Phishing actors target fast-food chains in selected countries

October 6, 2022

Researchers spotted a new phishing campaign targeting customers of two fast-food chains in the United Arab Emirates, Singapore, and Saudi Arabia. Based on reports, the phishing operators stole some of the payment details of KFC and McDonald’s customers.

The initial campaign used a domain that impersonated the Google Play Store and displayed a browser-based app for the Chrome browser. Once a target lands on the spoofed webpage, the text on a button at the centre of the page changes to “Install.” This button prompts the user to install a browser application called KFC Saudi Arabia.

Subsequently, a shortcut for the same application appears on the target’s desktop. If the target double-clicks the shortcut, the app opens in a Chrome application window that loads the site.

Furthermore, the researchers discovered a second site that redirects users to a phishing domain. The threat actors use this sophisticated phishing site to steal visitors’ payment card details.

 

If a victim attempts to place an order on the fake fast-food chain website, a pop-up window appears with a form asking them to fill in their credentials.

 

The threat actors devised a well-executed phishing campaign to target unaware users.

According to an analysis, the developers of the phishing form designed it to deceive users. The app offered users several suggestions, using Google Maps, while they completed their addresses.

The site exclusively accepts payment card numbers that pass the Luhn algorithm, a checksum that confirms a number is well-formed, so invalid card numbers are rejected. After submitting the payment card details, victims are prompted to give the OTP.

After the victims enter the one-time password, the threat actors take them to another website that impersonates McDonald’s.

Moreover, using reverse IP lookups and passive DNS, the researchers found additional domains hosted on the threat actors’ servers, which are used by the sites that impersonate McDonald’s and KFC.
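
The reverse-IP and passive-DNS pivot mentioned above, sketched as an added example (not code from the researchers or the advisory): starting from one known spoofed domain, it lists domains seen on the same IP during the same period, skips heavily shared hosting, and flags names containing a watched brand. All records, domain names, IP addresses and the `max_tenants` threshold are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed passive-DNS rows (domain, ip, first_seen, last_seen). Every value is
# made up for this example and uses the reserved .example TLD and documentation IPs.
PDNS = [
    ("kfc-order.example", "203.0.113.10", date(2022, 9, 1), date(2022, 9, 30)),
    ("mcdonalds-deals.example", "203.0.113.10", date(2022, 9, 10), date(2022, 10, 2)),
    ("play-store-apps.example", "203.0.113.10", date(2022, 9, 5), date(2022, 9, 20)),
    ("old-tenant.example", "203.0.113.10", date(2021, 1, 1), date(2021, 6, 1)),
    ("kfc-order.example", "198.51.100.7", date(2022, 10, 1), date(2022, 10, 5)),
    ("mcd0nalds-menu.example", "198.51.100.7", date(2022, 10, 1), date(2022, 10, 6)),
    ("kfc-order.example", "192.0.2.50", date(2022, 8, 1), date(2022, 8, 2)),  # shared host
] + [(f"tenant{i}.example", "192.0.2.50", date(2022, 8, 1), date(2022, 8, 31)) for i in range(30)]

BRANDS = ("kfc", "mcdonalds")         # assumed watch-list of protected marks
LEET = str.maketrans("0134", "oiea")  # undo common digit-for-letter swaps

def overlaps(a_start, a_end, b_start, b_end):
    """True when two observation windows share at least one day."""
    return a_start <= b_end and b_start <= a_end

def pivot(seed, rows, max_tenants=20):
    """Reverse-IP pivot: domains seen on the seed's IPs while the seed was there."""
    by_ip = defaultdict(list)
    for domain, ip, first, last in rows:
        by_ip[ip].append((domain, first, last))
    related = defaultdict(set)
    for ip, entries in by_ip.items():
        seed_windows = [(f, l) for d, f, l in entries if d == seed]
        # Skip shared hosting: dozens of unrelated tenants make co-hosting meaningless.
        if not seed_windows or len({d for d, _, _ in entries}) > max_tenants:
            continue
        for domain, first, last in entries:
            if domain != seed and any(overlaps(first, last, f, l) for f, l in seed_windows):
                related[domain].add(ip)
    return related

def brand_hits(domains):
    """Subset of domains whose normalised name contains a watched brand."""
    def norm(d):
        return d.lower().translate(LEET).replace("-", "")
    return sorted(d for d in domains if any(b in norm(d) for b in BRANDS))

if __name__ == "__main__":
    found = pivot("kfc-order.example", PDNS)
    for dom in sorted(found):
        print(dom, sorted(found[dom]), "BRAND" if dom in brand_hits(found) else "")
```

The time-window check keeps out earlier tenants of a recycled IP, and the tenant cap keeps a single shared host from flooding the result with unrelated names.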

The threat advisory also recommends that companies report these spoofed domains and trademarks. By reporting these entities, companies could spread awareness and educate customers about these illegal activities.
