Scammers don’t take the summer off – be on your guard when buying your Crit’Air sticker.
If you drive your own vehicle in certain regions of France at certain times, you will need to purchase a special ‘clean air sticker’ called Crit’Air or risk facing a fine from the French government. Similar schemes already exist in the UK with the low emission zone in central London, and the sticker to prove you have paid is considerably less than the fine.
A quick Google search will show you the site that supplies Crit’Air stickers, as well as many other sites with guidance the stickers are required for all vehicles entering selected regions of France. Once you have located the official website, it is initially in French but you can see the English and German versions at the hit of a button and then start filling the form out.
Now, this website is not illicit – quite the opposite. Indeed, the problem isn’t the official website; it’s the fact that it’s extremely easy to create an impostor site and heavily promote it and, using some clever SEO tactics, possibly even push it up the Google rankings. In fact, the threat is not purely theoretical and multiple people have reported being ripped off when buying their Crit’Air vignettes from sites that claimed to represent the French government [1, 2, 3, 4].
Compounding things further, the amount of data that the legitimate website requests is rather a lot to give, especially to a site that you may have never heard of, and may be in another language at that.
Holiday makers who are in a hurry to fill out a new form and with few places to check its authenticity could eventually lose their money or data. Scammers could cleverly use this tactic especially when people may think of the vignette as a minor, but necessary, annoyance before setting off on their holiday.
Beware the copycats
The genuine website even states:
You can be sure that you are on the official site if the ministry’s logo is displayed and the site address ends in .gouv.fr.
Beware of intermediaries and fraudulent sites.
But since when did that stop any cybercriminal from copying the logo and changing the wording to match any prefix they choose on the fake? Or use domain names of the form www.certificat-air.gouv.fr.example.com or URLs of the form example.com/www.certificat-air.gouv.fr that rely on less than careful checking by people with less-than-perfect knowledge? Or just remove that small piece of text from the copied site content?
In other words, as a scammer, you do not have to successfully trick every possible victim for your site to successfully make you some quick, and almost free, money. Also, sensitive information is often sold on the dark web and other illicit channels and you should also be aware of secondary phishing email attacks should you have filled in a potentially fraudulent form.
Again, the problem doesn’t lie with the Crit’Air website; it is the fact that cybercriminals continue to copy genuine sites and direct people to fraudulent sites in order to steal their valuable and personal data from right under their fingertips. Furthermore, without knowing it is a scam, people could still be liable for a fine without purchasing the legitimate sticker to drive in France.
How to get your Crit’Air sticker safely
As cybercriminals will pounce on any given opportunity to steal data and money, you need to be very careful before submitting your personal and financial information on any website, doubly so if you visit a website for the first time. In this particular case, it’s probably best to type the URL in by hand, and make sure you type it correctly: certificat-air.gouv.fr.
That should keep you protected. Happy holidaying!
by Jake Moore, ESET