Montpellier appears to be the target of a scam campaign. Residents have received fake La Poste delivery notices that redirect them to a site asking for their bank details.
Flavio Perez received a strange letter on August 23. After leaving it aside for a few days, the technical director of an animation film studio took a closer look at this odd delivery notice. After a few checks, the Montpellier resident smelled a scam.
The delivery notice states that a registered letter with acknowledgment of receipt could not be delivered and invites the recipient to schedule a new delivery. The only problem is that both the printed link and the scannable QR code redirect to a fraudulent site, where the victim is asked to enter their bank details.
“I have to admit that physical phishing is a first for me, and it took me a few minutes and a few checks to make sure it was a scam,” Flavio Perez told Tech & Co.
Fortunately, this Montpellier resident is alert to phishing attempts: scams that take the form of emails or SMS messages dressed in the branding of an organization the victim knows, such as their bank or telephone operator.
Several things alerted Flavio Perez. First, the length of the URL, which was abnormally long, bothered him. Next, the document was badly printed. In addition, the paper quality resembled that of a page printed at home.
Other clues in the document betray the attempted scam. The tracking number is printed directly on the notice. Usually, the postman adds it himself in pen or with a label. On Twitter, others also noted that the tracking number used is the one given as an example on the La Poste website.
Flaw in a redirect tool
Although he admits to having had doubts, one detail convinced him to open the link. “When I pointed at the QR code, I saw that the URL pointed to the La Poste site,” said Flavio Perez. “So I opened it.” But once clicked, the link ultimately sent him to an unknown site, which confirmed his suspicions.
This display is not the result of an error. The scam exploits a flaw in an internal tool of the French company.
“La Poste has an internal tool that allows redirections between its various websites. In principle, these redirection tools are secured, checking that they always refer to reliable sites belonging to the group. This is not the case. Thus it is possible to hijack this tool to send a link containing the address ‘laposte.fr’ to a fraudulent site, which is very dangerous,” Xavier Mouton-Dubosc, journalist and Web developer, explained to Tech & Co.
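The destination check that such a redirect tool is expected to make, as an added example (not La Poste's code and not from the original article). The one-entry allowlist, the fallback URL, the function names and the sample URLs are all assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the page only says targets must be "sites belonging to the
# group"; this one-entry allowlist is illustrative, not La Poste's real list.
ALLOWED_HOSTS = {"laposte.fr"}
FALLBACK = "https://www.laposte.fr/"  # constructed safe landing page


def is_allowed_target(target: str) -> bool:
    """True only for an https URL whose host is an allowed domain or subdomain."""
    # Browsers read "\" as "/" and drop control characters, so a parser and a
    # browser can disagree on the host; refuse such input outright.
    if "\\" in target or any(ord(c) < 0x21 for c in target):
        return False
    try:
        parts = urlsplit(target)
        parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or not parts.hostname:
        return False  # also rejects "//host/..." and relative paths
    if parts.username is not None or parts.password is not None:
        return False  # "https://laposte.fr@other.example/" style userinfo
    host = parts.hostname.rstrip(".").lower()
    # Exact match or dot-delimited suffix only: "laposte.fr.other.example"
    # and "evil-laposte.fr" both fail.
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)


def resolve_redirect(target: str) -> str:
    """Destination the redirector should use: the target if allowed, else FALLBACK."""
    return target if is_allowed_target(target) else FALLBACK


if __name__ == "__main__":
    # Constructed sample targets (example domains, not taken from the campaign)
    for url in ("https://www.laposte.fr/suivi",
                "https://phish.example/laposte.fr",
                "https://laposte.fr.phish.example/",
                "https://laposte.fr@phish.example/",
                "//phish.example/"):
        print(f"{url!r:45} -> {resolve_redirect(url)}")
```

Substring tests such as `"laposte.fr" in target` pass every rejected sample above, which is why the comparison is made on the parsed hostname.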
Since Flavio Perez raised the alert on Twitter on August 28, the site referenced in the fake delivery notice has been deactivated. The Montpellier resident has nevertheless received many accounts from people who also found the fraudulent document in their mailbox. “At least two or three on Twitter,” he specified. Some affected residents live in different districts of Montpellier, which leaves the distribution of this scam, original to say the least, something of a mystery.
Contacted by Tech & Co, a spokesperson for La Poste confirmed that the company itself deactivated the link contained in the delivery notice. For now, the operation seems to be very local and confined to the city of Montpellier.
“This hybrid paper and digital test is a new one,” acknowledged the spokesperson. “But that makes deployment difficult because it requires significant logistics.” A patch has been tested to remove the possibility of redirection to any site. It should be deployed in the next few days.
At the beginning of July, the La Poste Mobile website was the target of a cyberattack. Claimed by the Russian-speaking hacker group LockBit 3.0, the operation led to the dissemination of personal data of thousands of customers of the fifth telephone operator in France.