WIPO Arbitration and Mediation Center
ADMINISTRATIVE PANEL DECISION
Sodexo v. WhoisGuard Protected, WhoisGuard, Inc. / Gabriella Garlo
Case No. D2020-2706
1. The Parties
The Complainant is Sodexo, France, represented by Areopage, France.
The Respondent is WhoisGuard Protected, WhoisGuard, Inc, Panama, / Gabriella Garlo, Brazil.
2. The Domain Name and Registrar
The disputed domain name <sodexo.careers> is registered with NameCheap, Inc. (the “Registrar”).
3. Procedural History
The Complaint was filed with the WIPO Arbitration and Mediation Center (the “Center”) on October 15, 2020. On October 16, 2020, the Center transmitted by email to the Registrar a request for registrar verification in connection with the disputed domain name. On October 16, 2020, the Registrar transmitted by email to the Center its verification response disclosing registrant and contact information for the disputed domain name which differed from the named Respondent and contact information in the Complaint. The Center sent an email communication to the Complainant on October 20, 2020, providing the registrant and contact information disclosed by the Registrar, and inviting the Complainant to submit an amendment to the Complaint. The Complainant filed an amended Complaint on October 21, 2020.
The Center verified that the Complaint together with the amended Complaint satisfied the formal requirements of the Uniform Domain Name Dispute Resolution Policy (the “Policy” or “UDRP”), the Rules for Uniform Domain Name Dispute Resolution Policy (the “Rules”), and the WIPO Supplemental Rules for Uniform Domain Name Dispute Resolution Policy (the “Supplemental Rules”).
In accordance with the Rules, paragraphs 2 and 4, the Center formally notified the Respondent of the Complaint, and the proceedings commenced on November 2, 2020. In accordance with the Rules, paragraph 5, the due date for Response was November 22, 2020. The Respondent did not submit any response. Accordingly, the Center notified the Respondent’s default on December 15, 2020.
The Center appointed Dr. Clive N.A. Trotman as the sole panelist in this matter on December 21, 2020. The Panel finds that it was properly constituted. The Panel has submitted the Statement of Acceptance and Declaration of Impartiality and Independence, as required by the Center to ensure compliance with the Rules, paragraph 7.
4. Factual Background
The Complainant is a French company founded originally under the name Sodexho Alliance in 1966, which was changed to Sodexo in 2008. The Complainant specialises in foodservices and facilities management. Its scale is illustrated by having 470,000 employees serving 100 million consumers in 67 countries, with a total revenue in the 2019 financial year of some EUR 22 billion.
The Complainant holds registered trademarks in 67 countries world-wide for SODEXO, either as a text word mark, or stylised, or in combination with other words. The following trademarks are representative for the purposes of the present proceeding:
SODEXO, stylised, International Trademark, registered January 8, 2008, registration number 964615, in classes 9, 16, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44 and 45;
SODEXO, stylised, Brazil, registered March 17, 2015, registration number 829531874, in class 9 (with simultaneous trademark registrations in classes 9, 16, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44 and 45);
SODEXO, with design, Panama, registered December 12, 2007, registration number 167186-01, in class 9.
The Complainant also owns and uses for promotional purposes a number of domain names incorporating its trademarks including particularly <sodexo.com>, <uk.sodexo.com>, <sodexoprestige.co.uk>, <sodexo.fr>, <sodexoca.com>, <sodexousa.com>, <cn.sodexo.com>, <sodexho.fr>, and <sodexho.com>.
No background information is available about the Respondent except for such contact details as were provided for the purposes of registration of the disputed domain name on September 23, 2020. The disputed domain name has been used to redirect Internet users to a webpage engineered to freeze the user’s computer, with a demand to call a telephone number within five minutes to prevent the computer from being disabled.
5. Parties’ Contentions
The Complainant contends that it has been the owner of numerous registered trademarks for SODEXO worldwide since 2008 and that it is well known internationally. The Complainant says the disputed domain name <sodexo.careers> comprises its registered trademark with the addition of the generic Top-Level Domain (“gTLD”) “.careers”, and is therefore identical or confusingly similar to the Complainant’s trademark.
The Complainant further contends that the Respondent has no rights or legitimate interests in respect of the disputed domain name. The Respondent does not have any affiliation or other connection with the Complainant and has not been permitted in any way by the Complainant to register or use the disputed domain name.
The Complainant also contends that the disputed domain name was registered and is being used in bad faith. The trademark SODEXO is an invented word so well known internationally that the Respondent most likely had actual knowledge of the trademark at the time of registration of the disputed domain name, indicating registration in bad faith. The Respondent has intended to create confusion with the Complainant’s trademark in order to mislead third parties for some purpose profitable to the Respondent.
The Complainant says the disputed domain name appears to be in use for the purpose of disseminating malicious code, or malware. An attempt to visit the website of the disputed domain name has led to a notice being displayed on the visitor’s computer screen. The notice, in French, purported to be a Windows operating system warning to the effect that the computer had been disable by some unspecified infection and that unless a particular telephone number was called within five minutes, extensive and sensitive data could be compromised. At the same time, the computer was rendered uncontrollable, by a malicious technique known as mouse-trapping, and the notice could not be removed. When the requested telephone number was called, the operator tried to get the computer user to insert a code that would have given control of the computer to the telephone operator.
The Complainant says its reputation would be tarnished if visitors wishing to contact the Complainant were compromised by the malicious website instead, amounting to bad faith on the part of the Respondent.
The Complainant submits that the Respondent’s use of a privacy service to conceal its identity, until divulged by the Registrar for the purposes of this proceeding, is further indicative of the Respondent’s bad faith in the circumstances.
The Complainant has cited previous cases under the Policy that it considers supportive of its position.
The Complainant requests the transfer of the disputed domain name.
The Respondent did not reply to the Complainant’s contentions.
6. Discussion and Findings
Paragraph 4(a) of the Policy states that the Respondent is required to submit to a mandatory administrative proceeding in the event that the Complainant asserts to the applicable dispute-resolution provider, in compliance with the Rules, that:
“(i) your domain name is identical or confusingly similar to a trademark or service mark in which the complainant has rights; and
(ii) you have no rights or legitimate interests in respect of the domain name; and
(iii) your domain name has been registered and is being used in bad faith”.
The Complainant has made the relevant assertions as required by the Policy. The dispute is properly within the scope of the Policy and the Panel has jurisdiction to decide the dispute.
A. Identical or Confusingly Similar
The Panel has perused the trademark documentation produced by the Complainant and is satisfied that the Complainant has rights in the trademark SODEXO as required under paragraph 4(a)(i) of the Policy.
In order to establish identity or confusing similarity between a disputed domain name and a trademark under paragraph 4(a)(i) of the Policy, only an objective comparison is required. Considerations such as the relative registration dates, and the reputation attaching to the Complainant’s trademark, if in issue, are considered later. The disputed domain name is <sodexo.careers>, of which the gTLD “.careers” need not necessarily be taken into account in the assessment of confusing similarity. The operative element of the disputed domain name, “sodexo”, is found to be identical to the Complainant’s trademark, typographical case being inconsequential for domain name purposes. Accordingly the Panel finds for the Complainant under paragraph 4(a)(i) of the Policy.
B. Rights or Legitimate Interests
The Complainant has stated a prima facie case to the effect that it does not have any relationship with the Respondent, and that the Respondent has no rights or legitimate interests in respect of the disputed domain name.
Paragraph 4(c) of the Policy provides for the Respondent to contest the Complainant’s prima facie case under paragraph 4(a)(ii) of the Policy and to establish rights or legitimate interests in a disputed domain name by demonstrating, without limitation:
“(i) before any notice to you of the dispute, your use of, or demonstrable preparations to use, the domain name or a name corresponding to the domain name in connection with a bona fide offering of goods or services; or
(ii) you (as an individual, business, or other organization) have been commonly known by the domain name, even if you have acquired no trademark or service mark rights; or
(iii) you are making a legitimate noncommercial or fair use of the domain name, without intent for commercial gain to misleadingly divert consumers or to tarnish the trademark or service mark at issue”.
The Respondent has made no reply and has not asserted rights or legitimate interests in the disputed domain name in the terms of paragraphs 4(c)(i), (ii) or (iii) of the Policy, or otherwise.
The Panel finds that the Respondent does not have rights or legitimate interests in the disputed domain name and finds for the Complainant under paragraph 4(a)(ii) of the Policy.
C. Registered and Used in Bad Faith
The Complainant must prove under paragraph 4(a)(iii) of the Policy that the disputed domain name has been registered and is being used in bad faith. Paragraph 4(b) of the Policy lists four alternative circumstances that shall be evidence of the registration and use of a domain name in bad faith by a respondent, namely:
“(i) circumstances indicating that you have registered or you have acquired the domain name primarily for the purpose of selling, renting, or otherwise transferring the domain name registration to the complainant who is the owner of the trademark or service mark or to a competitor of that complainant, for valuable consideration in excess of your documented out-of-pocket costs directly related to the domain name; or
(ii) you have registered the domain name in order to prevent the owner of the trademark or service mark from reflecting the mark in a corresponding domain name, provided that you have engaged in a pattern of such conduct; or
(iii) you have registered the domain name primarily for the purpose of disrupting the business of a competitor; or
(iv) by using the domain name, you have intentionally attempted to attract, for commercial gain, Internet users to your web site or other on-line location, by creating a likelihood of confusion with the complainant’s mark as to the source, sponsorship, affiliation, or endorsement of your website or location or of a product or service on your website or location”.
The provisions of paragraph 4(b) of the Policy are without limitation and bad faith may be found alternatively by the Panel.
The Complainant has produced evidence in the form of a screen capture showing that the disputed domain name resolved at that time to a website with a “.php” extension that caused malicious code to be sent to the user’s computer, preventing the mouse or keyboard from functioning, known as mouse-trapping, and effectively locking the computer. A notice appeared on the screen dressed up to appear to be an official notification, bearing the Windows operating system logo, that the computer had been infected. The notice was in French, and the Complainant has provided an uncontested translation. The translated notice stated that various important categories of data “can be compromised: 1. Password 2. Browser history 3. Sensitive information (Credit cards) 4. Files on the hard drive”. The notice said, among other things, “Contact us immediately so that our engineers will guide you through the removal process, by phone. Please call us within the next 5 minutes to prevent your computer from being disabled”. A telephone number was provided, said to be free to call.
The notice contained no mention of payment for unlocking the computer, but is easily recognised as ransomware to which personal computers running under Windows are among those vulnerable. Ransomware comes in various forms, one of which is to induce the computer user to call a telephone number and accept a code that allows the telephone operator to take control of the computer, under the guise of unlocking it, and malicious code is then installed to spy on the user and obtain commercially valuable information such as bank and credit card numbers. That appears to have been the intention in the present instance. Another form of ransomware is for the computer user to have to call a telephone number that connects to a premium-rate number for which the caller’s line is charged a fee per minute, to the benefit of the fraudster, and the caller may be placed on hold for an extended time. Or the computer user may have to send cryptocurrency to an untraceable account in order to receive an unlock code.
On the evidence, it may reasonably be concluded that the purported Windows notice was fake and was delivered together with the malicious code that locked the user’s computer. It is inherently unlikely that the Respondent has gone to the considerable trouble and cost of setting up this operation, with the associated telephone number and operator, and if it existed, any purported provision of guidance for unlocking peoples’ computers, for any other purpose than eventual commercial gain.
It is not necessary to know how the commercial gain was to be achieved in this instance, whether by spying on the computer user’s financial or personal information, by the premium-rate device, by charging to unlock the computer, or by other means. On the totality of the evidence and on the balance of probabilities, it may reasonably be concluded in the terms of paragraph 4(b)(iv) of the Policy that the Respondent has used the disputed domain name, which has been found to be confusingly similar to the Complainant’s well known registered trademark, with intent to attract Internet users to an online location, by confusion as to its source, for commercial gain. Accordingly the Panel finds registration and use of the disputed domain name to have been in bad faith by the Respondent in the terms of paragraph 4(a)(iii) of the Policy.
For the foregoing reasons, in accordance with paragraphs 4(i) of the Policy and 15 of the Rules, the Panel orders that the disputed domain name <sodexo.careers> be transferred to the Complainant.
Dr. Clive N.A. Trotman
Date: January 4, 2021