Earlier this week, KFC and McDonald’s customers were targeted via phishing campaigns across Saudi Arabia, UAE and Singapore, with payment details of some of them successfully stolen by attackers.
Security researchers at CloudSEK were the first to spot that these campaigns worked via a domain impersonating the Google Play Store and displaying a malicious, browser–based application for Chrome.
They found that after landing on the malicious URL and clicking on the download button, the text on the button changes to ‘Install,’ which in turn prompts the user to install the browser application ‘KFC Saudi Arabia 4+.’
“After installation, a desktop shortcut for the same application is created on the user’s desktop,” CloudSEK wrote in an advisory published over the weekend.
“Double–Clicking the KFC Saudi Arabia 4+ app opens a chrome application window, which loads the site […], which seems to be down at the time of analysis.”
The team also discovered a second website pointing to KFC–focused phishing.
“This site is a sophisticated and elaborate phishing campaign being used to steal the card details of the victims,” CloudSEK wrote.
“When the victim tries to place an order on the phishing site, they are presented with a pop–up window to fill in their details in the form.”
The advisory has said that the form was well–designed, providing users with suggestions while filling up their addresses using the Google Maps API. Further, the site only accepted payment card details that satisfied the Luhn algorithm to ensure that the cards being submitted were valid.
“After submitting the card details, the victim was prompted to provide the One Time Password (OTP) received on SMS,” reads the CloudSEK technical write–up.
“After entering the OTP, the victim is taken to another website impersonating McDonald’s, […] At the time of writing, the site was inactive.”
Through using Passive DNS and reverse IP lookups, CloudSEK’s researchers discovered additional domains hosted on the servers used by the site impersonating KFC and McDonald’s.
“Users should be vigilant while visiting sites and submitting their PII and banking information,” CloudSEK warned.
In addition, the advisory also suggests companies identify and report domains impersonating brand names and trademarks and create inclusive awareness campaigns to educate customers about the organization’s processes.
In general it appears that threat actors are constantly evolving tactics, and that goes for phishing attempts as well. For instance, security researchers at Proofpoint have recently spotted phishing campaigns using Microsoft Sway.