free.fr phishing group: badware #22765

Closed
10 of 11 tasks
orbotimn75 opened this issue Mar 5, 2024 · 26 comments

Comments

@orbotimn75

orbotimn75 commented Mar 5, 2024

Prerequisites

  • This is NOT a YouTube, Facebook or Twitch report. These sites MUST be reported by clicking their respective links.
  • I read and understand the policy about what is a valid filter issue.
  • I verified that this issue is not a duplicate. (Use this button to find out.)
  • I did not remove any of the default filter lists, or I have verified that the issue was not caused by removing any of the default lists.
  • I did not enable additional filter lists, or I have verified that the issue still occurs without enabling additional filter lists.
  • I do not have custom filters/rules, or I have verified that the issue still occurs without custom filters/rules.
  • I am not using uBlock Origin along with other content blockers.
  • I have verified that the web browser's built-in blocker or DNS blocking (standalone or through a VPN) is not causing the issue.
  • I have verified that other extensions are not causing the issue.
  • If this is about a breakage or detection, I have verified that it is caused by uBlock Origin and isn't a site issue.
  • I did not answer truthfully to ALL the above checkboxes.

URL address of the web page

https://espacefidelitefree.fr/

Category

badware

Description

This site https://espacefidelitefree.fr/ is a phishing campaign against Free mobile customers.

The legitimate page can be found at : https://mobile.free.fr/

Other extensions used

none

Screenshot(s)

Screenshot(s)

Configuration

uBlock Origin: 1.56.0
Firefox: 123
filterset (summary):
 network: 135955
 cosmetic: 52462
 scriptlet: 18976
 html: 1739
listset (total-discarded, last-updated):
 default:
  user-filters: 10-1, never
  ublock-filters: 37378-181, 27m Δ
  ublock-badware: 7750-14, 27m Δ
  ublock-privacy: 739-0, now
  ublock-unbreak: 2293-0, 27m Δ
  easylist: 82229-915, 27m Δ
  easyprivacy: 50327-1064, 27m Δ
  urlhaus-1: 4165-0, now
  plowe-0: 3779-1, now
  FRA-0: 22821-110, now
  ublock-quick-fixes: 142-1, 27m Δ
filterset (user): [array of 10 redacted]
trustedset:
 added: [array of 25 redacted]
 removed:
  about-scheme
switchRuleset:
 added: [array of 2 redacted]
userSettings: [none]
hiddenSettings: [none]
supportStats:
 allReadyAfter: 1292 ms (selfie)
 maxAssetCacheWait: 153 ms
 cacheBackend: indexedDB
popupPanel:
 blocked: 0
ItsProfessional changed the title from "espacefidelitefree.fr: [unknown]" to "espacefidelitefree.fr: badware" on Mar 5, 2024
@iam-py-test
Contributor

It seems they are using shopflarehub.com for their payments: https://tria.ge/240305-2bg53abb8x/behavioral1 (CloudFlared). It appears to be malicious and is detected by 10 security vendors on VirusTotal.
Thank you

mapx- added a commit that referenced this issue Mar 8, 2024
Co-authored-by: mapx <10303732+mapx-@users.noreply.github.com>
@orbotimn75
Author

New phishing site http://mobile.i-free.fr

The legitimate page can be found at : https://mobile.free.fr/

@stephenhawk8054
Member

http://mobile.i-free.fr/

Hmm... The link returns 403 error for me


Same as https://www.gatekeeperapp.net/gatekeeper/https%3A%2F%2Fwww.gatekeeperapp.net%2Fgatekeeper%2Fhttps%253A%252F%252F5qin.muelo.fr%252F, it redirects to https://5qin.muelo.fr/ which returns 403 too.

@orbotimn75
Author

orbotimn75 commented Mar 14, 2024

If you are a Free mobile customer, this is what appears when you click on the link:

[Screenshot: Screenshot_20240314-121129_Firefox]

stephenhawk8054 added a commit that referenced this issue Mar 14, 2024
@orbotimn75
Author

phishing site https://free-mobil.hubside.fr/

The legitimate page can be found at : https://zimbra.free.fr/ or https://webmail.free.fr/ or https://mobile.free.fr/

stephenhawk8054 added a commit that referenced this issue Mar 18, 2024
@orbotimn75
Author

phishing site https://web-mail-free-org.hubside.fr/

The legitimate page can be found at : https://zimbra.free.fr/ or https://webmail.free.fr/

@stephenhawk8054
Member

Hmm... Is the whole domain hubside.fr a phishing domain? If so, we can block the whole domain instead of each subdomain.

stephenhawk8054 added a commit that referenced this issue Mar 20, 2024
@orbotimn75
Author

solution@hubside.com suggests using the abuse form below, but it doesn't seem very effective :

Thank you for your email.
To process your request, please fill in the dedicated form here

@ItsProfessional
Member

Hmm... Is the whole domain hubside.fr a phishing domain? If so, we can block the whole domain instead of each subdomain.

6b0971d#commitcomment-138936944

ItsProfessional changed the title from "espacefidelitefree.fr: badware" to "free.fr phishing group: badware" on Mar 21, 2024
@orbotimn75
Author

new phishing from domain hubside.fr => https://free-service.hubside.fr/

The legitimate page can be found at : https://zimbra.free.fr/ or https://webmail.free.fr/

stephenhawk8054 added a commit that referenced this issue Mar 22, 2024
@orbotimn75
Author

orbotimn75 commented Mar 25, 2024

Phishing from domain https://www.hubside.com/ =>

https://freezimail.hubside.fr/
https://zimbrafreemail.hubside.fr/
https://zimbra-inbox.hubside.fr/
https://free-mobile241.hubside.fr/
https://compte-free.hubside.fr/

The legitimate page can be found at : https://zimbra.free.fr/ or https://webmail.free.fr/

@orbotimn75
Author

phishing site https://pointsfreemobile.com/fr/

The legitimate page can be found at : https://mobile.free.fr/

stephenhawk8054 added a commit that referenced this issue Mar 25, 2024
@orbotimn75
Author

Phishing => https://free-mob2584.hubside.fr/

The legitimate page can be found at : https://zimbra.free.fr/ or https://webmail.free.fr/

stephenhawk8054 added a commit that referenced this issue Mar 27, 2024
@orbotimn75
Author

orbotimn75 commented Mar 28, 2024

stephenhawk8054 added a commit that referenced this issue Mar 28, 2024
@orbotimn75
Author

orbotimn75 commented Mar 28, 2024

ItsProfessional added the "ongoing" label Mar 28, 2024
@ItsProfessional
Member

These phishing sites for free.fr are being created very frequently; keep the issue open.

JobcenterTycoon added a commit that referenced this issue Mar 30, 2024
@orbotimn75
Author

orbotimn75 commented Apr 2, 2024

Phishing :

The legitimate page can be found at : https://zimbra.free.fr/ or https://webmail.free.fr/

JobcenterTycoon added a commit that referenced this issue Apr 2, 2024
@orbotimn75
Author

phishing site :

https://free-mobi20i2582.hubside.fr/
https://zimbra-free-email.hubside.fr/
https://freezimbra.hubside.fr/

The legitimate page can be found at : https://zimbra.free.fr/ or https://webmail.free.fr/ or https://mobile.free.fr/

iam-py-test added a commit to iam-py-test/my_filters_001 that referenced this issue Apr 3, 2024
JobcenterTycoon added a commit that referenced this issue Apr 3, 2024
@JobcenterTycoon
Contributor

Do you work for free.fr and from where do you get all the domains?

@orbotimn75
Author

Yes, I work for free.fr; these come from free.fr users and subscribers who send us the phishing emails they received. You can see an example below:

INFO MAIL

Dear Zimbra User,

Zimbra informs you that your account will be deactivated in accordance with the regulations if you do not confirm your login ID.
Because after the date of Monday, April 1, 2024, your account will be locked.

Log in by clicking the button below:

Reactivate my account
Thank you for your trust

@orbotimn75
Author

phishing :

shortlink https://appurl.io/kJA_ItlhkW redirects to https://web0mail.hubside.fr/

JobcenterTycoon added a commit that referenced this issue Apr 4, 2024
iam-py-test added a commit to iam-py-test/my_filters_001 that referenced this issue Apr 4, 2024
@orbotimn75
Author

Phishing : https://free-mobile0021547.hubside.fr/

The legitimate page can be found at : https://zimbra.free.fr/ or https://webmail.free.fr/

JobcenterTycoon added a commit that referenced this issue Apr 5, 2024
iam-py-test added a commit to iam-py-test/my_filters_001 that referenced this issue Apr 6, 2024
JobcenterTycoon added a commit that referenced this issue Apr 10, 2024
@orbotimn75
Author

New phishing sites from domain hubside.fr/

https://freema.hubside.fr/

https://free-zimbra.hubside.fr/

https://free-mobile1540478.hubside.fr/

https://freewebzim.hubside.fr/

http://acceder-a-mon-free.hubside.fr/

The legitimate page can be found at : https://zimbra.free.fr/ or https://webmail.free.fr/ or https://subscribe.free.fr/login/

JobcenterTycoon added a commit that referenced this issue Apr 16, 2024
@orbotimn75
Author

phishing site from domain hubside.fr/

https://my-acount-free.hubside.fr/

The legitimate page can be found at : https://zimbra.free.fr/ or https://webmail.free.fr/ or https://subscribe.free.fr/login/

JobcenterTycoon added a commit that referenced this issue Apr 18, 2024
JobcenterTycoon removed the "ongoing" label May 24, 2024

5 participants