Security researchers at CloudSEK have discovered phishing campaigns targeting KFC and McDonald’s customers across Saudi Arabia, UAE, and Singapore, in which the attackers successfully steal payment details.
The campaigns work via a domain impersonating the Google Play Store that offers a malicious, browser-based Chrome application. When the victim lands on the URL and clicks the download button, the button text changes to 'Install', prompting the user to install the browser application 'KFC Saudi Arabia 4+'.
Following installation, a shortcut for the program appears on the user's desktop. According to CloudSEK's advisory, double-clicking the KFC Saudi Arabia 4+ shortcut opens a Chrome application window that loads the phishing website. Nothing is fetched from Google Play: the "app" is the phishing site itself, installed as a Chrome web app rather than a native program, so none of the Play Store's review or signing checks apply.
The team also found a second website used for KFC-themed phishing, which CloudSEK describes as a sophisticated and elaborate campaign to steal victims' card details.
When the victim tries to place an order on the phishing site, a pop-up form asks for their personal details. The form is well designed, the advisory says, and offers address suggestions through the Google Maps API as the victim types. The site also rejects any card number that fails the Luhn checksum. This filters out mistyped numbers before they reach the operators; Luhn validity is only a checksum test and does not prove a card is genuine or active, but it does ensure the attackers are not collecting garbage.
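A Luhn check of the kind a phishing form runs client-side, as an added example that is not code from the CloudSEK advisory or from the campaign. It also includes a check-digit generator to show why passing the check proves nothing about whether a card was ever issued: any prefix can be completed into a checksum-valid number. The sample numbers are public test PANs or constructed values, not real cards.

```javascript
// Added example (not from the advisory or the phishing kit): a Luhn (mod 10)
// validator like the one a phishing form uses to discard mistyped card
// numbers, plus a check-digit generator. Sample PANs below are public test
// numbers or constructed values, never real card data.

// Strip spaces and dashes and require a plausible PAN length (12-19 digits).
function normalizePan(input) {
  const digits = String(input).replace(/[\s-]/g, "");
  return /^\d{12,19}$/.test(digits) ? digits : null;
}

// Luhn sum: walk from the rightmost digit, doubling every second digit and
// subtracting 9 when the doubled value exceeds 9. `doubleFirst` says whether
// the rightmost digit supplied sits in a doubled position (true when the
// check digit has not been appended yet).
function luhnSum(digits, doubleFirst) {
  let sum = 0;
  let double = doubleFirst;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum;
}

// True when the full PAN's Luhn sum is divisible by 10.
function luhnValid(pan) {
  const digits = normalizePan(pan);
  return digits !== null && luhnSum(digits, false) % 10 === 0;
}

// Check digit that makes `partial` Luhn-valid once appended. Any prefix,
// including an invented one, can be completed this way, which is why the
// check says nothing about legitimacy.
function luhnCheckDigit(partial) {
  const digits = String(partial).replace(/[\s-]/g, "");
  if (!/^\d+$/.test(digits)) throw new Error("digits only");
  return String((10 - (luhnSum(digits, true) % 10)) % 10);
}

// Mirror of the phishing form's filter over a batch of submissions: keep only
// entries that pass the checksum, so typos never reach the operators.
function filterSubmissions(pans) {
  return pans.filter(luhnValid);
}

// Constructed demonstration inputs.
const DEMO_SUBMISSIONS = [
  "4111 1111 1111 1111", // public Visa test number, passes
  "4111111111111112",    // one digit off, fails
  "4242-4242-4242-4242", // public test number, passes despite dashes
  "4111",                // too short, fails
];
console.log(filterSubmissions(DEMO_SUBMISSIONS));
// Luhn catches single-digit errors and most adjacent swaps, but a 09/90
// swap keeps the same sum: both constructed numbers below validate.
console.log(luhnValid("4111111111111095"), luhnValid("4111111111111905"));
```

Run with `node luhn.js`. The last line is the practical caveat for anyone reading "Luhn-valid" as "legitimate": the checksum only rejects obvious typos, and the generator shows that producing a passing number from scratch costs nothing.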
After entering card details, the victim is asked for the One Time Password (OTP) delivered to them by SMS. For an OTP to arrive at all, a payment must already have been initiated against the card, which suggests the operators were using the stolen details in real time while the victim waited on the form. Once the OTP is submitted, the victim is redirected to a further site impersonating McDonald's.
Using passive DNS and reverse IP lookups, CloudSEK researchers identified further domains resolving to the same servers as the fake KFC and McDonald's sites. CloudSEK advised users to exercise caution when visiting websites and providing PII and financial information.
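The infrastructure pivot described above, as an added example that is not CloudSEK's tooling or data: given passive-DNS-style records (one row per observed domain-to-IP resolution), start from known phishing domains, collect the addresses they resolved to, and list every other domain seen on those addresses. All domain names (`.example`) and addresses (RFC 5737 TEST-NET ranges) are constructed placeholders, not the campaign's real infrastructure. The `maxDomainsPerIp` threshold is an assumption of this example; it exists because a reverse IP lookup on a shared-hosting or CDN address returns hundreds of unrelated tenants, which is the usual source of false positives in this kind of pivot.

```javascript
// Added example (not CloudSEK's tooling or findings): pivot from seed phishing
// domains to co-hosted domains using passive-DNS-style records. Every domain
// and IP below is a constructed placeholder (.example names, TEST-NET ranges).

const SEED_DOMAINS = ["kfc-sa-order.example", "mcd-sa-menu.example"];

// Constructed passive DNS observations: one row per (domain, ip) resolution.
const SAMPLE_PDNS = [
  { domain: "kfc-sa-order.example",   ip: "203.0.113.10", firstSeen: "2023-01-02" },
  { domain: "play-store-app.example", ip: "203.0.113.10", firstSeen: "2023-01-03" },
  { domain: "kfc-sa-order.example",   ip: "203.0.113.11", firstSeen: "2023-01-09" },
  { domain: "mcd-sa-menu.example",    ip: "203.0.113.11", firstSeen: "2023-01-09" },
  { domain: "kfc-uae-deals.example",  ip: "203.0.113.11", firstSeen: "2023-01-12" },
  // The McDonald's clone also briefly sat on a crowded shared-hosting address.
  { domain: "mcd-sa-menu.example",    ip: "198.51.100.5", firstSeen: "2023-01-01" },
];
// Sixty unrelated tenants on that shared-hosting IP (constructed).
for (let i = 0; i < 60; i++) {
  SAMPLE_PDNS.push({ domain: `shared-${i}.example`, ip: "198.51.100.5", firstSeen: "2022-12-01" });
}

// Index records as ip -> Set of domains observed on it.
function buildIpIndex(records) {
  const index = new Map();
  for (const { domain, ip } of records) {
    if (!index.has(ip)) index.set(ip, new Set());
    index.get(ip).add(domain);
  }
  return index;
}

// Pivot: for each IP a seed domain resolved to, collect the other domains on
// it. IPs hosting more than `maxDomainsPerIp` domains are treated as shared
// hosting and reported separately instead of flooding the results.
function pivotDomains(records, seeds, { maxDomainsPerIp = 50 } = {}) {
  const byIp = buildIpIndex(records);
  const seedSet = new Set(seeds);
  const found = new Map(); // domain -> Set of IPs that link it to a seed
  const skippedIps = [];
  for (const [ip, domains] of byIp) {
    if (![...domains].some((d) => seedSet.has(d))) continue;
    if (domains.size > maxDomainsPerIp) {
      skippedIps.push(ip);
      continue;
    }
    for (const d of domains) {
      if (seedSet.has(d)) continue;
      if (!found.has(d)) found.set(d, new Set());
      found.get(d).add(ip);
    }
  }
  const hits = [...found]
    .map(([domain, ips]) => ({ domain, ips: [...ips].sort() }))
    .sort((a, b) => a.domain.localeCompare(b.domain));
  return { hits, skippedIps };
}

console.log(JSON.stringify(pivotDomains(SAMPLE_PDNS, SEED_DOMAINS), null, 2));
```

With the default threshold the pivot returns the two domains that share the dedicated addresses with the seeds and flags `198.51.100.5` as skipped; raising the threshold pulls in all sixty unrelated tenants, which is exactly the noise an analyst has to avoid attributing to the campaign.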
The advisory recommended that businesses run extensive awareness campaigns to inform customers of their official ordering and payment procedures, and that they monitor for, and report, domains that mimic their brand names and trademarks.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543