Beware, a phishing attack on Orange Mail is being prepared

This screenshot shows a phishing page impersonating Orange Mail (Orange.fr), a major French telecommunications provider. The page asks for the victim’s email address and password, claiming they must log in to access their mailbox or client space.


Threat Analysis: Orange Phishing – Fake “Espace Client” Login Page

How it works:
The victim receives a phishing email, SMS, or other message claiming a security alert, account issue, or the need to verify their mailbox. The link leads to this page, which mimics the Orange Mail login interface. The page asks for:

  • Email address (Adresse email)
  • Password (Mot de passe)

The victim is then prompted to click “S’IDENTIFIER” (Sign in). The credentials are captured and sent to the attacker. A note about creating an account without being an Orange customer and a help link are added to appear legitimate.

The goal:
The attacker steals Orange account credentials to:

  • Access the victim’s email and personal information
  • Reset passwords for other online accounts linked to that email
  • Perform SIM swapping (porting the victim’s phone number) to bypass SMS‑based two‑factor authentication for banking or other services
  • Use the account to send further phishing messages

Red flags to watch for:

  • Suspicious URL: The page is hosted on a subdomain of uflorist.pro, not orange.fr. Legitimate Orange login pages are only on official Orange domains.
  • “Not secure” browser warning: The URL bar shows “Not secure” – the page is not served over HTTPS with a valid TLS certificate, unlike Orange’s official site.
  • “powered by ukit” footer: Official Orange pages do not include “powered by ukit” – this indicates the page was built on a free website builder (Ukit), which is not used by legitimate telecom providers for login portals.
  • Unsolicited login request: Orange does not send links requiring customers to log in to resolve account issues.
  • Minimal design / missing security features: The page lacks the full branding, security notices, and two‑factor authentication options present on the real Orange login page.

What to do if you encounter this:

  • Do not enter your email address or password.
  • If you are an Orange customer, always access your mailbox by typing orange.fr directly into your browser or using the official Orange app.
  • If you have already entered your credentials, change your Orange password immediately and contact Orange customer service to watch for SIM swapping attempts.
  • Report the phishing page to Orange’s fraud team (e.g., via [email protected]).

Protective measures:

  • Bookmark the official Orange login page and use that bookmark.
  • Use a password manager – it will not autofill on fake domains.
  • Enable two‑factor authentication on your Orange account if available.
  • Never log in via a link in an unsolicited message – always type the URL manually.
  • Avoid entering credentials on pages built with free website builders (Ukit, Wix, Weebly, etc.) – legitimate providers do not use these for secure login portals.

Be aware of fake Amazon pages.

This screenshot shows a phishing page impersonating Amazon’s sign‑in interface. The page asks for the victim’s email (or phone number) and password, then sends the credentials to the attacker.


Threat Analysis: Amazon Phishing – Fake Sign‑In Page

How it works:
The victim receives a phishing email, SMS, or other message claiming an order problem, account suspension, or the need to verify payment information. The link leads to this page, which mimics the Amazon login portal. The victim is asked to enter their email (or mobile number) and password, then click “Sign in.” The credentials are captured and sent to the attacker. After theft, the victim may be redirected to the real Amazon website, making the scam less noticeable.

The goal:
The attacker steals Amazon account credentials to:

  • Make fraudulent purchases using saved payment methods
  • Access order history and personal information
  • Change account settings (shipping addresses, email, password) to lock out the victim
  • Use the same email/password combination to compromise other accounts (credential stuffing)

Red flags to watch for:

  • Suspicious URL: The page is hosted on a subdomain of cloudns.cl (e.g., ap-webappsnetto27.cloudns.cl), not amazon.com. Legitimate Amazon sign‑in pages are only on official Amazon domains.
  • Outdated copyright: The footer shows “© 1996-2021” – the year 2021 is outdated for a screenshot likely taken later, a common sign of a copied phishing template.
  • Unsolicited login request: Amazon does not send links requiring customers to log in to resolve account issues. Always type amazon.com manually.
  • Missing security indicators: The page lacks the expected security badges, personalized elements (e.g., a saved email or security image), and two‑factor authentication prompts that appear on the real Amazon sign‑in page.

What to do if you encounter this:

  • Do not enter your email/phone or password.
  • If you have already entered your credentials, change your Amazon password immediately, enable two‑factor authentication, and check your account for unauthorized orders or changes.
  • Always access Amazon by typing amazon.com (or your local Amazon domain) directly into your browser.

Protective measures:

  • Bookmark the official Amazon sign‑in page and use that bookmark.
  • Use a password manager – it will autofill only on legitimate Amazon domains.
  • Enable two‑factor authentication on your Amazon account.
  • Be suspicious of any unsolicited message that asks you to log in via a link.
  • Check the URL carefully – look for misspellings, extra words, unusual top‑level domains (e.g., .cl), or unfamiliar parent domains (e.g., cloudns.cl).

Free Fire New Event phishing page with fake Facebook login window detected

This screenshot shows a phishing page that uses a fake “Free Fire New Event” as a lure to trick victims into logging in with Facebook. The page mimics the Facebook login interface to steal the victim’s credentials.


Threat Analysis: Free Fire Event Phishing – Facebook Credential Harvesting

How it works:
The victim receives a link (via social media, SMS, or messaging app) promising exclusive rewards or access to a new event for the game Free Fire. The link leads to a page that claims the victim must log in with their Facebook account to participate. The page asks for:

  • Mobile number or email address
  • Password

After the victim enters their credentials and clicks “Log In,” the information is sent to the attacker. The victim may then be redirected to the real Free Fire or Facebook website, making the scam less noticeable.

The goal:
The attacker steals Facebook credentials to:

  • Take over the victim’s Facebook account
  • Access the linked Free Fire (Garena) game account and steal or sell it
  • Post spam, scams, or malicious links from a trusted account
  • Attempt credential reuse on other platforms (email, banking, etc.)

Red flags to watch for:

  • Suspicious URL: The page is hosted on a domain that is not facebook.com or freefire.com. Legitimate Facebook login pages are only on official Facebook domains.
  • Free Fire event lure: Garena does not require you to log in via an external link to access events – all in‑game events are accessed directly through the Free Fire app.
  • Login page on a third‑party site: A legitimate event would either take place inside the game or on an official Garena website, not on a page that asks for Facebook credentials.
  • Unsolicited offer: Any unsolicited message promising free in‑game rewards in exchange for logging in via a link is almost certainly a scam.

What to do if you encounter this:

  • Do not enter your Facebook email/phone or password.
  • If you have already entered your credentials, change your Facebook password immediately and enable two‑factor authentication (2FA). Also check your Free Fire account for unauthorized access.
  • Always access Free Fire events through the official game app – never through external links.
  • Report the phishing page to Facebook and to Garena.

Protective measures:

  • Bookmark the official Facebook login page and use that bookmark.
  • Use a password manager – it will not autofill on fake domains.
  • Enable two‑factor authentication on your Facebook account.
  • Be suspicious of any message that asks you to log in to claim game rewards.

Preparations for a Crédit Agricole bank phishing attack revealed

These two screenshots form a two‑step phishing campaign impersonating Crédit Agricole, a major French bank. The first page is a fake welcome / regional selection page, and the second page is the actual credential‑harvesting login form.


Threat Analysis: Crédit Agricole Phishing – Fake “Accès CR” Login Page

How it works:
The victim receives a phishing email, SMS, or other message claiming a security alert, account issue, or the need to log in to their online banking. The link leads to the first page, which mimics the legitimate Crédit Agricole public portal (with menus for accounts, cards, savings, etc.). Clicking “VALIDER” (or a similar button) leads to the second page.

The second page asks for:

  • Identifiant – an 11‑digit identifier (example shown: 982662721)
  • Code personnel – a 6‑digit personal code (password)

A fake virtual keyboard (digits 0–9) is displayed to make the page appear more legitimate and to bypass simple keyloggers. The victim is instructed to enter their credentials and click “VALIDER.” The information is then sent to the attacker.

The goal:
The attacker steals Crédit Agricole online banking credentials (identifier + personal code) to:

  • Log into the victim’s real bank account
  • View balances, transfer funds, and make unauthorized payments
  • Perform further fraud or identity theft

Red flags to watch for:

  • Suspicious URL: The pages are hosted on a domain that is not credit-agricole.fr. Legitimate Crédit Agricole login pages are only on official bank domains.
  • Unsolicited login request: Crédit Agricole does not send links requiring customers to log in to resolve account issues.
  • Fake virtual keyboard: While the real bank may use a virtual keyboard, its presence on a fake page does not guarantee legitimacy – the page is still a phishing site.
  • Copied content: The first page copies legitimate Crédit Agricole branding and menus (e.g., “COMPTES & CARTES”, “Télécharger l’application Ma Banque”). Attackers use this to appear authentic, but the domain gives it away.
  • No personalization or security image: A legitimate login page often displays a security phrase or image after identifier entry – this page does not.

What to do if you encounter this:

  • Do not enter your 11‑digit identifier or 6‑digit personal code.
  • If you are a Crédit Agricole customer, always access online banking by typing credit-agricole.fr directly into your browser or using the official mobile app.
  • If you have already entered your credentials, contact Crédit Agricole immediately to change your access codes and secure your account.
  • Report the phishing page to Crédit Agricole’s fraud team ([email protected]).

Protective measures:

  • Bookmark the official Crédit Agricole login page and use that bookmark.
  • Use a password manager – it will not autofill on fake domains.
  • Enable two‑factor authentication (SécuriPass) through the official app.
  • Be suspicious of any unsolicited message that asks you to log in via a link.
  • Check the URL carefully – look for misspellings, extra words, or unusual top‑level domains.

Preparations for a phishing attack on La Banque Postale detected

This set of screenshots shows a phishing campaign impersonating La Banque Postale, a major French bank. The scam uses a fake regulatory notification (PSD2 / European security directive) to pressure victims into clicking a link that leads to a fraudulent login page, where their online banking credentials (identifiant and password) are stolen.

Update: a second attack 12 days later


Threat Analysis: La Banque Postale Phishing – Fake “Strong Authentication” Scam

How the scam works:

Step 1 – Fake Regulatory Alert (First Screenshot)
The victim receives an email or lands on a page claiming that due to new European regulations, online banking logins now require “strong authentication” every 90 days. The message warns that ignoring the request will lead to the deactivation of security programs on the account – a classic fear tactic. A button labelled “ACCÉDER À L’INTERFACE” (Access the interface) directs the victim to the next page.

Step 2 – Fake Login Page (Second and Third Screenshots)
The victim is taken to a page that mimics La Banque Postale’s client space. The page asks for:

  • Identifiant (login identifier)
  • Mot de passe (password)

A fake virtual keyboard (showing digits 0–9) is included to make the page appear more legitimate. The page also contains a warning about phishing attempts – ironically, this warning is copied from the real bank’s website and placed on a fake page to trick victims into believing the site is authentic.

The goal:
The attacker steals the victim’s La Banque Postale online banking credentials to:

  • Log into the victim’s real bank account
  • View balances, transfer funds, and make unauthorized payments
  • Commit fraud or identity theft

Red flags to watch for:

  • Suspicious URL: The pages are hosted on domains that are not labanquepostale.fr. Legitimate La Banque Postale login pages are only on official bank domains.
  • Unsolicited “regulatory” request: La Banque Postale does not send links requiring customers to log in to comply with PSD2 or any other regulation. Such updates are handled through the official app or website after normal login.
  • Threat of consequences: The warning that ignoring the message will lead to deactivation of security programs is a classic fear tactic.
  • Fake virtual keyboard: While the real bank may use a virtual keyboard, its presence on a fake page does not guarantee safety – the page is still a phishing site.
  • Copied anti‑phishing warning: Ironically, the page includes a legitimate‑looking warning about fake emails and SMS, copied from the real bank. Attackers use this to appear credible, but it is displayed on a phishing page.
  • Copied content and branding: The page copies La Banque Postale’s menus, COVID‑19 notices, and social media links. This content is stolen from the real website.

What to do if you encounter this:

  • Do not click any buttons or enter your identifier or password.
  • If you are a La Banque Postale customer, always access online banking by typing labanquepostale.fr directly into your browser or using the official mobile app.
  • If you have already entered your credentials, contact La Banque Postale immediately to change your access codes and secure your account.
  • Report the phishing page to La Banque Postale’s fraud team (e.g., [email protected]).

Protective measures:

  • Bookmark the official La Banque Postale login page and use that bookmark.
  • Use a password manager – it will not autofill on fake domains.
  • Enable two‑factor authentication (Certicode Plus) through the official app.
  • Be suspicious of any unsolicited message that creates urgency, threatens account deactivation, and asks you to log in via a link.
  • Check the URL carefully – look for misspellings, extra words, or unusual top‑level domains.
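
The URL checks recommended throughout these analyses can be automated when triaging a reported link. The following is an added example, not code from the original page: it matches the hostname against the official domains named above on a label boundary (the same exact-domain rule that stops a password manager from autofilling on a fake site) and reports the red flags described in the sections above. The flag names, the functions `under` and `triage`, and all sample URLs except the hostname ap-webappsnetto27.cloudns.cl are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Official domains named in the analyses above, keyed by brand keyword.
OFFICIAL = {
    "orange": "orange.fr",
    "amazon": "amazon.com",
    "facebook": "facebook.com",
    "credit-agricole": "credit-agricole.fr",
    "labanquepostale": "labanquepostale.fr",
}
# Parent domains the phishing pages above were hosted under.
SHARED_PARENTS = ("uflorist.pro", "cloudns.cl")

def under(host, domain):
    """True if host is domain or one of its subdomains (label-boundary match)."""
    return host == domain or host.endswith("." + domain)

def triage(url):
    """Return the red flags raised by a URL that claims to be a login page."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    flags = []
    if parts.scheme != "https":
        flags.append("not-https")              # browser shows "Not secure"
    if parts.username is not None:
        flags.append("userinfo-in-url")        # text before '@' is not the host
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-label")         # possible look-alike characters
    if any(under(host, d) for d in OFFICIAL.values()):
        return flags
    flags.append("not-official-domain")
    flags += [f"brand-in-host:{b}" for b in OFFICIAL if b in host]
    flags += [f"shared-parent:{p}" for p in SHARED_PARENTS if under(host, p)]
    return flags

# Constructed sample URLs; only ap-webappsnetto27.cloudns.cl appears on the page.
SAMPLES = [
    "https://www.orange.fr/",
    "http://orange-mail.uflorist.pro/login",
    "https://ap-webappsnetto27.cloudns.cl/signin",
    "https://www.amazon.com@ap-webappsnetto27.cloudns.cl/",
    "https://credit-agricole.fr.example.net/",
    "https://notorange.fr/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", triage(url) or "no flags")
```

An empty result only means none of these checks fired; a brand name placed in front of another domain (credit-agricole.fr.example.net) or glued to it (notorange.fr) is still rejected because the match is made on whole labels from the right.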