Phishing attempt on French e-tolls

@cryptax
2 min readMar 21, 2024

--

Yesterday, I received a well-crafted phishing attempt email targeting users of a French e-toll company. While this email contains no mobile malware (my field), I wanted to look into it.

Note that the company reports several phishing attempts currently, and the linked page was particularly useful 👍 to understand this was phishing.

A well-crafted phishing attempt

The phishing email is well done:

- The French is impeccable,
- The email and website domain names match and seem reasonably legit,
- There is also an unsubscribe link,

List-Unsubscribe:  <unsubcribe@ulys-facturation.com?subject=unsubscribe>, <https://unsubcribe.ulys-facturation.com>
  • The logo looks correct,
  • Email headers do not show any particular anomaly. There is a “no-reply” sender, which makes the email look quite “professional”.
Sender:  Ulys by VINCI Autoroutes <noreply@ulys-facturation.com>
HTML view of the email (normally, I use Alpine email client, lol, but that wouldn’t be a very nice screenshot). Note I do not allow remote content in my emails, so the logo does not show. The text says the e-toll account was suspended due to billing issues, and suggests to click on the button to update billing information.

The HTML code does not reveal any particular trick, except the button links to hxxps://ulys-facturation.com. However, this domain name looks legit + it matches the email domain names.

So, how do I know it’s phishing? Well, because I don’t have an e-toll device from that company 😏 and thanks to the webpage of the official company warning about phishing attempts (link at the top of blog post).

Investigating the domain name

The domain name was registered at Squarespace Domains (NB. the company is legit and is not correlated to the phishing attempt).

The date says today, but actually, on Virustotal, it says yesterday.

Currently, the domain name resolves to 91[.]215.85.189 which is hosted in Russia. Note: this is not attributing the attempt to Russia, we’d need much more elements.

Many other domain names resolve to the same IP address. We’ll note a few others targeting the e-toll company ulys-pass-renouvellement[.]com, ulys-vinci-autoroute-renouvellement[.]com, but also a French bank “Société Générale” sg-et-vous[.]com, sg-information-mise-a-jour[.]com…

Phishing domain names

— the Crypto Girl

--

--

@cryptax

Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.