Phishing Campaigns Targeting KFC and McDonald’s

KFC and McDonald’s were targeted via phishing campaigns. Campaigns aimed at the Saudi Arabia, UAE, and Singapore regions. Payment details has also been compromised.
Updated on
April 19, 2023
Published on
September 30, 2022
Subscribe to the latest industry news, threats and resources.
Category: Adversary Intelligence Industry: Service Sector Motivation: Financial Region: Global Source*: A2

Executive Summary

  • KFC and McDonald’s targeted via phishing campaigns.
  • Campaigns aimed at the Saudi Arabia, UAE, and Singapore regions.
  • Payment details compromised.
  • Stolen payment information could lead to financial loss.
  • Loss of reputation for the brands being impersonated.
  • Be vigilant while providing PII and banking information.
  • Identify and report fake domains.

Analysis and Attribution

Information from XVigil

  • CloudSEK’s contextual AI digital risk platform XVigil discovered a domain impersonating the Google Play Store and displaying an app named KFC Saudi Arabia 4+.
  • This app is not for android phones, but is a browser-based application for Chrome.
  • Once the user clicks on the download button, the text on the button changes to “Install”.
  • Clicking the “Install” button prompts the user to install the browser application KFC Saudi Arabia 4+.
  • After installation, a desktop shortcut for the same application is created on the user’s desktop.
  • Double-Clicking the KFC Saudi Arabia 4+ app opens a chrome application window, which loads the site sa[.]kfc-deliver[.]site, which seems to be down at the time of analysis.
  • Google Safe Browsing detected sa[.]kfc-deliver[.]site as a phishing website. (For more information, please refer the Appendix section)
[caption id="attachment_20885" align="alignnone" width="1372"]Mind-Map diagram explaining the phishing campaign Mind-Map diagram explaining the phishing campaign[/caption]  

Information from OSINT

  • Upon further investigation, another website pointing to KFC was discovered: kfc-singapore[.]fun.
  • This site is a sophisticated and elaborate phishing campaign being used to steal the card details of the victims.
[caption id="attachment_20886" align="alignnone" width="1410"]Screenshot of the second phishing website: kfc-singapore[.]fun Screenshot of the second phishing website: kfc-singapore[.]fun[/caption] 
  • When the victim tries to place an order on the phishing site, they are presented with a pop-up window to fill in their details in the form.
  • The form is well designed and provides users with suggestions while filling up their address using Google Maps API.
  • The site was only accepting payment card details that satisfied the Luhn algorithm to validate that the cards being submitted were valid.
  • After submitting the card details, the victim was prompted to provide the One Time Password (OTP) received on SMS.
  • After entering the OTP, the victim is taken to another website impersonating McDonald's, mac-delivery-sau-50-deal[.]top. At the time of writing, the site was inactive.
Also Read Cloudflare Pages Misused in a Phishing Campaign Against Indian Banking Customers

Further Investigation


Using Passive DNS and reverse IP lookups, CloudSEK’s Researchers discovered similar domains hosted on the servers that were used by the site impersonating KFC: sa[.]kfc-deliver[.]site. [caption id="attachment_20887" align="aligncenter" width="999"]DNS Information for kfc-deliver[.]site DNS Information for kfc-deliver[.]site[/caption]


  • Using Passive DNS information for the site: mac-delivery-sau-50-deal[.]top, CloudSEK’s researchers discovered that the phishing website was active around July 2021.
  • The following domains impersonating McDonald’s were discovered that were hosted on the same web server during the same time period.
mcdelivery-hkg[.]top mcdelivery-sale[.]top mcdelivery-ae-sale[.]top
mcdelivery-isr[.]top mcdelivery-ae-com[.]top sau-mcdelivery[.]top
isr-mcdelivery[.]top mcdelivery-sau[.]top mcdelivery-ch[.]top
mcdelivery-sau-deal[.]top mac-delivery-sau[.]top mcdelivery-deu[.]top
mac-delivery-sau-50-deal[.]top mc-delivery-deal[.]top mcdelivery-ae-deal[.]top
mac-delivery-sau-deal[.]top mac-delivery-com[.]top mcdelivery-ae[.]top
mac-delivery-sale[.]top mac-delivery-ads-sale[.]top

Impact & Mitigation

Impact Mitigation
  • Compromised payment card information can lead to financial loss.
  • Data collected can be sold on the dark web for monetary gain.
  • Loss of revenue and reputation of the brands being impersonated.
  • The PII and card detail shared by the victims can be exploited to conduct:
    • Social engineering attacks
    • Banking frauds
    • Identity thefts
  • Users should be vigilant while visiting sites and submitting their PII and banking information.
  • Identify and report domains impersonating brand names and trademarks.
  • Create an inclusive awareness campaign to educate customers about the organization’s processes.
  • Create awareness among customers regarding malicious URLs.



[caption id="attachment_20888" align="alignnone" width="1372"]Google Play Store displaying an app named KFC Saudi Arabia 4+ Google Play Store displaying an app named KFC Saudi Arabia 4+[/caption]   [caption id="attachment_20889" align="alignnone" width="1240"]KFC Saudi Arabia 4+ application installed in Chrome Browser KFC Saudi Arabia 4+ application installed in Chrome Browser[/caption]   [caption id="attachment_20890" align="alignnone" width="1082"]Site being detected by Google Safe Browsing as a phishing site Site being detected by Google Safe Browsing as a phishing site[/caption]   [caption id="attachment_20891" align="alignnone" width="1051"]Kfc-singapore[.]fun site providing address suggestions using Google Maps API Kfc-singapore[.]fun site providing address suggestions using Google Maps API[/caption]  [caption id="attachment_20892" align="alignnone" width="1032"]Kfc-singapore[.]fun site only accepting valid payment card details Kfc-singapore[.]fun site only accepting valid payment card details[/caption]  [caption id="attachment_20893" align="alignnone" width="632"]OTP confirmation message on the kfc-singapore[.]fun site OTP confirmation message on the kfc-singapore[.]fun site[/caption]   

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations