Phishing Campaigns Targeting KFC and McDonald’s

Summary

KFC and McDonald’s were targeted via phishing campaigns aimed at the Saudi Arabia, UAE, and Singapore regions. Payment details have also been compromised.

Category: Adversary Intelligence
Industry: Service Sector
Motivation: Financial
Region: Global
Source*: A2

Executive Summary

Threat
  • KFC and McDonald’s targeted via phishing campaigns.
  • Campaigns aimed at the Saudi Arabia, UAE, and Singapore regions.
  • Payment details compromised.

Impact
  • Stolen payment information could lead to financial loss.
  • Loss of reputation for the brands being impersonated.

Mitigation
  • Be vigilant while providing PII and banking information.
  • Identify and report fake domains.

Analysis and Attribution

Information from XVigil

  • CloudSEK’s contextual AI digital risk platform XVigil discovered a domain impersonating the Google Play Store and displaying an app named KFC Saudi Arabia 4+.
  • This app is not an Android app but a browser-based application for Chrome.
  • Once the user clicks on the download button, the text on the button changes to “Install”.
  • Clicking the “Install” button prompts the user to install the browser application KFC Saudi Arabia 4+.
  • After installation, a desktop shortcut for the application is created on the user’s desktop.
  • Double-clicking the KFC Saudi Arabia 4+ app opens a Chrome application window, which loads the site sa[.]kfc-deliver[.]site; the site appeared to be down at the time of analysis.
  • Google Safe Browsing detected sa[.]kfc-deliver[.]site as a phishing website. (For more information, please refer to the Appendix section.)
Mind-Map diagram explaining the phishing campaign

Information from OSINT

  • Upon further investigation, another website pointing to KFC was discovered: kfc-singapore[.]fun.
  • This site is a sophisticated and elaborate phishing campaign being used to steal the card details of the victims.
Screenshot of the second phishing website: kfc-singapore[.]fun
  • When the victim tries to place an order on the phishing site, they are presented with a pop-up window asking them to fill in their details in a form.
  • The form is well designed and offers address suggestions, via the Google Maps API, while the victim types their address.
  • The site only accepted payment card numbers that satisfied the Luhn algorithm, a check-digit test used to reject mistyped or random card numbers.
  • After submitting the card details, the victim was prompted to provide the One Time Password (OTP) received via SMS.
  • After entering the OTP, the victim is redirected to another website impersonating McDonald’s, mac-delivery-sau-50-deal[.]top. At the time of writing, the site was inactive.
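The Luhn gate described above, reproduced here as an added example (not code from the CloudSEK report or the phishing kit): it shows why such a filter rejects mistyped or keyboard-pattern numbers, which leaves the operators with cleaner stolen data, and why passing the check still says nothing about whether a card actually exists. All sample numbers are constructed test values.

```python
# Added example, not code from the CloudSEK report: a Luhn mod-10 checksum of the
# kind the kfc-singapore[.]fun order form applied before accepting a card number.
# Passing Luhn only proves the digits are internally consistent; it does not
# prove the card exists. All sample numbers below are constructed test values.

def luhn_valid(number: str) -> bool:
    """Return True if the digit string (spaces allowed) satisfies Luhn mod-10."""
    cleaned = number.replace(" ", "")
    if not cleaned.isdigit() or len(cleaned) < 2:
        return False  # letters, hyphens or a single digit never pass
    total = 0
    # Walk from the rightmost digit; double every second digit, fold >9 to d-9.
    for i, ch in enumerate(reversed(cleaned)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def split_by_luhn(numbers):
    """Partition submitted values the way a Luhn-gated form would."""
    accepted = [n for n in numbers if luhn_valid(n)]
    rejected = [n for n in numbers if not luhn_valid(n)]
    return accepted, rejected

SAMPLE_SUBMISSIONS = [  # constructed values, not real cards
    "4111 1111 1111 1111",  # classic test number, Luhn-valid
    "4111 1111 1111 1112",  # one digit off: rejected
    "1234 5678 1234 5678",  # keyboard pattern: rejected
    "abcd",                 # not a number: rejected
]

if __name__ == "__main__":
    ok, bad = split_by_luhn(SAMPLE_SUBMISSIONS)
    print("accepted:", ok)
    print("rejected:", bad)
```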

Further Investigation

KFC

Using passive DNS and reverse IP lookups, CloudSEK’s researchers discovered similar domains hosted on the servers used by the site impersonating KFC, sa[.]kfc-deliver[.]site.
DNS Information for kfc-deliver[.]site

McDonald's

  • Using passive DNS information for the site mac-delivery-sau-50-deal[.]top, CloudSEK’s researchers discovered that the phishing website was active around July 2021.
  • The following domains impersonating McDonald’s were found hosted on the same web server during the same period.
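A small triage helper for the pivot described above, added here as an example (not CloudSEK’s tooling): it refangs passive-DNS or reverse-IP results and flags hosts whose names carry a brand token but whose registrable domain is not the brand’s own. The brand tokens and the allowlist of genuine domains are assumptions for illustration; the sample hosts are defanged indicators quoted in this report plus two assumed benign names.

```python
# Added example, not CloudSEK's code: flag brand-impersonating hostnames in a
# passive-DNS / reverse-IP result set. Brand tokens and ALLOWLIST are assumptions.

BRAND_TOKENS = {  # substring -> brand; substrings are deliberate so "kfc-deliver" matches
    "kfc": "KFC",
    "mcdelivery": "McDonald's",
    "mac-delivery": "McDonald's",
    "mc-delivery": "McDonald's",
}
# Hypothetical allowlist of genuine brand domains (assumption, not from the report).
ALLOWLIST = {"kfc.com", "mcdelivery.com"}

def refang(domain: str) -> str:
    """Turn a defanged indicator like 'sa[.]kfc-deliver[.]site' into a hostname."""
    return domain.replace("[.]", ".").strip().lower()

def registrable(host: str) -> str:
    """Crude registrable-domain extraction: last two labels (no public-suffix list)."""
    return ".".join(host.split(".")[-2:])

def flag_impersonation(domains):
    """Return [(hostname, brand)] for hosts carrying a brand token whose
    registrable domain is not on the allowlist."""
    hits = []
    for raw in domains:
        host = refang(raw)
        if registrable(host) in ALLOWLIST:
            continue  # the brand's own infrastructure, not an impersonation
        for token, brand in BRAND_TOKENS.items():
            if token in host:
                hits.append((host, brand))
                break
    return hits

SAMPLE = [  # indicators quoted in the report, plus two assumed benign hosts
    "sa[.]kfc-deliver[.]site",
    "kfc-singapore[.]fun",
    "mac-delivery-sau-50-deal[.]top",
    "mcdelivery-ae-sale[.]top",
    "www[.]kfc[.]com",
    "example[.]org",
]

if __name__ == "__main__":
    for host, brand in flag_impersonation(SAMPLE):
        print(f"{host:32} impersonates {brand}")
```

A production version would swap the two-label heuristic for a public-suffix list and add fuzzy matching for misspelled brand names; the substring logic here is enough to reproduce the clustering the report describes.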

Impact & Mitigation

Impact
  • Compromised payment card information can lead to financial loss.
  • Data collected can be sold on the dark web for monetary gain.
  • Loss of revenue and reputation for the brands being impersonated.
  • The PII and card details shared by the victims can be exploited to conduct:
    • Social engineering attacks
    • Banking frauds
    • Identity thefts

Mitigation
  • Users should be vigilant while visiting sites and submitting their PII and banking information.
  • Identify and report domains impersonating brand names and trademarks.
  • Create an inclusive awareness campaign to educate customers about the organization’s processes.
  • Create awareness among customers regarding malicious URLs.

Appendix

Google Play Store displaying an app named KFC Saudi Arabia 4+
KFC Saudi Arabia 4+ application installed in Chrome Browser
Site being detected by Google Safe Browsing as a phishing site
Kfc-singapore[.]fun site providing address suggestions using Google Maps API
Kfc-singapore[.]fun site only accepting valid payment card details
OTP confirmation message on the kfc-singapore[.]fun site