
UAE Phishing Attacks

Mar 27 2024

Cyber Heals Identifies an Ongoing Phishing Campaign: From Al Baik to KFC, a Russian-Based Threat Actor Continues Its Deceptive Practices

A highly sophisticated and targeted phishing campaign has been uncovered, orchestrated by a Russian-based threat actor with the primary objective of acquiring credit card details from individuals in the United Arab Emirates (UAE). Following the recent discovery of a targeted phishing campaign aimed at acquiring credit card details from UAE citizens and residents by impersonating the renowned chicken restaurant chain Al Baik, Cyber Heals has now identified yet another highly sophisticated phishing attack, this time impersonating KFC.

This threat actor is not only collecting credit card details through these deceptive tactics but is also known to sell this sensitive information on the dark web, further escalating the risk and potential harm to individuals.

Using YouTube ads as clickbait, the threat actor entices users with attractive offers associated with KFC, a renowned chicken restaurant chain. Before that, the threat actor tried the same approach with Al Baik, a renowned chicken restaurant chain originating from Saudi Arabia but with branches in the UAE. Once users click on the ad, they are redirected to a subdomain hosted on






While the websites are secured with HTTPS using a Let's Encrypt certificate, it is crucial to understand that this alone does not guarantee their authenticity.



The threat actor has skillfully crafted a fake payment gateway page at https[:]//albaik[.]drunkgnomes[.]com/payment[.]php#, https[:]//[.]php?payment_id=0112e27c612702ab3f1859d1f3edea8e7980fe2b5c88c31455c64c845d74f0ad with the intention of deceiving users into providing their credit card information.


The fraudulent payment gateway page convincingly replicates a legitimate payment page, employing logos such as PCI DSS and secure pay to create an illusion of a secure transaction process. However, intercepting the traffic reveals that the card details, including the card number, expiry date, CVV, and cardholder name, are transmitted in plain text, exposing them to potential unauthorized access by the threat actor.

Further analysis of the payment gateway page's code confirms meticulous design by the threat actor, aimed at luring unsuspecting users. This campaign underscores the evolving tactics employed by threat actors who now exploit digital ads as weapons in their phishing endeavors.

Through our comprehensive threat intelligence analysis, we conducted a thorough assessment of the domain and IP address reputation. The esteemed organization Spamhaus has identified the albaik[.]drunkgnomes[.]com domain as malicious, while only one vendor on VirusTotal has flagged it as such. The new KFC impersonation domain, however, is not yet flagged as malicious because it is new.

Img: VirusTotal detection on KFC
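The pattern described in this article (a brand name placed in a subdomain of an unrelated domain, served over valid HTTPS, and not yet flagged by reputation feeds) can be caught by comparing host names against the brand's own domains. The following is an added example, not part of the Cyber Heals analysis; the allow-list entries and every sample URL other than the first are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed allow-list for illustration: brand keyword -> domains the brand itself
# operates. Confirm against the brand's own published domains before use.
OFFICIAL_DOMAINS = {"albaik": {"albaik.com"}, "kfc": {"kfc.com"}}


def refang(indicator: str) -> str:
    """Undo report-style defanging: [.] -> ., [:] -> :, hxxp -> http."""
    text = indicator.strip().replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", text, flags=re.IGNORECASE)


def hostname_of(indicator: str) -> str:
    """Return the lower-cased host of a URL or bare host name, '' if none."""
    url = refang(indicator)
    if "://" not in url:
        url = "//" + url  # lets urlsplit treat a bare host as the netloc
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def impersonated_brand(indicator: str):
    """Return the brand whose name appears in a host it does not own, else None."""
    # The scheme is deliberately ignored: a valid HTTPS certificate only proves
    # control of the host name, so it must not soften the verdict.
    host = hostname_of(indicator)
    for brand, official in OFFICIAL_DOMAINS.items():
        owned = any(host == d or host.endswith("." + d) for d in official)
        # Substring match per label also catches labels such as "kfc-offers".
        in_label = any(brand in label for label in host.split("."))
        if in_label and not owned:
            return brand
    return None


# Constructed sample input; only the first entry is taken from the article.
SAMPLES = [
    "https[:]//albaik[.]drunkgnomes[.]com/payment[.]php#",
    "https://kfc-offers.shop.example/pay",   # constructed look-alike
    "https://www.albaik.com/menu",           # assumed legitimate host
    "https://news.example/kfc-review",       # brand only in the path
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{impersonated_brand(sample) or '-':8} {sample}")
```

Because the check depends only on the host name, it flags a newly registered look-alike on first sight instead of waiting for a reputation listing.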


Al Baik has already responded to the recent phishing campaign by issuing an official statement, urging users to be cautious. However, the Threat Actor has since shifted focus to KFC. This ongoing situation emphasizes the crucial need for all UAE internet users to stay alert and vigilant. Cyber Heals, a respected cybersecurity firm, emphasizes the importance of awareness and encourages users to actively take steps to protect their personal and financial data.

In the constantly evolving world of digital technology, threat actors are relentless in honing their deceptive tactics. It's vital that we all recognize the significance of staying informed and embracing solid security practices. Through collective vigilance and a forward-thinking approach to cybersecurity, we can work together to protect the UAE's internet users from becoming the next victims of these malicious phishing campaigns.


