Orange fake refund: don’t be tricked by this very convincing phishing

by Kelvin
Orange fake refund: don't be tricked by this very convincing phishing

A phishing campaign by SMS pretext for a refund to steal your personal data and credit card information.

“”. Fortunately, the hackers forgot the “Γ©” in this phishing SMS which was still circulating on August 11th. Because apart from this initial error, the scam is particularly well put together, and more than one person could be trapped.

Β Β 

Here is the SMS received by the phishing targets. This first contact is the weak link in the chain used for the scam. // Source: @ Odrilow /Twitter

The criminals try to get their targets to enter their personal information (first name, last name, phone number and address) then their credit card information on a site that looks like Orange. But instead of going on the operator’s servers, this data will end up with hackers, who can then exploit it for their own profit or resell it on specialized forums.

On August 4, Cyberguerre had identified a similar phishing campaign in the name of SFR. The hackers used the mafacturesfr site[.]fr and were already claiming a false reimbursement following technical problems during containment. A few days later, a campaign to steal Bouygues Telecom accounts exploited the same scenario. It is therefore without too much surprise that Orange is now targeted.

An almost identical copy of the Orange site

The first strength of this phishing is to rely on a credible site name: a “.fr”, which applies the HTTPS security protocol, and composed of two logical words “invoice” and “Orange”. The identity used (name, first name, address) used to buy the domain name is the same as that used to buy “mafacturesfr.fr”, which suggests that the same person declined his trap for the two operators.

Then, when we click on the link, we arrive on a page extremely well copied on the identification page of the official site of the operator, orange.fr.

Orange fake refund: don't be tricked by this very convincing phishing

On the left, the phishing page, on the right, the official Orange login area. The phishing footer is also the same as on the official website. // Source: Numerama screen caps.

Rare detail for a phishing, all the links on the page work as on the Orange site. The phishing page therefore refers to… the operator’s site. Usually, phishing sites just display fake links, or assign the URL of the malicious page to all links. Here, even the drop-down menu in the corner of the screen works fine! Enough to maintain the illusion that the site belongs to Orange.

The fake page is presented under the name “customer area”. Just below, an insert β€œβ€ explains, in perfect French, that β€œβ€. Luckily, we are eligible for the device, and the fake Orange claims that we will recover the significant sum of 22.90 euros. All we need to do is fill out a form: last name, first name, date of birth, address, postal code, city, telephone number.

We click on “continue”. The hackers have already succeeded: they will be able to resell our personal data. But they still want more.

Phone scams for phishing victims?

Another page opens and asks us for our credit card details in order to “”. Never will a legitimate service ask for your credit card information for a refund. But be it, we do – with a wrong number.

A third page appears and tells us “” The hackers now have our bank card number and can carry out online transactions, depending on the level of protection offered by our bank (well, if our bank card was not fake).

The pirates don’t stop there. They explain to us that in order to guarantee a maximum level of security for transactions, the Certissim company would contact us by email or phone. This maneuver opens the door for a possible telephone scam, for which a criminal will only have to present himself as Certissim.

Orange fake refund: don't be tricked by this very convincing phishing

After stealing the data, hackers go even further. // Source: Numerama screenshot.

Except that one detail is wrong: Certissim is a credit card fraud detection service that has existed. But its parent company, Fia-Net, was acquired in 2016 by Oney. Consequently, Certissim no longer exists under this name, and its site links to that of Approov-Decision, an equivalent service, owned by Oney.

This detail from another time in phishing suggests the thieves used an old kit to build their scam. At least this anachronism could make some victims realize that they have fallen into a trap.

After several tens of seconds spent on the page, we are redirected to the official orange site. A common practice among hackers, intended to reassure victims about the manipulations they have just carried out.

What if I gave my information?

  • If you have provided your credit card information, start by opposing it. The vast majority of banks have a 24/7 phone line, just call it. Every minute can save you a few hundred dollars.
  • If you filled out the first form, be extra careful. Your information will likely circulate on hacker forums, and you will be tagged as someone who has taken a phishing bite. Don’t panic though: your data will be used for phishing. You just need to be extra vigilant in the face of any suspicious email or call.

CyberGhost, Cyberwarre’s exclusive advertiser, is a premium VPN provider at affordable prices. It has thousands of secure servers spread across the world, allowing it to relocate its IP address and bypass geoblocks. CyberGhost does not keep any record of user activity. Its VPN application is available on all operating systems and connected devices and is the easiest to access on the market. Learn more about CyberGhost’s VPN solution