| Category | Industry | Motivation | Region | Source* |
| --- | --- | --- | --- | --- |
| Adversary Intelligence | Service Sector | Financial | Global | A2 |
- CloudSEK’s contextual AI digital risk platform XVigil discovered a domain impersonating the Google Play Store and displaying an app named KFC Saudi Arabia 4+.
- This app is not an Android app; it is a browser-based application for Chrome.
- Once the user clicks on the download button, the text on the button changes to “Install”.
- Clicking the “Install” button prompts the user to install the browser application KFC Saudi Arabia 4+.
- After installation, a desktop shortcut for the same application is created on the user’s desktop.
- Double-clicking the KFC Saudi Arabia 4+ app opens a Chrome application window, which loads the site sa[.]kfc-deliver[.]site; the site appeared to be down at the time of analysis.
- Google Safe Browsing flagged sa[.]kfc-deliver[.]site as a phishing website. (For more information, please refer to the Appendix section.)
- Upon further investigation, another website pointing to KFC was discovered: kfc-singapore[.]fun.
- This site is a sophisticated and elaborate phishing campaign being used to steal the card details of the victims.
- When the victim tries to place an order on the phishing site, they are presented with a pop-up window to fill in their details in the form.
- The form is well designed and offers users address suggestions, via the Google Maps API, while they fill in their address.
- The site only accepted payment card numbers that pass the Luhn (mod 10) check, so that mistyped or obviously fake card numbers are rejected before submission and only plausible card details are harvested.
- After submitting the card details, the victim was prompted to provide the One Time Password (OTP) received on SMS.
- After entering the OTP, the victim is taken to another website impersonating McDonald's, mac-delivery-sau-50-deal[.]top. At the time of writing, the site was inactive.
- Using Passive DNS information for the site: mac-delivery-sau-50-deal[.]top, CloudSEK’s researchers discovered that the phishing website was active around July 2021.
- The following domains impersonating McDonald’s were found to have been hosted on the same web server during the same period.
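The Luhn gate mentioned above is the reason the kit's harvested data contains few junk card numbers. The following is an added example (not CloudSEK's or the phishing kit's code) showing what that check does, run over a few constructed submissions using publicly known test card numbers; `filter_submissions` and the sample records are assumptions for illustration.

```python
# Added example: the Luhn (mod 10) check a phishing kit uses to discard
# mistyped or obviously fake card numbers before storing harvested data.
import re


def luhn_valid(pan: str) -> bool:
    """Return True if the card number passes the Luhn (mod 10) check."""
    digits = re.sub(r"[\s-]", "", pan)  # tolerate "4111 1111 ..." formatting
    if not digits.isdigit() or not 12 <= len(digits) <= 19:  # PAN length range
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit, subtracting 9
    # when the doubled value exceeds 9, then sum everything.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def filter_submissions(submissions):
    """Mimic the kit's gate: only Luhn-valid card numbers are kept (hypothetical helper)."""
    accepted, rejected = [], []
    for record in submissions:
        (accepted if luhn_valid(record["card"]) else rejected).append(record["card"])
    return accepted, rejected


# Constructed sample submissions (publicly known test numbers, not real cards)
SAMPLE_SUBMISSIONS = [
    {"name": "A", "card": "4111 1111 1111 1111"},  # Luhn-valid Visa test number
    {"name": "B", "card": "4111111111111112"},     # last digit wrong, fails Luhn
    {"name": "C", "card": "1234-5678-9012-3456"},  # sequential digits, fails Luhn
    {"name": "D", "card": "abcd"},                 # not a card number at all
]

if __name__ == "__main__":
    ok, bad = filter_submissions(SAMPLE_SUBMISSIONS)
    print("accepted:", ok)
    print("rejected:", bad)
```

Only the first record survives the gate, which is why analysts reviewing a kit's drop files should expect mostly well-formed card numbers rather than random typos.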