- KFC and McDonald’s targeted via phishing campaigns.
- Campaigns aimed at the Saudi Arabia, UAE, and Singapore regions.
- Payment details compromised.
- Stolen payment information could lead to financial loss.
- Loss of reputation for the brands being impersonated.
- Be vigilant while providing PII and banking information.
- Identify and report fake domains.
Analysis and Attribution
Information from XVigil
- CloudSEK’s contextual AI digital risk platform XVigil discovered a domain impersonating the Google Play Store and displaying an app named KFC Saudi Arabia 4+.
- This is not an Android app but a browser-based application that installs into Chrome.
- Once the user clicks on the download button, the text on the button changes to “Install”.
- Clicking the “Install” button prompts the user to install the browser application KFC Saudi Arabia 4+.
- After installation, a shortcut for the application is created on the user’s desktop.
- Double-clicking the KFC Saudi Arabia 4+ app opens a Chrome application window that loads the site sa[.]kfc-deliver[.]site, which was down at the time of analysis.
- Google Safe Browsing detected sa[.]kfc-deliver[.]site as a phishing website. (For more information, please refer to the Appendix section.)
Figure: Mind-map diagram explaining the phishing campaign
Information from OSINT
- Upon further investigation, another website pointing to KFC was discovered: kfc-singapore[.]fun.
- This site hosts a sophisticated and elaborate phishing campaign used to steal victims’ payment card details.
Figure: Screenshot of the second phishing website, kfc-singapore[.]fun
- When the victim tries to place an order on the phishing site, they are presented with a pop-up form to fill in their details.
- The form is well designed and offers address suggestions via the Google Maps API as the user fills in their address.
- The site only accepted payment card numbers that pass the Luhn checksum, so that mistyped or made-up card numbers are rejected before submission.
- After submitting the card details, the victim was prompted to provide the One Time Password (OTP) received via SMS.
- After entering the OTP, the victim is taken to another website impersonating McDonald’s, mac-delivery-sau-50-deal[.]top. At the time of writing, the site was inactive.
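The Luhn filter described above is the same mod-10 checksum that defenders use in the opposite direction: a DLP rule or log scanner can flag any 13 to 19 digit run that passes Luhn as a probable card number being submitted to, or exfiltrated from, a site. The following is an added example (not CloudSEK’s code or anything from the phishing kit) that implements the checksum and runs it over constructed, labelled sample log lines; the card numbers in the sample are the widely published test numbers, not real accounts.

```python
import re

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the all-digit string passes the Luhn (mod 10) checksum."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and
    # subtract 9 from any doubled value above 9.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return Luhn-valid 13-19 digit sequences found in text, separators stripped."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, as a DLP alert would."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample: fake form-submission log lines. The two numbers that
# pass are the public test numbers 4111... and 3782...; the 4111...1112 line
# has a broken checksum and must be ignored.
SAMPLE_LOG = (
    "POST /order card=4111 1111 1111 1111 otp=123456\n"
    "POST /order card=4111-1111-1111-1112 otp=654321\n"
    "POST /order card=378282246310005 otp=111111\n"
)


def scan_log(text: str = SAMPLE_LOG) -> list[str]:
    """Return masked PANs found in the given log text."""
    return [mask_pan(p) for p in find_card_numbers(text)]


if __name__ == "__main__":
    for hit in scan_log():
        print("possible card number submitted:", hit)
```

Luhn only proves a number is well formed, so a scanner like this will also match some phone or account numbers; in practice the hit is combined with context (a `card=` field, a checkout URL) before it raises an alert.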
- Using passive DNS and reverse IP lookups, CloudSEK’s researchers discovered similar domains hosted on the same servers as the site impersonating KFC, sa[.]kfc-deliver[.]site.
Figure: DNS information for kfc-deliver[.]site
- Using passive DNS information for the site mac-delivery-sau-50-deal[.]top, CloudSEK’s researchers discovered that the phishing website was active around July 2021.
- The following domains impersonating McDonald’s were discovered hosted on the same web server during the same time period.
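The passive DNS pivot used above (seed domain, its historical IPs, other domains on those IPs in an overlapping time window) can be expressed as a small piece of code. The following is an added example written for this page, not CloudSEK’s tooling; the record format, the `.example` domains and the RFC 5737 documentation IPs are all constructed, and the `max_domains_per_ip` cut-off is an assumed heuristic for ignoring shared hosting and CDN addresses where an IP pivot would be meaningless.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PdnsRecord:
    """One passive DNS observation: domain -> ip, with the window it was seen in."""
    domain: str
    ip: str
    first_seen: date
    last_seen: date


def windows_overlap(a: PdnsRecord, b: PdnsRecord) -> bool:
    return a.first_seen <= b.last_seen and b.first_seen <= a.last_seen


def pivot_on_shared_ips(records, seed_domain, max_domains_per_ip=25):
    """Return {domain: [ips]} for domains that resolved to an IP the seed used,
    in an overlapping time window. IPs carrying more than max_domains_per_ip
    distinct domains are skipped as shared-hosting/CDN noise (assumed cut-off)."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r.ip].append(r)
    related = defaultdict(set)
    for seed in (r for r in records if r.domain == seed_domain):
        peers = by_ip[seed.ip]
        if len({p.domain for p in peers}) > max_domains_per_ip:
            continue
        for p in peers:
            if p.domain != seed_domain and windows_overlap(seed, p):
                related[p.domain].add(p.ip)
    return {d: sorted(ips) for d, ips in sorted(related.items())}


def cluster(records, seed_domain, hops=2, max_domains_per_ip=25):
    """Repeat the pivot from each newly found domain, up to `hops` times,
    and return every domain linked to the seed through shared IPs."""
    seen = {seed_domain}
    frontier = [seed_domain]
    for _ in range(hops):
        nxt = []
        for d in frontier:
            for found in pivot_on_shared_ips(records, d, max_domains_per_ip):
                if found not in seen:
                    seen.add(found)
                    nxt.append(found)
        frontier = nxt
    return sorted(seen - {seed_domain})


# Constructed data set: placeholder domains under .example and documentation
# IP ranges (RFC 5737); none of it is the infrastructure from the report.
RECORDS = [
    PdnsRecord("brand-deliver.example", "203.0.113.10", date(2021, 6, 20), date(2021, 8, 2)),
    PdnsRecord("brand-singapore.example", "203.0.113.10", date(2021, 7, 1), date(2021, 8, 15)),
    PdnsRecord("brand2-50-deal.example", "203.0.113.10", date(2021, 7, 3), date(2021, 7, 30)),
    PdnsRecord("brand2-50-deal.example", "192.0.2.33", date(2021, 7, 10), date(2021, 7, 25)),
    PdnsRecord("brand3-offer.example", "192.0.2.33", date(2021, 7, 12), date(2021, 8, 1)),
    PdnsRecord("stale-tenant.example", "203.0.113.10", date(2019, 1, 1), date(2019, 3, 1)),
    PdnsRecord("other.example", "198.51.100.7", date(2021, 7, 1), date(2021, 8, 1)),
]

if __name__ == "__main__":
    print(pivot_on_shared_ips(RECORDS, "brand-deliver.example"))
    print(cluster(RECORDS, "brand-deliver.example", hops=2))
```

The time-window check is what keeps `stale-tenant.example` out of the result: it shared the seed’s IP years earlier and says nothing about the 2021 campaign. The second hop picks up `brand3-offer.example`, which never shared an IP with the seed but did with a domain found in the first hop.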
Impact & Mitigation
- Compromised payment card information can lead to financial loss.
- Data collected can be sold on the dark web for monetary gain.
- Loss of revenue and reputation of the brands being impersonated.
- The PII and card details shared by the victims can be exploited to conduct:
  - Social engineering attacks
  - Banking frauds
  - Identity thefts
- Users should be vigilant while visiting sites and submitting their PII and banking information.
- Identify and report domains impersonating brand names and trademarks.
- Create an inclusive awareness campaign to educate customers about the organization’s processes.
- Create awareness among customers regarding malicious URLs.
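Identifying domains that impersonate a brand, as recommended above, is usually done by scoring newly registered or newly observed domains against brand keywords and the traits seen in this campaign (lure words such as “deliver” or “deal”, cheap TLDs like .site, .fun and .top, long hyphenated names with digits). The following is an added example written for this page, not CloudSEK’s XVigil logic; the token lists, weights, threshold and the `.example` allowlist are all assumed configuration, and the domains in the test are the defanged indicators from the report.

```python
import re

# Assumed configuration for illustration. Brand tokens include lookalike
# spellings so that near-miss names are caught as well.
BRAND_TOKENS = ("kfc", "mcdonald", "macdonald", "mcdelivery", "mac-deliver")
LURE_TOKENS = ("deliver", "delivery", "deal", "offer", "promo", "order", "gift")
RISKY_TLDS = {"site", "fun", "top", "xyz", "club", "icu"}
# Placeholder allowlist standing in for the brands' legitimate domains.
ALLOWLIST = {"kfc.example", "mcdonalds.example"}


def normalise(indicator: str) -> str:
    """Refang defanged notation ('kfc[.]com' -> 'kfc.com') and lower-case."""
    return indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")


def score_domain(indicator: str):
    """Return (score, reasons) describing how strongly a domain looks like brand impersonation."""
    fqdn = normalise(indicator)
    labels = fqdn.split(".")
    if len(labels) < 2:
        return 0, []
    if ".".join(labels[-2:]) in ALLOWLIST:
        return 0, []                      # the brand's own domain
    tld = labels[-1]
    name_part = ".".join(labels[:-1])     # everything left of the TLD
    if not any(b in name_part for b in BRAND_TOKENS):
        return 0, []                      # only domains referencing a monitored brand are scored
    score, reasons = 3, ["brand token"]
    if any(l in name_part for l in LURE_TOKENS):
        score += 1
        reasons.append("lure word")
    if tld in RISKY_TLDS:
        score += 2
        reasons.append("risky TLD")
    if name_part.count("-") >= 2:
        score += 1
        reasons.append("many hyphens")
    if re.search(r"\d", name_part):
        score += 1
        reasons.append("digits in name")
    return score, reasons


def triage(indicators, threshold=5):
    """Return [(domain, score, reasons)] at or above the threshold, highest score first."""
    hits = []
    for ind in indicators:
        s, why = score_domain(ind)
        if s >= threshold:
            hits.append((normalise(ind), s, why))
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    for domain, s, why in triage(["kfc.example", "kfc-singapore[.]fun",
                                  "sa[.]kfc-deliver[.]site",
                                  "mac-delivery-sau-50-deal[.]top"]):
        print(f"{domain}: score {s} ({', '.join(why)})")
```

A scorer like this is a triage filter, not a verdict: domains above the threshold are queued for a human or for the Safe Browsing / passive DNS checks described earlier, and confirmed ones are reported to the registrar and added to blocklists.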
Appendix
Figure: Google Play Store lookalike displaying an app named KFC Saudi Arabia 4+
Figure: KFC Saudi Arabia 4+ application installed in the Chrome browser
Figure: Site being detected by Google Safe Browsing as a phishing site
Figure: kfc-singapore[.]fun site providing address suggestions using the Google Maps API
Figure: kfc-singapore[.]fun site only accepting valid payment card details
Figure: OTP confirmation message on the kfc-singapore[.]fun site