In September and October of this year, a malicious campaign targeting the French population and affecting financial institutions was observed in France; it has since spread to banks in Spain.
The French Deposit Guarantee Fund (FGDR) published an alert warning about scams carried out by threat actors who used the institution's name and logo on their letterheads and documents to gain their victims' trust, implying that even a deposit of €100,000 would be guaranteed by the French state in case of loss.
In particular, the following logos to which the institution refers appear in the evidence analysed:
Telefónica Tech’s Digital Risk Protection service has established that the campaign involves a preliminary step: malicious actors make telephone calls to both individuals and legal entities located in France, and then send e-mails offering savings and deposit accounts with high annual interest rates. To this end, they register domains created specifically for this campaign that contain the name of the impersonated brand, which means that the FGDR is not the only organisation affected.
Those behind the campaign pose as employees of well-known financial companies. They use elaborate brochures that imitate the company they claim to represent (adding that the operations are protected by the aforementioned FGDR, hence its alert about being impersonated) and provide attachments bearing the logo, name and format of the affected brand, which are hosted on the PandaDoc platform.
In this way, the victim is tricked into believing that he or she is opening an account with the entity and transferring a certain amount of money to it. In reality, the money is moved to an account controlled by the threat actors. The use of legitimate infrastructure also gives the campaign an appearance of legitimacy and a degree of complexity.
For search purposes, it is worth noting that the malicious actors use the following telephone number pattern: 01 88 83 84 XX, which corresponds to landline numbers geolocated in Paris. Some of the names they use are Pascal Delconte, Sophie Labeyre, Eric Noa, Christophe Guerado, Philippe Marchand, Mickael Jolive and Julien Bertaux.
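The number pattern above can be searched for in call logs or e-mail bodies once the different ways of writing a French number are normalised. The following is an added example, not part of the original article; the function names and the sample lines are constructed for illustration.

```python
import re

# Pattern given in the article: 01 88 83 84 XX (Paris landline range).
CAMPAIGN_PREFIX = "01888384"

# A French number in free text: national form (0X XX XX XX XX) or
# international form (+33 / 0033, optionally followed by "(0)"), with
# optional space, dot or dash separators between the digit groups.
CANDIDATE = re.compile(
    r"(?<![\d+])(?:(?:\+|00)33[ .-]?(?:\(0\)[ .-]?)?|0)"
    r"[1-9](?:[ .-]?\d{2}){4}(?!\d)"
)

def normalize(raw):
    """Reduce any accepted spelling to the 10-digit national form."""
    digits = re.sub(r"\D", "", raw)
    if raw.startswith("+33"):
        digits = digits[2:]          # drop country code "33"
    elif digits.startswith("0033"):
        digits = digits[4:]          # drop "0033"
    return "0" + digits.lstrip("0")  # also absorbs the optional "(0)"

def find_campaign_numbers(text):
    """Return normalized numbers in text that fall in the campaign range."""
    found = (normalize(m.group()) for m in CANDIDATE.finditer(text))
    return [n for n in found if n.startswith(CAMPAIGN_PREFIX)]

def scan(lines):
    """Return (line_number, number) for every hit, line numbers from 1."""
    return [(i, n) for i, line in enumerate(lines, 1)
            for n in find_campaign_numbers(line)]

# Constructed sample input, not taken from real logs.
SAMPLE_LINES = [
    "inbound call from 01 88 83 84 12 to reception",
    "Signature: Tel. +33 (0)1 88 83 84 07",
    "callback requested: 0033188838455",
    "Contact us: 01.88.83.84.99",
    "supplier line 01 88 83 85 12",  # neighbouring range, must not match
    "invoice ref 0188838412345",     # longer digit run, not a phone number
]

if __name__ == "__main__":
    for line_no, number in scan(SAMPLE_LINES):
        print(f"line {line_no}: {number}")
```

A hit only shows that a number falls in the published range; it should be correlated with the other indicators in this article before a contact is treated as part of the campaign.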
Lastly, three possible malicious bank accounts used in this campaign affecting Spanish assets should be highlighted:
- IBAN ESXX XXXX XXXX XXXX XXXX XXX1
- IBAN ESXX XXXX XXXX XXXX XXXX XXX8
- IBAN ESXX XXXX XXXX XXXX XXXX XXX2
So far, direct spoofing has been detected against at least one national entity, and two further entities have been affected indirectly through the use of accounts possibly breached or controlled by the malicious actors.