WIPO Arbitration and Mediation Center

ADMINISTRATIVE PANEL DECISION

Carrefour v. Name Redacted

Case No. D2015-1174

1. The Parties

The Complainant is Carrefour of Boulogne-Billancourt, France, represented by Dreyfus & associés, France.

The Respondent is Name Redacted.

2. The Domain Name and Registrar

The disputed domain name <webmail-carrefour.com> is registered with eNom, Inc (the “Registrar”).

3. Procedural History

The Complaint was filed with the WIPO Arbitration and Mediation Center (the “Center”) on July 8, 2015. On July 8, 2015, the Center transmitted by email to the Registrar a request for registrar verification in connection with the disputed domain name. On the same date, the Registrar transmitted by email to the Center its verification response confirming that the Respondent is listed as the registrant and providing the contact. On the same date, the Complainant sent an email to the Center informing that the information available on the WhoIs records, which was confirmed by the Registrar, erroneously displayed the name of an individual employed by the Complainant as the registrant of the disputed domain name. The Complainant informed that it would initiate criminal proceedings in France for identity theft and requested that the individual employed by the Complainant was not named as the Respondent and that the panel decision be anonymized.

The Center verified that the Complaint satisfied the formal requirements of the Uniform Domain Name Dispute Resolution Policy (the “Policy” or “UDRP”), the Rules for Uniform Domain Name Dispute Resolution Policy (the “Rules”), and the WIPO Supplemental Rules for Uniform Domain Name Dispute Resolution Policy (the “Supplemental Rules”).

In accordance with the Rules, paragraphs 2(a) and 4(a), the Center formally notified the Respondent of the Complaint, and the proceedings commenced on July 14, 2015. In accordance with the Rules, paragraph 5(a), the due date for Response was August 3, 2015. The Respondent did not submit any response. Accordingly, the Center notified the Respondent’s default on August 4, 2015.

The Center appointed Marie-Emmanuelle Haas as the sole panelist in this matter on August 11, 2015. The Panel finds that it was properly constituted. The Panel has submitted the Statement of Acceptance and Declaration of Impartiality and Independence, as required by the Center to ensure compliance with the Rules, paragraph 7.

As requested by the Complainant, the Panel decides to redact the name of the Registrar-confirmed registrant of the disputed domain name of this Decision. Attached as Annex 1 to this Decision is an instruction to the Registrar regarding transfer of the disputed domain name that includes the name of the referenced individual, and the Panel has authorized the Center to transmit Annex 1 to the Registrar as part of the order in this proceeding. However, the Panel directs the Center, pursuant to paragraph 4(j) of the Policy and paragraph 16(b) of the Rules, that Annex 1 to this Decision shall not be published based on exceptional circumstances. See Banco Bradesco S.A. v. FAST-12785241 Attn. Bradescourgente.net / Name Redacted, WIPO Case No. D2009-1788.

4. Factual Background

The Complainant is the registered owner of the following CARREFOUR trademarks, that are the subject matter of this UDRP proceeding:

- CARREFOUR, French trademark, registration No. 1,565,338, registered November 11, 2009, in classes 1 to 24, for several products and services;

- CARREFOUR, CTM, registration No. 0,051,783,71, registered August 30, 2007 in classes 9, 35 and 38 for scientific apparatus and instruments; advertising, business administration, office work and telecommunications.

The Complainant asserts that the Complainant and its CARREFOUR trademarks enjoy a worldwide reputation.

The Complainant owns domain names such as <carrefour.com>, registered on October 25, 1995 and <carrefour.fr>, registered on June 23, 2005.

In 1959, the Carrefour supermarket company was set up by the Fournier, Badin and Defforey families who ran a discount supermarket in Annecy.

The Complainant explains that the Carrefour Group is the leading retailer in Europe and the second-largest retailer in the world, employing more than 380,000 people. With more than 10,800 stores in 34 countries, it generated revenues of EUR 100.5 billion in 2014.

As a multi-local, multi-format, and multi-channel retailer, Carrefour submits it is a partner for daily life. Every day, it welcomes more than 10 million customers around the world, offering them a wide range of products and services.

A pioneer in countries such as Brazil in 1975 and China in 1995, the Group now operates on three major markets: Europe, Latin America and Asia. With a presence in more than 30 countries, it generates more than 53% of its sales outside France.

The Complainant owns and communicates on the Internet via various websites in order to present and to propose to the Internet users its services and products. It refers to its website “www.carrefour.com”. The Complainant’s employees have access to dedicated websites, such as “https://webmail.carrefour.com/”.

The disputed domain name <webmail-carrefour.com> was registered on July 5, 2015.

The WhoIs record reveals that the Respondent has impersonated an individual employed by the Complainant and thereby reproduced the postal address of the Complainant’s registered office.

The registrant email available on the WhoIs records is not a Complainant’s email address.

The disputed domain name resolved to a page imitating the official website of the Complainant “https://webmail.carrefour.com/”.

About 240 of the Complainant’s employees received emails requesting them to connect on the fraudulent website that was imitating Complainant’s official website “https://webmail.carrefour.com/” requesting employees to enter their login and password.

The Complainant requested the service provider – Rapidomaine – to deactivate the DNS server. Consequently, the fraudulent website imitating Complainant’s official website was deactivated and, on July 7, 2015 it redirects towards “www.fraud.org/”.

5. Parties’ Contentions

A. Complainant

1. Confusing similarity. Rules 3(b)(ix)(i); Policy paragraph4(a)(i).

The disputed domain name reproduces entirely the Complainant’s trademark, which previous UDRP panels have considered to be “well-known” or “famous”, with the adjunction of the generic and descriptive term “webmail” intersected by a hyphen.

The Complainant relies on Carrefour v. VistaPrint Technologies Ltd, WIPO Case No. D2015-0769 , Carrefour v. Park KyeongSook, WIPO Case No. D2014-1425, and Carrefour v. Tony Mancini, USDIET, WIPO Case No. D2014-1277.

The Complainant argues that in many UDRP decisions, panels have considered that the incorporation of a trademark in its entirety may be sufficient to establish that a domain name is identical or confusingly similar to the complainant’s registered mark. For instance, the Complainant relies on Swarovski Aktiengesellschaft v. mei xudong, WIPO Case No. D2013-0150 and RapidShare AG, Christian Schmid v. InvisibleRegistration.com, Domain Admin, WIPO Case No. D2010-1059.

Furthermore, the Complainant argues that when taking into consideration the previous website to which the disputed domain name directed, the composition of the disputed domain name and the emails sent to the Complainant’s employees, coupled with the WhoIs record constituting an identity theft, the likelihood of confusion was further amplified. Indeed, the disputed domain name previously directed towards an imitation of the official website of the Complainant. Internet users, in particular Complainant’s employees, have undoubtedly been misguided to believe that the disputed domain name belongs to the Complainant.

Therefore, the Complainant contends that the disputed domain name is identical in all material respects to the Complainant’s trademark and company name CARREFOUR. Thereby, the disputed domain name is likely to mislead Internet users and the Complainant’s employees into reasonably believing that the Respondent is authorized by or otherwise affiliated with the Complainant or the Complainant’s business which is clearly not the case. It might also lead Internet and the Complainant’s employees users to wrongly believe that the Complainant itself has endorsed, or otherwise created the disputed domain name.

For all of the above mentioned reasons, the Complainant considers that the disputed domain name is identical to the trademark CARREFOUR in which the Complainant has rights, and therefore the condition of paragraph 4(a)(i) of the Policy is fulfilled.

2. Rights or Legitimate Interests. Rules 3(b)(ix)(2); Policy paragraph 4(a)(ii).

The Complainant asserts that the Respondent has no rights, or legitimate interests, in the disputed domain name.

The Complainant recalls that in previous UDRP decisions, panels found that in the absence of any license or permission from the Complainant to use such widely-known trademarks, no actual or contemplated bona fide or legitimate use of the domain name could reasonably be claimed. It relies on Groupe Auchan v. Gan Yu, WIPO Case No. D2013-0188, and LEGO Juris A/S v. DomainPark Ltd, David Smith, Above.com Domain Privacy, Transure Enterprise Ltd, Host master, WIPO Case No. D2010-0138.

Moreover, the Complainant argues that as the disputed domain name is identical to the famous CARREFOUR trademark, the Respondent cannot reasonably pretend that it was intending to develop a legitimate activity through the disputed domain name.

In addition, the Complainant contends that the Respondent did not demonstrate any use of, or demonstrable preparations to use, the disputed domain name in connection with a bona fide offering of goods or services. Indeed, the disputed domain name used to resolve to an imitation of the official website of the Complainant attempting to fraudulently obtain sensitive information like usernames and passwords from the Complainant’s employees. Consequently, the Respondent fails to show any intention of fair use of the disputed domain name. It is most likely to be believed that the Respondent has no legitimate interest or rights in the disputed domain name.

Additionally, the Complainant asserts that the Respondent has used a similar email composition as that of the disputed domain name, i.e. “courier@webmail-carrefour.com”, to send emails to the Complainant’s employees requesting them to connect to the website hosted under the disputed domain name by inserting their username and password in order to have access to a so-called new internal procedure. In fact, 245 fraudulent emails have been sent to the Complainant’s employees between July 5, 2015 and July 6, 2015.

The Complainant considers that it is therefore clear that the Respondent is engaged in a phishing scheme, a practice intended to defraud consumers into revealing personal and financial information. Consequently, the disputed domain name is not used in any type of legitimate business or services. It deceives consumers/employees, who incorrectly understand that they are referred to the Complainant’s bona fide services. The Complainant relies on Google, Inc. v. Robert Takovich, WIPO Case No. DMX2012-0006 to support its argument.

Moreover, the Complainant contends that the circumstances of the case reveals an identity theft because despite the fact that the disputed domain name was registered using the name of an individual employed by the Complainant, he is not the actual registrant of the disputed domain name.

The Complainant explains that the email address used for the registration of the disputed domain name is not the email address of the individual employed by the Complainant. It is likely to be the one of the actual registrant (Swarovski Aktiengesellschaft v. Catherine Loke, WIPO Case No. D2013-0160).

The Complainant considers that for all of the above-cited reasons, it is undoubtedly established that the Respondent has no rights or legitimate interests in respect to the disputed domain name under paragraph 4(a)(ii) of the Policy.

3. Registered and used in Bad Faith. Rules 3(b)(ix)(3); Policy paragraph 4(c)(iii).

Paragraph 4(a)(iii) of the Policy requires the Complainant to prove that the Respondent registered and used the disputed domain name in bad faith. The language of paragraph 4(a)(iii) of the Policy requires that both bad faith registration and bad faith use be proven.

The Complainant asserts that it is implausible that the Respondent was unaware of the Complainant when it registered the disputed domain name.

The Complainant relies on Research In Motion Limited v. Privacy Locked LLC/Nat Collicot, WIPO Case No. D2009-0320 and The Gap, Inc. v. Deng Youqian, WIPO Case No. D2009-0113 to argue that bad faith can be found where the respondent “knew or should have known” of the complainant’s trademark rights and, nevertheless registered a domain name in which it had no rights or legitimate interest.

The Complainant contends that firstly the Complainant is well-known throughout the world. Secondly, several UDPR panels have previously mentioned its worldwide reputation, making it unlikely that the Respondent was not aware of the Complainant’s proprietary rights in the trademark CARREFOUR. Thirdly, the Respondent has set up a page imitating the Complainant’s official website, has imitated the Complainant’s domain name <webmail.carrefour.com> in the composition of the disputed domain name and has finally contacted the Complainant’s employees through a phishing scheme.

Besides, the Complainant relies on LEGO Juris A/S v. store24hour, WIPO Case No. D2013-0091; Lancôme Parfums et Beauté & Cie, L’Oréal v. 10 Selling, WIPO Case No. D2008-0226, and Caixa D´Estalvis I Pensions de Barcelona (“La Caixa”) v. Eric Adam, WIPO Case No. D2006-0464, to argue that bad faith has already been found where a domain name is so obviously connected with a well-known trademark that its very use by someone with no connection to the trademark suggests opportunistic bad faith. Given the reputation of the CARREFOUR trademark, the Complainant considers that registration in bad faith can be inferred.

The Complainant asserts that 245 fraudulent emails have been sent to the Complainant’s employees between July 5, 2015 and July 6, 2015. It implies that a significant number of fraudulent emails were sent right after the registration of the disputed domain name, which occurred on July 5, 2015. Hence, the Complainant considers that it can be concluded that the disputed domain name was primarily registered for phishing purposes. Subsequently, such a registration cannot reasonably be considered as a bona fide one.

Additionally, the Complainant argues that the Respondent failed to provide correct contact details since it has impersonated an individual employed by the Complainant. Even if the Complainant would have sent a cease-and-desist letter by registered letter, such information would have been useless to allow an efficient postal contact with the owner of the disputed domain name and is therefore in breach of the registration agreement.

The Complainant relies on a similar phishing case, NES Rentals Holdings, Inc. v. Gold Bond Inc / John Bickel / brian parris / James Frost / James Keller / John Doe / Whois Privacy Protection Service, Inc., WIPO Case No. D2012-1002, where it was held that It is clear from the relevant circumstances that the Respondents were well aware of the Complainant and had the Complainant’s mark in mind when registering the disputed domain names. The record convincingly evinces that the Respondents’ primary motive in relation to the registration and use of the disputed domain names was to capitalize on or otherwise take advantage of the Complainant’s trademark rights, in furtherance of a scheme of identity theft and fraud perpetrated on the public.”

Thereby, the Complainant considers that there is no doubt as to the fact that the Respondent registered the disputed domain name in bad faith since it was aware of the Complainant.

The Complainant asserts that the Respondent is engaged in a phishing scheme and that it clearly aimed at stealing valuable information such as usernames and passwords from the Complainant’s employees through the use of an email address and a website imitating the Complainant’s official website. The Complainant relies on OLX, Inc. v. J D Mason Singh, WIPO Case No. D2014-1037, and The Royal Bank of Scotland Group plc v. Secret Registration Customer ID 232883 / Lauren Terrado, WIPO Case No. D2012-2093, to submit that prior UDRP panels have agreed that there is no better evidence of bad faith than a fraudulent phishing scheme set up with the help of a domain name containing the trademark of a company the customers or Internet users of which are being misled and deceived into believing they are dealing with the owner of the trademark.

The Complainant relies on TPI Holdings, Inc. v. Elaine Noe, WIPO Case No. D2009-0568, to consider that there can’t be any use in good faith. It argues that the disputed domain name has been registered through the use of an identity theft because the name of an individual employed by the Complainant and the post address of the Complainant were fraudulently used for the registration of the disputed domain name.

Therefore, in view of the present circumstances, the Complainant submits that it is likely that the Respondent registered the disputed domain name to prevent the Complainant from reflecting its trademark in the disputed domain name. This type of conduct constitues evidence of the Respondent’s bad faith (L’oreal v. Chenxiansheng, WIPO Case No. D2009-0242).

The Complainant considers that such a behavior shows that the Respondent is attempting to take undue advantage from the registration of a domain name which is confusingly similar in all aspects with the Complainant. Such a use of the disputed domain name might be hazardous for consumers as well as for the Complainant’s business and reputation. Accordingly, adequate measures should be taken to prevent further fraudulent attempts from the Respondent through the use of the disputed domain name.

B. Respondent

The Respondent did not reply to the Complainant’s contentions.

6. Discussion and Findings

To prevail in the proceedings under the Policy, the Complainant must show that the three requirements set forth in paragraph 4(a) of the Policy are met. Those requirements are:

(i) the domain name is identical or confusingly similar to a trademark or service mark in which the Complainant has rights;

(ii) the Respondent has no rights or legitimate interests in respect of the domain name; and

(iii) the domain name has been registered and is being used in bad faith.

Likewise, under paragraph 4(c) of the Policy, the Respondent can demonstrate its rights and legitimate interests in the disputed domain name in its response to the Complaint by proving, among others, the circumstances mentioned under this paragraph of the Policy.

A. Identical or Confusingly Similar

The Complainant has clearly established rights in the CARREFOUR trademark.

The disputed domain name reproduces entirely the widely known CARREFOUR trademark with the adjunction of the generic and descriptive term “webmail” intersected by a hyphen.

The choice of the term “webmail” is not anodyne. The Respondent likely chose this term in order to create confusion with the Complainant’s website at “http://webmail.carrefour.com/”.

Therefore, the Panel finds that the disputed domain name is confusingly similar to the Complainant’s trademark. The condition of paragraph 4(a)(i) of the Policy has been satisfied.

B. Rights or Legitimate Interests

As set forth by paragraph 4(c) of the Policy, any of the following circumstances, in particular but without limitation, if found by the Panel to be proved based on its evaluation of all evidence presented, shall demonstrate the Respondent’s rights or legitimate interests to the domain name for purposes of paragraph 4(a)(ii):

(i) before any notice to the Respondent of the dispute, its use of, or demonstrable preparations to use, the domain name or a name corresponding to the domain name in connection with a bona fide offering of goods or services; or

(ii) the Respondent (as an individual, business, or other organization) has been commonly known by the domain name, even if it has acquired no trademark or service mark rights; or

(iii) the Respondent is making a legitimate noncommercial or fair use of the disputed domain name, without intent for commercial gain to misleadingly divert consumers or to tarnish the trademark or service mark at issue.

The Respondent did not respond to the Complaint. Consequently it did not provide any evidence or circumstances to establish that it has rights or legitimate interests in the disputed domain name, according to paragraph 4(c) of the Policy.

In the circumstances of this case, the Panel finds that this constitutes a clear acknowledgment that it has no rights or legitimate interests in the disputed domain name.

There is nothing that indicates that the Respondent is commonly known by the disputed domain name.

The Complainant has not licensed or otherwise permitted the Respondent to use the CARREFOUR trademarks, or to register any domain name incorporating the CARREFOUR trademark.

The Respondent makes an unfair use of the disputed domain name.

The Respondent concealed its identity when registering the disputed domain name. It used the email address <courier@webmail-carrefour.com> to request the Complainant’s employees to connect to the website hosted under the disputed domain name by inserting their username and password in order to have access to a so-called new internal procedure.

The website hosted under the disputed domain name was a copy of the Complainant’s website at “http://webmail.carrefour.com/”.

These elements demonstrate identity theft and a phishing scheme, which do not establish rights or legitimate interests in the disputed domain name.

Accordingly, the Panel finds that the condition of paragraph 4(a)(ii) of the Policy has been satisfied.

C. Registered and Used in Bad Faith

Paragraph 4(b) of the Policy sets out examples of circumstances that will be considered by an Administrative Panel to be evidence of the bad faith registration and use of a domain name. It provides that:

“For the purposes of Paragraph 4(a)(iii), the following circumstances, in particular but without limitation, if found by the Panel to be present, shall be evidence of the registration and use of a domain name in bad faith:

(i) circumstances indicating that you have registered or you have acquired the domain name primarily for the purpose of selling, renting, or otherwise transferring the domain name registration to the Complainant who is the owner of the trademark or service mark or to a competitor of that Complainant, for valuable consideration in excess of your documented out-of-pocket costs directly related to the domain name; or

(ii) you have registered the domain name in order to prevent the owner of the trademark or service mark from reflecting the mark in a corresponding domain name, provided that you have engaged in a pattern of such conduct; or

(iii) you have registered the domain name primarily for the purpose of disrupting the business of a competitor; or

(iv) by using the domain name, you have intentionally attempted to attract, for commercial gain, Internet users to your web site or other on-line location, by creating a likelihood of confusion with the Complainant’s mark as to the source, sponsorship, affiliation, or endorsement of your web site or location or of a product or service on your web site or location.”

1. Concerning bad faith registration of the disputed domain name

The CARREFOUR trademarks are widely known worldwide.

The Respondent was perfectly aware of the Complainant’s rights on the CARREFOUR trademark when registering the disputed domain name.

As alleged in the Complaint, the disputed domain name was registered using the name of an individual employed by the Complainant and the postal address of the Complainant. Consequently the disputed domain name registration is the result of an identity theft.

The organized phishing scheme practice described by the Complainant shows that the disputed domain name has been registered primarily for the purpose of defrauding the Complainant’s consumers and employees into revealing personal and financial information, and to disrupt the Complainant’s business.

Therefore the bad faith concerning registration of the disputed domain name is proven.

2. Concerning bad faith use of the disputed domain name

The Respondent’s action is in line with paragraph 4(b)(iv) of the Policy, as the Respondent intentionally attempted to steal valuable information such as usernames and passwords from the Complainant’s employees through the use of an email address and a website imitating the Complainant’s official website.

The Panel finds that the Complainant has made out that the disputed domain name was registered and is being used in bad faith.

Therefore, the condition set out by paragraph 4(a)(iii) of the Policy has been met by the Complainant.

7. Decision

For the foregoing reasons, in accordance with paragraphs 4(i) of the Policy and 15 of the Rules, the Panel orders that the disputed domain name, <webmail-carrefour.com> be transferred to the Complainant.

Marie-Emmanuelle Haas
Sole Panelist
Date: August 18, 2015