Decision for dispute CAC-UDRP-105624

The Panel is not aware of any other legal proceedings which are pending or decided and relate to the disputed domain name.

The Complainant relies on the following EU trademark, for which it has adduced evidence of registration and validity: No. 001758614 "BOURSORAMA", registered on 19 October 2001 in Nice Classification List Classes 9, 16, 35, 36, 38, 41 and 42.

According to proof adduced by the Complainant, it is the registrant of the domain name <boursorama.com>, registered on 1 March 1998. The Complainant also asserts that it is the registrant of other domain names without, however, adducing proof of them.

The Respondent registered the disputed domain name <web-login-clients-boursorama.com> on 10 July 2023, according to the Registrar Verification obtained by the CAC Case Administrator.

The Complainant, Boursorama, is a French company that is a pioneer and leader in its three core business areas: online brokerage, online financial information, and online banking. The Complainant has close to 5 million customers in France for online banking, making it the point of reference for this service nationally. Its retail stock exchange brokerage service extends to over 600,000 accounts.

The Complainant has adduced screenshot evidence to show that the disputed domain name is used for phishing. Specifically, the disputed domain name resolves to a login page that copies content from the Complainant’s official customer access page. The Respondent's login page could thus be used as a means to collect personal information from the Complainant’s unwitting clients.

COMPLAINANT:

The disputed domain name is confusingly similar to its trademark BOURSORAMA and the domain names associated with this brand. Indeed, the disputed domain name includes the Complainant's trademark in its entirety. Addition of the generic terms "WEB", “LOGIN” and “CLIENT” and the technical extension <.com> do not reduce such confusing similarity, given the impression created by their connection to "BOURSORAMA" in the disputed domain name.

No licence or authorization has been granted to the Respondent to make any use of the Complainant’s trademark, including by applying for registration of the disputed domain name. The Complainant asserts that the Respondent is not known as the disputed domain name.

The Respondent’s website cannot be considered a bona fide offering of services or an instance of fair use, since the website can serve only to mislead internet users into believing they are accessing the Complainant’s website.

It is reasonable to infer that the Respondent has registered the domain name with full knowledge of the Complainant's trademark and with the purpose of using it for a phishing scheme, as is demonstrated by the evidence the Complainant has adduced. The Respondent is thereby attempting in bad faith to attract, for commercial gain, internet users to its website through creating a likelihood of confusion with the Complainant's trademark.

RESPONDENT: NO ADMINISTRATIVELY COMPLIANT RESPONSE HAS BEEN FILED.

The Complainant has, to the satisfaction of the Panel, shown that the disputed domain name is identical or confusingly similar to trademarks in which the Complainant has rights (within the meaning of paragraph 4(a)(i) of the Policy).

The Complainant has, to the satisfaction of the Panel, shown the Respondent to have no rights or legitimate interests in respect of the disputed domain name (within the meaning of paragraph 4(a)(ii) of the Policy).

The Complainant has, to the satisfaction of the Panel, shown that the disputed domain name has been registered and is being used in bad faith (within the meaning of paragraph 4(a)(iii) of the Policy).

1. Language of the proceeding

The details contained in the Registrar Verification obtained by the CAC Case Administrator state that the language of the registration agreement for the disputed domain name is French. According to Paragraph 11(a) of the UDRP Rules the language of this proceeding must therefore in principle be French.

The Complainant nevertheless entered a request to change the proceeding's language on 18 July 2023, in which it contended that "the English language is the language most widely used in international relations and is one of the working languages of the Center" and that the disputed domain name "includes the [E]nglish terms 'WEB', 'LOGIN' and 'CLIENTS'".

Upon its appointment, the Panel reviewed the Complainant's request and issued an Interim Decision on 16 August 2023. It rejected both of the Complainant's arguments as being without foundation but, applying the terms of Paragraph 11(a) of the UDRP Rules, paid regard to the circumstances of the case as revealed by its scrutiny of the Case File. The Panel noted in particular the Respondent's use of a clear alias "Kyks" and its provision of manifestly false postal address details, which in turn placed the validity of the registration agreement itself in doubt. With respect to the phrasing of the disputed domain name itself, it found that the alias "Kyks" seemed significant in view of its correspondence in English to a specialist internet security-related abbreviation, namely for "Key signing keys". Yet, since any relation between the alias and that abbreviation could amount to no more than conjecture, the Panel issued its Interim Decision to change this proceeding's language to English on a provisional basis only, pending any objection made to it by the Respondent within a period of five days.

The Interim Decision issued on 16 August 2023 wassolely in French in view of the language of the registration agreement.

No objection was received from the Respondent. The Interim Decision's change of language thus became effective after expiry of the five-day period allowed to the Respondent, i.e. from 22 August 2023.

2. Résumé of contentions

The Panel notes that its résumé of the Parties' contentions includes for the Complainant only its essential arguments. It is unnecessary in this case's clear factual circumstances to repeat the Complainant's references to various past ADR Panels' Decisions. The Panel equally finds it unnecessary to consider a contention regarding prima facie proof that is redundant in the circumstances of this proceeding.

3. Conclusion

Taking account of the above, the Panel is satisfied that all procedural requirements under the UDRP are met in this proceeding and that there is no other reason why it would be inappropriate to provide a decision.

This case involves a clear instance of phishing, which the European Union Agency for Cybersecurity defines in its glossary  (https://www.enisa.europa.eu/topics/incident-response/glossary?tab=articles) as being "means to persuade potential victims into divulging sensitive information such as credentials, or bank and credit card details" and as involving "a combination of social engineering and deception", usually conducted via "malicious Web sites, email messages, or instant messages, appearing to be from a legitimate source such as a bank, or a social network".

The Complainant has adduced compelling evidence and presented credible contentions that bring the Respondent's conduct with respect to the disputed domain name within this definition. The Respondent registered the disputed domain name in a form that purports to be for a web login procedure related to the Complainant and has published a web page associated with the disputed domain name which serves no other function than to trick unsuspecting customers into believing that they have arrived at a place where they should enter their login details for the Complainant.

For the purposes of the UDRP cumulative three-part test:

• the Complainant has had no difficulty in demonstrating its own rights and the confusing similarity of the disputed domain name with its protected brand name, this being the dominant element in the disputed domain name due to the Respondent having placed it directly before the <.com> extension;
• the demonstrated fact of the Respondent's phishing -- by using the disputed domain name's client web login descriptor in conjunction with a close imitation of the Complainant's own login page -- excludes any possibility of the Respondent having any rights or legitimate interest in the disputed domain name;
• the same fact combined with the evident purpose of the disputed domain name's composition at registration fully establishes bad faith registration and use.

The Panel therefore FINDS for the Complainant and ORDERS that the disputed domain name be transferred to it.