SMS “NAVIGO”: how do scammers steal identity so easily?


Scam SMS messages display the sender names of real companies. The cause is a lack of verification in SMS marketing campaigns.

An SMS phishing campaign impersonating Île-de-France Mobilités has been underway since October 2023. These fake SMS alerts arrive with “NAVIGO” (the Ile-de-France transport pass) as the sender and invite users to claim a refund of 37.10 euros. In April, a campaign by Île-de-France Mobilités, the body in charge of metros, trains and buses in the region, made it possible to recover 37.60 euros following recurring delays. The message includes a link that leads to a clone of the transport service's site.

Two phishing SMS messages from this fake NAVIGO campaign.  // Source: Numerama

The fraudulent platform asks the user for several pieces of information before inviting them to enter their banking details, which will obviously be sent to the hackers. We counted four Île-de-France Mobilités clone sites during the month of October. One of them was still online on October 24 and uses anti-bot protection from the Cloudflare service to avoid being detected by security systems.

While this phishing scheme is fairly classic, we tried to understand why the scam SMS displayed “NAVIGO” as the sender, a detail that lends the scam more legitimacy.

The Ile-de-France Mobilités clone site. // Source: Numerama

Marketing campaigns without identity verification

One of the text messages received by our team contained a generic number to stop receiving these messages. This option is generally offered to block the receipt of advertising SMS messages. Tracing the message back, we came across High Connexion, a French company that is both an operator and a content aggregator for marketing campaigns. Numerama contacted the company to ask about its links to this wave of phishing.

High Connexion describes itself as “a communication pipe” between a first aggregator and the major telephone operators (Orange, SFR, Bouygues). The company explains that it is responsible for delivering SMS marketing campaigns to the main telecom groups.

The cybercriminals turned to a first, low-end aggregator based abroad to push their phishing message. They ordered a “marketing” campaign containing the fraudulent link and claiming to be Navigo. The hackers supplied the aggregator with a list of numbers, likely taken from data leaks.

This foreign company uses High Connexion's technical solutions to distribute the campaign to French operators. High Connexion refuses to give us the name of this customer, which asks to send promotional SMS on French soil. A simple declaration is all the cybercriminals need to assert that the sender is “NAVIGO”.

Orange, SFR, Bouygues and Free receive this campaign and end up sending thousands of SMS messages with “NAVIGO” as the sender, without anyone in the chain actually verifying that it really is the Paris-region transport authority.

A number to report SMS messages

Contacted by Numerama, af2m, a grouping of all French operators, explains that the “NAVIGO” OADC (an abbreviation designating messages that show a company name as the sender) began on September 14. “This case of smishing (identity theft via SMS) should be processed in the coming days,” the association's spokesperson assures us. He points out that fraudulent numbers can be reported to 33700.

“OADCs deemed potentially sensitive have been subject to a blacklisting and whitelisting system for almost 10 months,” af2m specifies. “Smishing represents 0.5% of reported numbers. Even if this number is relatively low, af2m and its members work to reduce the risks of smishing as much as possible, while being aware that zero risk, unfortunately, does not exist,” adds the spokesperson. Furthermore, the lack of reporting does not mean that there are no victims.

Alexandre Archambault, a lawyer specializing in digital law, tells us that “operators can only intervene upon notification to 33700 to block a message. They have no obligation to control the content or the issuer. Cybercriminals also go abroad and through aggregators to avoid technical control systems.”
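
The kind of sender-name check that is missing in the chain described above can be sketched as follows. This is an added example, not code from Numerama, af2m or any operator; the registry contents, account identifiers and `.example` domains are constructed assumptions.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Constructed registry (assumption): protected sender name -> accounts allowed
# to use it and the link domains its messages may contain.
PROTECTED_OADCS = {
    "NAVIGO": {
        "accounts": {"acct-transit-demo"},
        "domains": {"transit-operator.example"},
    },
}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
LOOKALIKES = str.maketrans({"0": "O", "1": "I", "5": "S"})


def normalize_oadc(name):
    """Fold accents, separators, case and digit look-alikes ('Navig0' -> 'NAVIGO')."""
    folded = unicodedata.normalize("NFKD", name)
    folded = "".join(c for c in folded if c.isalnum())
    return folded.upper().translate(LOOKALIKES)


def check_campaign(account_id, oadc, text):
    """Return (decision, reason) for one campaign submitted to the gateway."""
    entry = PROTECTED_OADCS.get(normalize_oadc(oadc))
    if entry is None:
        return ("allow", "sender name is not protected")
    if account_id not in entry["accounts"]:
        return ("block", "account not authorised for this sender name")
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname or ""
        if not any(host == d or host.endswith("." + d) for d in entry["domains"]):
            return ("block", "link host not approved: " + host)
    return ("allow", "authorised account and approved links")


if __name__ == "__main__":
    # Constructed submissions: (account, claimed sender name, message text).
    for sub in [
        ("acct-reseller-demo", "NAVIGO", "Refund: https://refund-claim.example/x"),
        ("acct-reseller-demo", "Navig0", "Your refund is ready"),
        ("acct-transit-demo", "NAVIGO", "Info: https://www.transit-operator.example/news"),
    ]:
        print(sub[1], check_campaign(*sub))
```

The check only sees links written with an explicit `http://` or `https://` scheme, so a real gateway would also need to handle bare domains and URL shorteners.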

All that remains for the general public is to exercise caution and report suspicious messages to avoid falling into the trap. For example, remember that Île-de-France Mobilités will surely indicate on its site that a reimbursement campaign is in progress, rather than announce it in an SMS ending with a cheerful “enjoy!”.

