KFC and McDonald's customers have been targeted in phishing campaigns in Saudi Arabia, the United Arab Emirates and Singapore, with the attackers stealing bank details from some of the victims.
Security researchers at CloudSEK noticed that one of these campaigns was running through a domain posing as the Google Play Store and displaying a malicious Chrome browser app.
After clicking the malicious URL, the user is taken to a fake Google Play page offering the "KFC Saudi Arabia 4+" application.
Once installed, a shortcut to the application is created in the Chrome browser. When launched, KFC Saudi Arabia 4+ opens a Chrome application window that loads a malicious site, which is not currently running.
CloudSEK experts also discovered a second phishing website targeting KFC customers. When a victim tries to check out on the phishing site, a pop-up window appears asking for the user's details.
The researchers noted that the form was well designed, as it prompted the user to enter a location using the Google Maps API. In addition, the phishing site only accepted payment card details that satisfied the Luhn algorithm, to ensure that the card details were valid.
After sending the card data, the user had to enter a one-time password received via SMS. After entering the password, the victim was taken to another site imitating McDonald's.
Using Passive DNS and Reverse IP Lookup, CloudSEK researchers discovered additional domains hosted on servers used by the phishing site.
The newsletter also encourages companies to identify and report impersonating domains and run awareness campaigns to inform customers about the organization's processes.
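The reverse-IP pivot and impersonation check described above, as an added example that is not taken from CloudSEK's report: starting from one known phishing domain, it lists co-hosted domains from passive-DNS rows and flags those that imitate a protected brand. The domains, IP addresses, brand list, digit-swap table and similarity threshold are all constructed assumptions.

```python
from difflib import SequenceMatcher

# Constructed passive-DNS rows (domain, resolved IP): reserved .example names
# and documentation IP ranges, not indicators from the CloudSEK report.
PDNS = [
    ("kfc-offers.example", "203.0.113.10"),
    ("kfc-offers.example", "203.0.113.11"),
    ("mcd0nalds-deals.example", "203.0.113.10"),
    ("garden-tools.example", "203.0.113.10"),
    ("k-f-c.delivery.example", "203.0.113.11"),
    ("mcdonaldz-meals.example", "203.0.113.11"),
    ("mcdonalds-menu.example", "198.51.100.7"),   # unrelated server
]
BRANDS = ["kfc", "mcdonalds"]               # names the brand owner protects
SWAPS = str.maketrans("01345", "oleas")     # common digit-for-letter swaps

def cohosted(seed, rows):
    """Reverse-IP pivot: other domains seen on any IP the seed resolved to."""
    ips = {ip for domain, ip in rows if domain == seed}
    return sorted({d for d, ip in rows if ip in ips and d != seed})

def brand_hit(domain, brands=BRANDS, threshold=0.85):
    """Return the brand a domain appears to imitate, or None."""
    for label in domain.lower().split(".")[:-1]:      # skip the TLD
        norm = label.translate(SWAPS)
        squashed = norm.replace("-", "")
        for brand in brands:
            if brand in squashed:                      # exact or hyphen-split
                return brand
            for token in norm.split("-"):              # near-miss spellings
                if SequenceMatcher(None, token, brand).ratio() >= threshold:
                    return brand
    return None

def triage(seed, rows=PDNS):
    """Map each co-hosted domain that imitates a brand to that brand."""
    hits = {}
    for domain in cohosted(seed, rows):
        brand = brand_hit(domain)
        if brand:
            hits[domain] = brand
    return hits

if __name__ == "__main__":
    for domain, brand in triage("kfc-offers.example").items():
        print(f"review for takedown: {domain} (imitates {brand})")
```

Substring matching on a short brand such as "kfc" will produce false positives on real data, so the output is a review queue for an analyst rather than a blocklist.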