She says she is driving from Paris to London this Saturday. Jana has posted a carpool ad on Blablacar. “Is your ride still available?” we ask her. Replying in English, she tells us to contact her on WhatsApp and gives us a phone number with a UK country code. We exchange a few messages there, and then she sends us a link to a site that imitates Blablacar’s, where we are asked to pay for our journey… The journey will never take place, and for good reason: Jana does not exist. Whoever is behind the profile has only one aim: stealing money.
Valentin Hamon-Beugin, a journalist at L’Usine nouvelle, was also (almost) taken in. In a long thread of tweets posted on Friday, shared several thousand times since, he recounted his misadventure. “I had to get back to the north, but my train was cancelled because of the storm, so I had to find a replacement and I took a carpool,” he explains. He takes a train, “but it is cancelled”. The “driver” contacts him on WhatsApp: “She explains to me that Blablacar gave her a link so that I can still confirm the trip. I click, I open the link and I enter my information right up to payment…” That is when he smelled the trap: the bank’s confirmation message asked him to approve a payment… in Belarusian roubles.
Innocently, I click on the link, and there I come across a page that looks exactly like Blablacar. Innocently (once more), I fill in the requested information, and I proceed to payment. I am then redirected to a page where I am asked for my credit card code pic.twitter.com/ZIX1LNGYUc
— Valentin Hamon-Beugin (@BeuginHamon) February 18, 2022
This is not the first time such scams have been publicized. Last November, many similar accounts were already being published and picked up by the media. “These are cases which remain rare and which we are able to detect and block quickly, as soon as suspicious behavior is detected or a member reports it to us”, a Blablacar spokesperson said on Saturday, playing down the problem.
Near-perfect phishing
What is really going on? A carpool ad is first posted on the Blablacar platform from a fake profile. The victim is interested in the trip and books it, only to see it cancelled shortly afterwards… Blablacar’s system, as designed, has nevertheless let the fraudster obtain the victim’s telephone number in order to contact them. Blaming the cancellation on a technical problem on Blablacar’s side, the scammer sends a link to a site that imitates the platform, and the victim is invited to pay… The victim believes the carpool has been paid for, but the site is only a copy and the money goes… to the scammer. This kind of “phishing” attempt (hameçonnage, in proper French) is not uncommon on the Internet, and many companies have to deal with it.
Although Blablacar says it can “detect and block quickly” these fake profiles, it took us only a few minutes to find Jana. A “member” since February 2022, she has 10 published trips but 0 reviews. It is hard to know how many fake profiles are on the platform, but a quick tour of Blablacar let us identify, in a few minutes, close to a dozen profiles resembling Jana’s (a recent registration, no reviews and many trips) on various routes.
Blablacar insists, and urges its users to “look at the profile of the carpooler with whom you plan to travel” before booking. The platform also encourages you to “always book and pay directly” on its site. “If a driver asks you to pay via a link on WhatsApp, by SMS or anywhere other than on the Blablacar platform, it may be a phishing attempt: in this case, you must refuse and inform Blablacar”, the company explains. Given the risk of users being scammed, the carpooling platform has reinforced its messaging about the “risks associated with payments outside the platform”.
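The two warning signs the article describes, a profile that is new, has no reviews and many published trips, and a payment link that leads away from the platform, can be turned into simple checks. The following Python script is an added example written for this page; it is not code from the article or from Blablacar. The day thresholds, the list of legitimate platform domains, the sample profiles and the chat messages are all assumptions constructed for the example (the article only gives Jana’s own figures: a February 2022 registration, 10 trips, 0 reviews).

```python
import re
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlsplit

# --- Red flag 1: the profile pattern described in the article -----------------

@dataclass
class Profile:
    name: str
    member_since: date
    trips_published: int
    reviews: int

# Thresholds are assumptions: the article gives no numbers beyond Jana's own.
RECENT_DAYS = 60   # registered within the last two months counts as "recent"
MANY_TRIPS = 5     # five or more published trips counts as "many"

def profile_red_flags(p: Profile, today: date) -> list[str]:
    """Return whichever of the article's three indicators apply to a profile."""
    flags = []
    if (today - p.member_since).days <= RECENT_DAYS:
        flags.append("recent registration")
    if p.reviews == 0:
        flags.append("no reviews")
    if p.trips_published >= MANY_TRIPS:
        flags.append("many published trips")
    return flags

def matches_fake_pattern(p: Profile, today: date) -> bool:
    """All three indicators at once: the combination the reporters found on Jana and similar profiles."""
    return len(profile_red_flags(p, today)) == 3

# --- Red flag 2: a payment link that leaves the platform -----------------------

# Assumed legitimate hosts; the article only says to pay "on its site".
PLATFORM_DOMAINS = ("blablacar.fr", "blablacar.com")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def is_platform_url(url: str) -> bool:
    """True only for HTTPS URLs whose host is a platform domain or a subdomain of one.

    Look-alikes such as blablacar-confirm.example or blablacar.fr.evil.example fail,
    and so does user@host trickery, because urlsplit().hostname drops the userinfo part.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in PLATFORM_DOMAINS)

def off_platform_links(message: str) -> list[str]:
    """Every link in a chat message that does not point at the platform."""
    return [u for u in URL_RE.findall(message) if not is_platform_url(u)]

# --- Constructed sample input (not data from the article) ----------------------

TODAY = date(2022, 2, 19)  # the Saturday the article was published
# The day of Jana's registration is assumed; the article only says February 2022.
JANA = Profile("Jana", date(2022, 2, 1), trips_published=10, reviews=0)
REGULAR = Profile("Regular driver", date(2018, 5, 3), trips_published=40, reviews=25)

SCAM_MESSAGE = ("Sorry, technical problem on Blablacar's side. They gave me this link so "
                "you can still confirm: https://blablacar-confirm.example/pay/1234")
LEGIT_MESSAGE = "See you Saturday, the booking is here: https://www.blablacar.fr/trip/1234"

if __name__ == "__main__":
    for p in (JANA, REGULAR):
        print(p.name, profile_red_flags(p, TODAY), "fake pattern:", matches_fake_pattern(p, TODAY))
    for m in (SCAM_MESSAGE, LEGIT_MESSAGE):
        print("off-platform links:", off_platform_links(m))
```

The profile check deliberately reports the individual indicators rather than a single verdict, because a new driver with no reviews is normal on its own; it is the combination with a burst of published trips that the reporters used to spot the fake profiles. The link check is strict by design: anything that is not HTTPS on the platform’s own domain is treated as off-platform, which is exactly the rule the company asks its users to apply.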