Scams linked to the next Navigo Pass refund campaign are already circulating in mailboxes. Cybercriminals usurp the RATP to steal banking data.
Cybercriminals were not going to miss the new Navigo Pass reimbursement campaign. A scam email received by the editorial staff on July 3 usurps the RATP before the opening of compensation for subscribers affected by the strikes.
The email fully incorporates the aesthetics of the company and even adds colorful recommendations, previously used by the RATP during periods of demonstrations. The message indicates that the Navigo Pass refund campaign has been open since July 3 and invites the user to go to the linked platform to obtain the refund.
The user will then be redirected to an RATP clone site. His identifiers will first be requested. You can type any email and password, the platform will send you to another page where you will be asked for your details – name, address, number – and, unsurprisingly, your credit card number.
A well-disguised phishing site
The scam email was sent by a legitimate, probably hacked, email address of a Brazilian entrepreneur. “Boromir”, a cyber expert who prefers to remain anonymous, analyzed the site and indicates the domain name “www.iledefrance-mobilites.fr” was registered on July 3. The site is hosted in Russia on a server already used for other scams.
The cybercriminals tried to hide their malicious page since they used “punycode”. ” This technique makes it possible to integrate special characters into the URL, for example orange.fr becomes οrαngε.fr. The URL looks like orange.fr, but does not refer to the same place because in punycode, it corresponds to xn--rng-oxcw9c.fr. This will make “οrαngε.fr” appear in the phishing email to make believe that it will redirect the user to the official website. This serves to trick victims and avoid being detected by cybersecurity solutions », explains Boromir.
The site is already considered malicious by Google, but more will soon be created by cybercriminals.
Where to request Navigo compensation?
Before clicking on an alleged RATP email, check the sender’s address. The agency will normally contact you by ” [email protected] ” Or ” [email protected] “. It is also advisable to go directly to the site www.iledefrance-mobilites.fr for information. A page has also been put online by the RATP on the next compensation campaign which begins on July 5 and not on the 3rd as the cybercriminals claim.
Subscribe to Numerama on Google News to not miss any news!