bad faith registration.

The Complainant’s case was further strengthened by proving that the passive holding of these domains satisfied the bad faith criteria under established UDRP jurisprudence. Although the disputed domains only resolved to error or under construction pages, the Complainant demonstrated that its CARREFOUR and CARREFOUR PASS trademarks are so widely known globally that the respondents could not have registered the names without prior knowledge of the brand. Pairing these famous financial services trademarks with Spanish-language administrative and transactional terms like ‘soporte’, ‘cliente’, and ‘login’ created a continuous latent risk of future customer confusion. This combination allowed the panelist to conclude that the registrations carried an implied affiliation, justifying the transfer before active phishing or credential harvesting could occur.

Practical Recommendations

  • Consolidate multiple domain disputes into a single WIPO UDRP complaint when encountering coordinated registrations. Establish ‘common control’ by documenting shared registrants, matching creation dates (e.g., early 2025), identical registrars, and highly consistent naming patterns.
  • Target localized administrative and customer-facing terms (such as ‘soporte’, ‘cliente’, ‘aviso’, and ‘login’) in continuous domain monitoring programs, particularly for high-risk sub-brands or payment portals like ‘Carrefour Pass’.
  • Initiate UDRP complaints against passively held domains resolving to error or ‘under construction’ pages without waiting for active phishing or abuse to materialize. Under WIPO jurisprudence, the passive holding of a well-known trademark with critical administrative terms strongly indicates bad faith.
  • Establish a prompt verification process with registrars upon detecting domain registration spikes to quickly unmask hidden registrant details and verify common actors behind private or proxy registration services.

Frequently Asked Questions (FAQ)

Why were the domain names considered confusingly similar to the Carrefour trademarks?

The panel ruled that incorporating the trademark ‘CARREFOUR’ alongside terms like ‘login’, ‘soporte’, or ‘cliente’ did not mitigate confusion. It found that the addition of hyphens or descriptive words is of negligible significance and likely suggests an affiliation or sponsorship by Carrefour SA.

How did the complainant prove that the respondents lacked rights or legitimate interests?

The complainant established that the respondents had no trademark rights in the ‘CARREFOUR’ name, were not commonly known by the disputed domains as individuals or businesses, and were never authorized or licensed by Carrefour SA to use the trademarks.

What evidence supported the panel’s finding of bad faith registration?

The panel determined bad faith because the ‘CARREFOUR’ and ‘CARREFOUR PASS’ trademarks are globally well-known. It was deemed inconceivable that the respondents—who registered eight coordinated domains using Spanish-language service terms—were unaware of the complainant’s earlier rights.

What was the legal significance of the ‘passive holding’ tactic used by the respondents?

Despite the domains resolving only to error or ‘under construction’ pages, the panel found the registration and continued passive holding to be in bad faith. By consolidating multiple domains under common control, the panel concluded the tactic served to create latent risks of future corporate impersonation and phishing.

Found a brand-plus-keyword impersonation domain?

Coordinated registrations combining your brand with service-related terms like ‘login’ or ‘soporte’ create significant latent risks. Learn how to identify and neutralize these threats before they escalate into active impersonation.

Assess brand threat

Contact us
We will find the best solution for your business

    Thank you for your request!
    We will contact you within 5 hours!
    Image
    This site uses cookies to improve your experience. By continuing, you agree to our Privacy Policy.

    Privacy settings

    When you visit websites, they may store or retrieve data in your browser. This storage is often required for basic website functionality. Storage may be used for marketing, analytics and site personalization purposes, such as storing your preferences. Privacy is important to us, so you can disable certain types of storage that may not be necessary for the basic functioning of the website. Blocking categories may affect the performance of the website.

    Manage settings


    Necessary

    Always active

    These cookies are necessary for the website to function and cannot be disabled in our systems. They are usually only set in response to actions you take that constitute a request for services, such as adjusting your privacy settings, logging in, or filling out forms. You can set your browser to block these cookies or notify you about them, but some parts of the site will not work. These cookies do not store any personal information.

    Marketing

    These elements are used to show you advertising that is more relevant to you and your interests. They can also be used to limit the number of ad views and measure the effectiveness of advertising campaigns. Advertising networks usually place them with the permission of the site operator.

    Personalization

    These elements allow the website to remember your choices (such as your username, language or region you are in) and provide enhanced, more personalized features. For example, a website may provide you with local weather forecasts or traffic news by storing data about your current location.

    Analytics

    These elements help the website operator understand how their website works, how visitors interact with the site and whether there may be technical problems. This type of storage usually does not collect information that identifies the visitor.