Phishing campaigns target McDonalds
KFC and McDonald’s customers were targeted via phishing campaigns across Saudi Arabia, UAE and Singapore, with payment details of some of them successfully stolen by attackers.
Spotted by security researchers at CloudSEK, the first of these campaigns worked via a domain impersonating the Google Play Store and displaying a malicious, browser–based application for Chrome.
Researchers Identify 3 Hacktivist Groups Supporting Russian Interests
Upon landing on the malicious URL and clicking on the download button, the text on the button changes to ‘Install,’ which in turn prompts the user to install the browser application ‘KFC Saudi Arabia 4+.’
“After installation, a desktop shortcut for the same application is created on the user’s desktop,” CloudSEK wrote in an advisory published over the weekend.
“Double–Clicking the KFC Saudi Arabia 4+ app opens a chrome application window, which loads the site […], which seems to be down at the time of analysis.”
Further, the team also discovered a second website pointing to KFC–focused phishing.
“This site is a sophisticated and elaborate phishing campaign being used to steal the card details of the victims,” CloudSEK wrote.
“When the victim tries to place an order on the phishing site, they are presented with a pop–up window to fill in their details in the form.”
According to the advisory, the form was well–designed, providing users with suggestions while filling up their addresses using the Google Maps API. Further, the site only accepted payment card details that satisfied the Luhn algorithm to ensure that the cards being submitted were valid.
“After submitting the card details, the victim was prompted to provide the One Time Password (OTP) received on SMS,” reads the CloudSEK technical write–up.
“After entering the OTP, the victim is taken to another website impersonating McDonald’s, […] At the time of writing, the site was inactive.”
Using Passive DNS and reverse IP lookups, CloudSEK’s researchers discovered additional domains hosted on the servers used by the site impersonating KFC and McDonald’s.
“Users should be vigilant while visiting sites and submitting their PII and banking information,” CloudSEK warned.
Phishing campaigns target McDonalds