Phishing Campaigns Targeting KFC and McDonald’s

KFC and McDonald’s were targeted via phishing campaigns aimed at Saudi Arabia, the UAE, and Singapore. Payment details have also been compromised.
Updated on
April 19, 2023
Published on
September 30, 2022
Category: Adversary Intelligence Industry: Service Sector Motivation: Financial Region: Global Source*: A2

Executive Summary

Threat
  • KFC and McDonald’s targeted via phishing campaigns.
  • Campaigns aimed at the Saudi Arabia, UAE, and Singapore regions.
  • Payment details compromised.

Impact
  • Stolen payment information could lead to financial loss.
  • Loss of reputation for the brands being impersonated.

Mitigation
  • Be vigilant while providing PII and banking information.
  • Identify and report fake domains.

Analysis and Attribution

Information from XVigil

  • CloudSEK’s contextual AI digital risk platform XVigil discovered a domain impersonating the Google Play Store and displaying an app named KFC Saudi Arabia 4+.
  • This app is not an Android application but a browser-based application for Chrome.
  • Once the user clicks the download button, the text on the button changes to “Install”.
  • Clicking the “Install” button prompts the user to install the browser application KFC Saudi Arabia 4+.
  • After installation, a shortcut for the application is created on the user’s desktop.
  • Double-clicking the KFC Saudi Arabia 4+ app opens a Chrome application window, which loads the site sa[.]kfc-deliver[.]site; the site was down at the time of analysis.
  • Google Safe Browsing detected sa[.]kfc-deliver[.]site as a phishing website. (For more information, please refer to the Appendix section.)

Figure: Mind-map diagram explaining the phishing campaign

Information from OSINT

  • Upon further investigation, another website impersonating KFC was discovered: kfc-singapore[.]fun.
  • This site hosts a sophisticated and elaborate phishing campaign used to steal the card details of the victims.

Figure: Screenshot of the second phishing website, kfc-singapore[.]fun

  • When the victim tries to place an order on the phishing site, they are presented with a pop-up window and asked to fill in their details in a form.
  • The form is well designed and offers users address suggestions, via the Google Maps API, while they fill in their address.
  • The site only accepted payment card details that satisfied the Luhn algorithm, to validate that the cards being submitted were valid.
  • After submitting the card details, the victim was prompted to provide the One Time Password (OTP) received via SMS.
  • After entering the OTP, the victim is taken to another website impersonating McDonald’s, mac-delivery-sau-50-deal[.]top. At the time of writing, the site was inactive.
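The Luhn check the phishing form used to discard junk card numbers is the same mod-10 check a defender can apply when triaging captured form data, exfiltration logs or outbound traffic for real card numbers. This Python example is added here and is not from the report; the submissions are constructed and use well-known test card numbers, not real cards.

```python
import re

# Constructed sample form submissions, standing in for the data a phishing
# kit captures; the numbers are well-known test card numbers, not real cards.
SAMPLE_SUBMISSIONS = [
    "name=A. Customer&card=4111 1111 1111 1111&exp=12/26",
    "name=B. Customer&card=4111-1111-1111-1112&exp=01/27",  # fails Luhn
    "name=C. Customer&card=5555555555554444&exp=03/25",
    "order_id=20220930123456789&total=45.00",                # digits, not a PAN
]

# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right, subtract 9
    from any doubled value above 9, and require a sum divisible by 10."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return masked PANs found in `text` whose digits pass the Luhn check.
    Luhn rejects most digit runs (order IDs, timestamps) that merely look like cards."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            # Keep only the BIN and last four digits, as a DLP alert would.
            found.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return found


def scan_submissions(lines) -> dict:
    """Map each line index to the masked card numbers it leaks; clean lines are omitted."""
    return {i: pans for i, line in enumerate(lines) if (pans := find_card_numbers(line))}
```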

Further Investigation

KFC

Using passive DNS and reverse IP lookups, CloudSEK’s researchers discovered similar domains hosted on the servers used by the site impersonating KFC, sa[.]kfc-deliver[.]site.

Figure: DNS information for kfc-deliver[.]site

McDonald's

  • Using passive DNS information for the site mac-delivery-sau-50-deal[.]top, CloudSEK’s researchers discovered that the phishing website was active around July 2021.
  • The following domains impersonating McDonald’s were found hosted on the same web server during the same period.
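The passive DNS pivot described above, as an added Python example that is not from the report: starting from a seed domain, it lists domains that resolved to the same IP during an overlapping time window and flags those whose names embed a brand token. The seed domain is the one named in the report; all other names, IPs and dates are constructed, and PdnsRecord and BRAND_TOKENS are this example's own definitions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PdnsRecord:
    """One passive DNS observation: domain resolved to ip between the two dates."""
    domain: str
    ip: str
    first_seen: date
    last_seen: date


# Constructed passive DNS data for illustration. The seed domain is the one named
# in the report; every other name, and all IPs and dates, are made up.
PDNS = [
    PdnsRecord("mac-delivery-sau-50-deal.top", "192.0.2.10", date(2021, 7, 1), date(2021, 8, 15)),
    PdnsRecord("mcdelivery-sau-promo.top", "192.0.2.10", date(2021, 7, 5), date(2021, 8, 20)),
    PdnsRecord("unrelated-blog.invalid", "192.0.2.10", date(2021, 6, 1), date(2021, 9, 1)),
    PdnsRecord("mcdelivery-ae-offer.top", "192.0.2.10", date(2022, 1, 1), date(2022, 3, 1)),
    PdnsRecord("kfc-sg-orders.invalid", "198.51.100.7", date(2022, 9, 1), date(2022, 9, 30)),
]

# Brand tokens matching the naming pattern seen in this campaign (assumed list).
BRAND_TOKENS = ("kfc", "mcdelivery", "mac-delivery", "mcdonald")


def overlaps(a: PdnsRecord, b: PdnsRecord) -> bool:
    """True if the two observation windows share at least one day."""
    return a.first_seen <= b.last_seen and b.first_seen <= a.last_seen


def cohosted(records, seed_domain: str) -> list:
    """Domains that shared an IP with the seed while the seed resolved to it.
    The time overlap matters: shared hosting churns, so an IP alone proves little."""
    seeds = [r for r in records if r.domain == seed_domain]
    hits = {r.domain for s in seeds for r in records
            if r.domain != seed_domain and r.ip == s.ip and overlaps(r, s)}
    return sorted(hits)


def impersonation_candidates(records, seed_domain: str, tokens=BRAND_TOKENS) -> list:
    """Co-hosted domains whose names embed a brand token: the ones to verify and report."""
    return [d for d in cohosted(records, seed_domain)
            if any(t in d.lower() for t in tokens)]
```

Co-hosted domains outside the seed's active window (mcdelivery-ae-offer.top here) are deliberately not returned; they need their own pivot before being attributed to the same operator.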

Impact & Mitigation

Impact
  • Compromised payment card information can lead to financial loss.
  • Data collected can be sold on the dark web for monetary gain.
  • Loss of revenue and reputation for the brands being impersonated.
  • The PII and card details shared by the victims can be exploited to conduct:
    • Social engineering attacks
    • Banking fraud
    • Identity theft

Mitigation
  • Users should be vigilant while visiting sites and submitting their PII and banking information.
  • Identify and report domains impersonating brand names and trademarks.
  • Create an inclusive awareness campaign to educate customers about the organization’s processes.
  • Create awareness among customers regarding malicious URLs.

Appendix

Figure: Google Play Store displaying an app named KFC Saudi Arabia 4+
Figure: KFC Saudi Arabia 4+ application installed in the Chrome browser
Figure: Site being detected by Google Safe Browsing as a phishing site
Figure: kfc-singapore[.]fun site providing address suggestions using the Google Maps API
Figure: kfc-singapore[.]fun site only accepting valid payment card details
Figure: OTP confirmation message on the kfc-singapore[.]fun site
