kfcdelivery.co.nz ongoing scam

Nathan Ward

17 Oct 2015 17 Oct '15

12:01 p.m.

All, You might’ve seen ‘kfcdelivery.co http://kfcdelivery.co/.nz’ pop up on social media today. It’s a scam. If you have the ability to block this website so your users cannot reach it, please do so. If you have stuck your CC details in there, cancel your card. It is hosted through CloudFlare, don’t block the IPs, but perhaps you can filter on your DNS or something. I have reached out to the registrar for the domain to get it blocked (discount domains). If anyone has a contact there other than support@ to get it pulled ASAP, please use it - I don’t know anyone there. The logic of the site is roughly: <snip> # Validate input and set error if validation fails if(error){ "You must fill in the red fields" }else{ "Our servers are down due to heavy traffic, please try again later" } # send data to servers anyway </snip> -- Nathan Ward

Attachments:

attachment.htm (text/html — 4.4 KB)

Show replies by date

Ray Taylor

17 Oct 17 Oct

12:33 p.m.

It sounds like a good idea – Restaurant brands could have a separate company with a depot in each town where the staff deliver for KFC, Starbucks, Carls Jr and Pizza Hut Ray Taylor Taylor Communications ray(a)ruralkiwi.com Napier: 06-929-9082 Waipukurau: 06-928-0549 Description: header_logo From: nznog-bounces(a)list.waikato.ac.nz [mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Nathan Ward Sent: Sunday, 18 October 2015 7:02 p.m. To: nznog Subject: [nznog] kfcdelivery.co.nz ongoing scam All, You might’ve seen ‘kfcdelivery.co.nz’ pop up on social media today. It’s a scam. If you have the ability to block this website so your users cannot reach it, please do so. If you have stuck your CC details in there, cancel your card. It is hosted through CloudFlare, don’t block the IPs, but perhaps you can filter on your DNS or something. I have reached out to the registrar for the domain to get it blocked (discount domains). If anyone has a contact there other than support@ to get it pulled ASAP, please use it - I don’t know anyone there. The logic of the site is roughly: <snip> # Validate input and set error if validation fails if(error){ "You must fill in the red fields" }else{ "Our servers are down due to heavy traffic, please try again later" } # send data to servers anyway </snip> -- Nathan Ward

Nathan Ward

12:40 p.m.

Sure, and they used to do delivery years ago. People want it, which is why this is working so well - I expect there’ll have been several thousand CC numbers go in to this form today. Police are telling me that KFC have submitted something to the registrar to get the domain pulled, it that could take days for them to get around to that email. Their e-crimes guys aren’t working today apparently so there’s not much they can do to follow up and try nab whoever’s doing this before it gets pulled and they disappear. I’ve contacted Cloudflare through their abuse site, and through some direct contacts, so we’ll see what comes of that.. I’m sure there’s plenty of hungover people who just want some KFC who’re going to have the headache extended when they find out their CC info has been popped. -- Nathan Ward

...

On 18/10/2015, at 19:33, Ray Taylor wrote:

It sounds like a good idea – Restaurant brands could have a separate company with a depot in each town where the staff deliver for KFC, Starbucks, Carls Jr and Pizza Hut

Ray Taylor Taylor Communications ray(a)ruralkiwi.com mailto:ray(a)ruralkiwi.com

Napier: 06-929-9082 Waipukurau: 06-928-0549

From: nznog-bounces(a)list.waikato.ac.nz [mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Nathan Ward Sent: Sunday, 18 October 2015 7:02 p.m. To: nznog Subject: [nznog] kfcdelivery.co.nz ongoing scam

All,

You might’ve seen ‘kfcdelivery.co http://kfcdelivery.co/.nz’ pop up on social media today. It’s a scam.

If you have the ability to block this website so your users cannot reach it, please do so. If you have stuck your CC details in there, cancel your card.

It is hosted through CloudFlare, don’t block the IPs, but perhaps you can filter on your DNS or something.

I have reached out to the registrar for the domain to get it blocked (discount domains). If anyone has a contact there other than support@ to get it pulled ASAP, please use it - I don’t know anyone there.

The logic of the site is roughly: <snip> # Validate input and set error if validation fails

if(error){ "You must fill in the red fields" }else{ "Our servers are down due to heavy traffic, please try again later" }

# send data to servers anyway </snip>

-- Nathan Ward

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz mailto:NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog http://list.waikato.ac.nz/mailman/listinfo/nznog

Neil Gardner

12:54 p.m.

We've killed the site for spark users. Cheers N Sent from my mobile device. Please excuse brevity and any autocorrect issues. From: Nathan Ward Sent: 18/10/2015 7:40 pm To: Ray Taylor Cc: nznog Subject: Re: [nznog] kfcdelivery.co.nz ongoing scam Sure, and they used to do delivery years ago. People want it, which is why this is working so well - I expect there'll have been several thousand CC numbers go in to this form today. Police are telling me that KFC have submitted something to the registrar to get the domain pulled, it that could take days for them to get around to that email. Their e-crimes guys aren't working today apparently so there's not much they can do to follow up and try nab whoever's doing this before it gets pulled and they disappear. I've contacted Cloudflare through their abuse site, and through some direct contacts, so we'll see what comes of that.. I'm sure there's plenty of hungover people who just want some KFC who're going to have the headache extended when they find out their CC info has been popped. -- Nathan Ward On 18/10/2015, at 19:33, Ray Taylor mailto:ray(a)ruralkiwi.com> wrote: It sounds like a good idea - Restaurant brands could have a separate company with a depot in each town where the staff deliver for KFC, Starbucks, Carls Jr and Pizza Hut Ray Taylor Taylor Communications ray(a)ruralkiwi.commailto:ray(a)ruralkiwi.com Napier: 06-929-9082 Waipukurau: 06-928-0549 From: nznog-bounces(a)list.waikato.ac.nzmailto:nznog-bounces(a)list.waikato.ac.nz [mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Nathan Ward Sent: Sunday, 18 October 2015 7:02 p.m. To: nznog Subject: [nznog] kfcdelivery.co.nzhttp://kfcdelivery.co.nz ongoing scam All, You might've seen 'kfcdelivery.cohttp://kfcdelivery.co/.nz' pop up on social media today. It's a scam. If you have the ability to block this website so your users cannot reach it, please do so. If you have stuck your CC details in there, cancel your card. It is hosted through CloudFlare, don't block the IPs, but perhaps you can filter on your DNS or something. I have reached out to the registrar for the domain to get it blocked (discount domains). If anyone has a contact there other than support@ to get it pulled ASAP, please use it - I don't know anyone there. The logic of the site is roughly: <snip> # Validate input and set error if validation fails if(error){ "You must fill in the red fields" }else{ "Our servers are down due to heavy traffic, please try again later" } # send data to servers anyway </snip> -- Nathan Ward _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nzmailto:NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

Dan Wallis

18 Oct 18 Oct

1:39 a.m.

I've contacted the registrar. They killed this yesterday. Le 18 oct. 2015 19:55, "Neil Gardner" a écrit :

...

We've killed the site for spark users.

Cheers N

Sent from my mobile device. Please excuse brevity and any autocorrect issues.

*From:* Nathan Ward *Sent:* 18/10/2015 7:40 pm *To:* Ray Taylor *Cc:* nznog *Subject:* Re: [nznog] kfcdelivery.co.nz ongoing scam

Sure, and they used to do delivery years ago. People want it, which is why this is working so well - I expect there’ll have been several thousand CC numbers go in to this form today.

Police are telling me that KFC have submitted something to the registrar to get the domain pulled, it that could take days for them to get around to that email. Their e-crimes guys aren’t working today apparently so there’s not much they can do to follow up and try nab whoever’s doing this before it gets pulled and they disappear.

I’ve contacted Cloudflare through their abuse site, and through some direct contacts, so we’ll see what comes of that.. I’m sure there’s plenty of hungover people who just want some KFC who’re going to have the headache extended when they find out their CC info has been popped.

-- Nathan Ward

On 18/10/2015, at 19:33, Ray Taylor wrote:

It sounds like a good idea – Restaurant brands could have a separate company with a depot in each town where the staff deliver for KFC, Starbucks, Carls Jr and Pizza Hut

Ray Taylor Taylor Communications ray(a)ruralkiwi.com

Napier: 06-929-9082 Waipukurau: 06-928-0549

*From:* nznog-bounces(a)list.waikato.ac.nz [ mailto:nznog-bounces(a)list.waikato.ac.nz ] *On Behalf Of *Nathan Ward *Sent:* Sunday, 18 October 2015 7:02 p.m. *To:* nznog *Subject:* [nznog] kfcdelivery.co.nz ongoing scam

All,

You might’ve seen ‘kfcdelivery.co.nz’ pop up on social media today. It’s a scam.

If you have the ability to block this website so your users cannot reach it, please do so. If you have stuck your CC details in there, cancel your card.

It is hosted through CloudFlare, don’t block the IPs, but perhaps you can filter on your DNS or something.

I have reached out to the registrar for the domain to get it blocked (discount domains). If anyone has a contact there other than support@ to get it pulled ASAP, please use it - I don’t know anyone there.

The logic of the site is roughly: <snip> # Validate input and set error if validation fails

if(error){ "You must fill in the red fields" }else{ "Our servers are down due to heavy traffic, please try again later" }

# send data to servers anyway </snip>

-- Nathan Ward

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

Mauricio Freitas

2:45 a.m.

Still alive in other networks though but now Chrome warns it's a phishing site. Cheers Mauricio Freitas http://about.me/freitasm ________________________________ From: nznog-bounces(a)list.waikato.ac.nz on behalf of Dan Wallis Sent: Monday, October 19, 2015 08:39 To: nznog(a)list.waikato.ac.nz Subject: Re: [nznog] kfcdelivery.co.nz ongoing scam I've contacted the registrar. They killed this yesterday. Le 18 oct. 2015 19:55, "Neil Gardner" mailto:Neil.Gardner(a)spark.co.nz> a écrit : We've killed the site for spark users. Cheers N Sent from my mobile device. Please excuse brevity and any autocorrect issues. From: Nathan Ward mailto:nznog(a)daork.net> Sent: 18/10/2015 7:40 pm To: Ray Taylor Cc: nznog Subject: Re: [nznog] kfcdelivery.co.nzhttp://kfcdelivery.co.nz ongoing scam Sure, and they used to do delivery years ago. People want it, which is why this is working so well - I expect there'll have been several thousand CC numbers go in to this form today. Police are telling me that KFC have submitted something to the registrar to get the domain pulled, it that could take days for them to get around to that email. Their e-crimes guys aren't working today apparently so there's not much they can do to follow up and try nab whoever's doing this before it gets pulled and they disappear. I've contacted Cloudflare through their abuse site, and through some direct contacts, so we'll see what comes of that.. I'm sure there's plenty of hungover people who just want some KFC who're going to have the headache extended when they find out their CC info has been popped. -- Nathan Ward On 18/10/2015, at 19:33, Ray Taylor mailto:ray(a)ruralkiwi.com> wrote: It sounds like a good idea - Restaurant brands could have a separate company with a depot in each town where the staff deliver for KFC, Starbucks, Carls Jr and Pizza Hut Ray Taylor Taylor Communications ray(a)ruralkiwi.commailto:ray(a)ruralkiwi.com Napier: 06-929-9082tel:06-929-9082 Waipukurau: 06-928-0549tel:06-928-0549 From: nznog-bounces(a)list.waikato.ac.nzmailto:nznog-bounces(a)list.waikato.ac.nz [mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Nathan Ward Sent: Sunday, 18 October 2015 7:02 p.m. To: nznog Subject: [nznog] kfcdelivery.co.nzhttp://kfcdelivery.co.nz ongoing scam All, You might've seen 'kfcdelivery.cohttp://kfcdelivery.co/.nz' pop up on social media today. It's a scam. If you have the ability to block this website so your users cannot reach it, please do so. If you have stuck your CC details in there, cancel your card. It is hosted through CloudFlare, don't block the IPs, but perhaps you can filter on your DNS or something. I have reached out to the registrar for the domain to get it blocked (discount domains). If anyone has a contact there other than support@ to get it pulled ASAP, please use it - I don't know anyone there. The logic of the site is roughly: <snip> # Validate input and set error if validation fails if(error){ "You must fill in the red fields" }else{ "Our servers are down due to heavy traffic, please try again later" } # send data to servers anyway </snip> -- Nathan Ward _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nzmailto:NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nzmailto:NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

David Mitchell

2:48 a.m.

As does Firefox Cheers David From: nznog-bounces(a)list.waikato.ac.nz [mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Mauricio Freitas Sent: Monday, 19 October 2015 9:46 a.m. To: Dan Wallis ; nznog(a)list.waikato.ac.nz Subject: Re: [nznog] kfcdelivery.co.nz ongoing scam Still alive in other networks though but now Chrome warns it's a phishing site. Cheers Mauricio Freitas http://about.me/freitasm ________________________________ From: nznog-bounces(a)list.waikato.ac.nzmailto:nznog-bounces(a)list.waikato.ac.nz mailto:nznog-bounces(a)list.waikato.ac.nz> on behalf of Dan Wallis mailto:mrdanwallis(a)gmail.com> Sent: Monday, October 19, 2015 08:39 To: nznog(a)list.waikato.ac.nzmailto:nznog(a)list.waikato.ac.nz Subject: Re: [nznog] kfcdelivery.co.nz ongoing scam I've contacted the registrar. They killed this yesterday. Le 18 oct. 2015 19:55, "Neil Gardner" mailto:Neil.Gardner(a)spark.co.nz> a écrit : We've killed the site for spark users. Cheers N Sent from my mobile device. Please excuse brevity and any autocorrect issues. From: Nathan Ward mailto:nznog(a)daork.net> Sent: 18/10/2015 7:40 pm To: Ray Taylor Cc: nznog Subject: Re: [nznog] kfcdelivery.co.nzhttp://kfcdelivery.co.nz ongoing scam Sure, and they used to do delivery years ago. People want it, which is why this is working so well - I expect there'll have been several thousand CC numbers go in to this form today. Police are telling me that KFC have submitted something to the registrar to get the domain pulled, it that could take days for them to get around to that email. Their e-crimes guys aren't working today apparently so there's not much they can do to follow up and try nab whoever's doing this before it gets pulled and they disappear. I've contacted Cloudflare through their abuse site, and through some direct contacts, so we'll see what comes of that.. I'm sure there's plenty of hungover people who just want some KFC who're going to have the headache extended when they find out their CC info has been popped. -- Nathan Ward On 18/10/2015, at 19:33, Ray Taylor mailto:ray(a)ruralkiwi.com> wrote: It sounds like a good idea - Restaurant brands could have a separate company with a depot in each town where the staff deliver for KFC, Starbucks, Carls Jr and Pizza Hut Ray Taylor Taylor Communications ray(a)ruralkiwi.commailto:ray(a)ruralkiwi.com Napier: 06-929-9082tel:06-929-9082 Waipukurau: 06-928-0549tel:06-928-0549 From: nznog-bounces(a)list.waikato.ac.nzmailto:nznog-bounces(a)list.waikato.ac.nz [mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Nathan Ward Sent: Sunday, 18 October 2015 7:02 p.m. To: nznog Subject: [nznog] kfcdelivery.co.nzhttp://kfcdelivery.co.nz ongoing scam All, You might've seen 'kfcdelivery.cohttp://kfcdelivery.co/.nz' pop up on social media today. It's a scam. If you have the ability to block this website so your users cannot reach it, please do so. If you have stuck your CC details in there, cancel your card. It is hosted through CloudFlare, don't block the IPs, but perhaps you can filter on your DNS or something. I have reached out to the registrar for the domain to get it blocked (discount domains). If anyone has a contact there other than support@ to get it pulled ASAP, please use it - I don't know anyone there. The logic of the site is roughly: <snip> # Validate input and set error if validation fails if(error){ "You must fill in the red fields" }else{ "Our servers are down due to heavy traffic, please try again later" } # send data to servers anyway </snip> -- Nathan Ward _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nzmailto:NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nzmailto:NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

Nathan Ward

3:24 a.m.

The warning is from Cloudflare, none of the browsers I have generate a warning themselves - but if cloudflare have it that’s good enough :-) -- Nathan Ward

...

On 19/10/2015, at 09:48, David Mitchell wrote:

As does Firefox

Cheers

David

From: nznog-bounces(a)list.waikato.ac.nz [mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Mauricio Freitas Sent: Monday, 19 October 2015 9:46 a.m. To: Dan Wallis ; nznog(a)list.waikato.ac.nz Subject: Re: [nznog] kfcdelivery.co.nz ongoing scam

Still alive in other networks though but now Chrome warns it's a phishing site.

Cheers

Mauricio Freitas http://about.me/freitasm http://about.me/freitasm

From: nznog-bounces(a)list.waikato.ac.nz mailto:nznog-bounces(a)list.waikato.ac.nz mailto:nznog-bounces(a)list.waikato.ac.nz> on behalf of Dan Wallis mailto:mrdanwallis(a)gmail.com> Sent: Monday, October 19, 2015 08:39 To: nznog(a)list.waikato.ac.nz mailto:nznog(a)list.waikato.ac.nz Subject: Re: [nznog] kfcdelivery.co.nz ongoing scam

I've contacted the registrar. They killed this yesterday. Le 18 oct. 2015 19:55, "Neil Gardner" mailto:Neil.Gardner(a)spark.co.nz> a écrit : We've killed the site for spark users.

Cheers N

Sent from my mobile device. Please excuse brevity and any autocorrect issues.

From: Nathan Ward mailto:nznog(a)daork.net> Sent: 18/10/2015 7:40 pm To: Ray Taylor Cc: nznog Subject: Re: [nznog] kfcdelivery.co.nz http://kfcdelivery.co.nz/ ongoing scam

Sure, and they used to do delivery years ago. People want it, which is why this is working so well - I expect there’ll have been several thousand CC numbers go in to this form today.

Police are telling me that KFC have submitted something to the registrar to get the domain pulled, it that could take days for them to get around to that email. Their e-crimes guys aren’t working today apparently so there’s not much they can do to follow up and try nab whoever’s doing this before it gets pulled and they disappear.

I’ve contacted Cloudflare through their abuse site, and through some direct contacts, so we’ll see what comes of that.. I’m sure there’s plenty of hungover people who just want some KFC who’re going to have the headache extended when they find out their CC info has been popped.

-- Nathan Ward

On 18/10/2015, at 19:33, Ray Taylor mailto:ray(a)ruralkiwi.com> wrote:

It sounds like a good idea – Restaurant brands could have a separate company with a depot in each town where the staff deliver for KFC, Starbucks, Carls Jr and Pizza Hut

Ray Taylor Taylor Communications ray(a)ruralkiwi.com mailto:ray(a)ruralkiwi.com

Napier: 06-929-9082 tel:06-929-9082 Waipukurau: 06-928-0549 tel:06-928-0549

From: nznog-bounces(a)list.waikato.ac.nz mailto:nznog-bounces(a)list.waikato.ac.nz [mailto:nznog-bounces(a)list.waikato.ac.nz mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Nathan Ward Sent: Sunday, 18 October 2015 7:02 p.m. To: nznog Subject: [nznog] kfcdelivery.co.nz http://kfcdelivery.co.nz/ ongoing scam

All,

You might’ve seen ‘kfcdelivery.co http://kfcdelivery.co/.nz’ pop up on social media today. It’s a scam.

If you have the ability to block this website so your users cannot reach it, please do so. If you have stuck your CC details in there, cancel your card.

It is hosted through CloudFlare, don’t block the IPs, but perhaps you can filter on your DNS or something.

I have reached out to the registrar for the domain to get it blocked (discount domains). If anyone has a contact there other than support@ to get it pulled ASAP, please use it - I don’t know anyone there.

The logic of the site is roughly: <snip> # Validate input and set error if validation fails

if(error){ "You must fill in the red fields" }else{ "Our servers are down due to heavy traffic, please try again later" }

# send data to servers anyway </snip>

-- Nathan Ward

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz mailto:NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog http://list.waikato.ac.nz/mailman/listinfo/nznog

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz mailto:NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog http://list.waikato.ac.nz/mailman/listinfo/nznog_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

Nathan Ward

4:18 p.m.

New subject: kfcdelivery.co.nz ongoing scam - UPDATE - now under orderkfc.co.nz

Hi all This is back again, this time under “orderkfc.co.nz”. Same deal as last time.. though, anyone know anyone with Crazy Domains? In my experience they’ve been even harder to reach than registrars normally are. -- Nathan Ward

...

On 18/10/2015, at 19:01, Nathan Ward wrote:

All,

You might’ve seen ‘kfcdelivery.co http://kfcdelivery.co/.nz’ pop up on social media today. It’s a scam.

If you have the ability to block this website so your users cannot reach it, please do so. If you have stuck your CC details in there, cancel your card.

It is hosted through CloudFlare, don’t block the IPs, but perhaps you can filter on your DNS or something.

I have reached out to the registrar for the domain to get it blocked (discount domains). If anyone has a contact there other than support@ to get it pulled ASAP, please use it - I don’t know anyone there.

The logic of the site is roughly: <snip> # Validate input and set error if validation fails

if(error){ "You must fill in the red fields" }else{ "Our servers are down due to heavy traffic, please try again later" }

# send data to servers anyway </snip>

-- Nathan Ward

David Morrison

4:43 p.m.

New subject: kfcdelivery.co.nz ongoing scam - UPDATE - now under orderkfc.co.nz

Hi Nathan, We (NZRS) have reached out to contacts at Crazy Domains and pointed them to this list and the raised issue. Kind regards David David Morrison Chief Marketing Officer NZRS Ltd P +64 49316973 M +64 274366182 F +64 49316979 E david(a)nzrs.net.nz W www.nzrs.net.nz S david.morrisonnz T @dotnz PGP 7A38 2F84 C7DF 8FF2 34F8 B4F2 BC54 10AE 2501 6600

...

On 19/10/2015, at 11:18 pm, Nathan Ward wrote:

Hi all

This is back again, this time under “orderkfc.co.nz http://orderkfc.co.nz/”.

Same deal as last time.. though, anyone know anyone with Crazy Domains? In my experience they’ve been even harder to reach than registrars normally are.

-- Nathan Ward

...
On 18/10/2015, at 19:01, Nathan Ward mailto:nznog(a)daork.net> wrote:

All,

You might’ve seen ‘kfcdelivery.co http://kfcdelivery.co/.nz’ pop up on social media today. It’s a scam.

If you have the ability to block this website so your users cannot reach it, please do so. If you have stuck your CC details in there, cancel your card.

It is hosted through CloudFlare, don’t block the IPs, but perhaps you can filter on your DNS or something.

I have reached out to the registrar for the domain to get it blocked (discount domains). If anyone has a contact there other than support@ to get it pulled ASAP, please use it - I don’t know anyone there.

The logic of the site is roughly: <snip> # Validate input and set error if validation fails

if(error){ "You must fill in the red fields" }else{ "Our servers are down due to heavy traffic, please try again later" }

# send data to servers anyway </snip>

-- Nathan Ward

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

Nathan Ward

5:55 p.m.

New subject: kfcdelivery.co.nz ongoing scam - UPDATE - now under orderkfc.co.nz

Hi, Yeah I managed to get through to Crazy Domains support which surprised me, and they have flagged it to their operations folks as well. It looks like they have yet to take action, over an hour later - the whois still shows the CloudFlare NSes. Unfortunately, even when this is pulled, this will stay in the DNS for up to 24 hours if it’s already in your cache. Once it’s removed (perhaps someone can notify here, I’ll do that if I get told that it’s happened before I see info here) I encourage people to flush their recursive DNS caches if possible, and add dummy zones for these things if not. You want to configure your servers to return bad data. Returning REFUSED won’t work in all cases, because hosts fail over to other DNS servers that are configured - I tested this by configuring my server, and 8.8.8.8 as DNS servers on my local machine. Then again, you might find that the number of people who have additional name servers configured that are not on your network is pretty small. Perhaps 127.0.0.1 isn’t best, I’m not sure. Anyway, config for those who want it: Unbound (tested on 1.5.1): local-zone: “orderkfc.co.nz.” static local-data: “www.orderkfc.co.nz. 300 IN A 127.0.0.1” local-data: “orderkfc.co.nz. 300 IN A 127.0.0.1” Bind (tested on 9.8.something): named.conf: zone “orderkfc.co.nz." IN { type master; file “block”; }; Bind zone file ‘block’: @ IN SOA ns1 hostmaster ( 1 7200 120 86400 360 ) IN NS ns1 IN A 127.0.0.1 www IN A 127.0.0.1 -- Nathan Ward

...

On 19/10/2015, at 23:43, David Morrison wrote:

Hi Nathan,

We (NZRS) have reached out to contacts at Crazy Domains and pointed them to this list and the raised issue.

Kind regards

David

David Morrison Chief Marketing Officer NZRS Ltd

P +64 49316973 M +64 274366182 F +64 49316979 E david(a)nzrs.net.nz mailto:david(a)nzrs.net.nz W www.nzrs.net.nz http://www.nzrs.net.nz/ S david.morrisonnz T @dotnz

PGP 7A38 2F84 C7DF 8FF2 34F8 B4F2 BC54 10AE 2501 6600

...
On 19/10/2015, at 11:18 pm, Nathan Ward mailto:nznog(a)daork.net> wrote:

Hi all

This is back again, this time under “orderkfc.co.nz http://orderkfc.co.nz/”.

Same deal as last time.. though, anyone know anyone with Crazy Domains? In my experience they’ve been even harder to reach than registrars normally are.

-- Nathan Ward

...
On 18/10/2015, at 19:01, Nathan Ward mailto:nznog(a)daork.net> wrote:

All,

You might’ve seen ‘kfcdelivery.co http://kfcdelivery.co/.nz’ pop up on social media today. It’s a scam.

If you have the ability to block this website so your users cannot reach it, please do so. If you have stuck your CC details in there, cancel your card.

It is hosted through CloudFlare, don’t block the IPs, but perhaps you can filter on your DNS or something.

I have reached out to the registrar for the domain to get it blocked (discount domains). If anyone has a contact there other than support@ to get it pulled ASAP, please use it - I don’t know anyone there.

The logic of the site is roughly: <snip> # Validate input and set error if validation fails

if(error){ "You must fill in the red fields" }else{ "Our servers are down due to heavy traffic, please try again later" }

# send data to servers anyway </snip>

-- Nathan Ward

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz mailto:NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

David Morrison

6:15 p.m.

New subject: kfcdelivery.co.nz ongoing scam - UPDATE - now under orderkfc.co.nz

I have just had confirmation that Crazy Domains are changing Name Servers and suspending account now. Regards David Sent from my iPhone

...

On 19/10/2015, at 12:55 PM, Nathan Ward wrote:

Hi,

Yeah I managed to get through to Crazy Domains support which surprised me, and they have flagged it to their operations folks as well. It looks like they have yet to take action, over an hour later - the whois still shows the CloudFlare NSes.

Unfortunately, even when this is pulled, this will stay in the DNS for up to 24 hours if it’s already in your cache. Once it’s removed (perhaps someone can notify here, I’ll do that if I get told that it’s happened before I see info here) I encourage people to flush their recursive DNS caches if possible, and add dummy zones for these things if not.

You want to configure your servers to return bad data. Returning REFUSED won’t work in all cases, because hosts fail over to other DNS servers that are configured - I tested this by configuring my server, and 8.8.8.8 as DNS servers on my local machine. Then again, you might find that the number of people who have additional name servers configured that are not on your network is pretty small.

Perhaps 127.0.0.1 isn’t best, I’m not sure. Anyway, config for those who want it:

Unbound (tested on 1.5.1): local-zone: “orderkfc.co.nz.” static local-data: “www.orderkfc.co.nz. 300 IN A 127.0.0.1” local-data: “orderkfc.co.nz. 300 IN A 127.0.0.1”

Bind (tested on 9.8.something): named.conf: zone “orderkfc.co.nz." IN { type master; file “block”; };

Bind zone file ‘block’: @ IN SOA ns1 hostmaster ( 1 7200 120 86400 360 ) IN NS ns1 IN A 127.0.0.1 www IN A 127.0.0.1

-- Nathan Ward

...
On 19/10/2015, at 23:43, David Morrison wrote:

Hi Nathan,

We (NZRS) have reached out to contacts at Crazy Domains and pointed them to this list and the raised issue.

Kind regards

David

David Morrison Chief Marketing Officer NZRS Ltd

P +64 49316973 M +64 274366182 F +64 49316979 E david(a)nzrs.net.nz W www.nzrs.net.nz S david.morrisonnz T @dotnz

PGP 7A38 2F84 C7DF 8FF2 34F8 B4F2 BC54 10AE 2501 6600

...
On 19/10/2015, at 11:18 pm, Nathan Ward wrote:

Hi all

This is back again, this time under “orderkfc.co.nz”.

Same deal as last time.. though, anyone know anyone with Crazy Domains? In my experience they’ve been even harder to reach than registrars normally are.

-- Nathan Ward

...
On 18/10/2015, at 19:01, Nathan Ward wrote:

All,

You might’ve seen ‘kfcdelivery.co.nz’ pop up on social media today. It’s a scam.

If you have the ability to block this website so your users cannot reach it, please do so. If you have stuck your CC details in there, cancel your card.

It is hosted through CloudFlare, don’t block the IPs, but perhaps you can filter on your DNS or something.

I have reached out to the registrar for the domain to get it blocked (discount domains). If anyone has a contact there other than support@ to get it pulled ASAP, please use it - I don’t know anyone there.

The logic of the site is roughly: <snip> # Validate input and set error if validation fails

if(error){ "You must fill in the red fields" }else{ "Our servers are down due to heavy traffic, please try again later" }

# send data to servers anyway </snip>

-- Nathan Ward

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

Nathan Ward

6:30 p.m.

New subject: kfcdelivery.co.nz ongoing scam - UPDATE - now under orderkfc.co.nz

This has been updated as of about 2 minutes ago. Time to flush caches if you can :-) -- Nathan Ward

...

On 20/10/2015, at 01:15, David Morrison wrote:

I have just had confirmation that Crazy Domains are changing Name Servers and suspending account now.

Regards David

Sent from my iPhone

On 19/10/2015, at 12:55 PM, Nathan Ward mailto:nznog(a)daork.net> wrote:

...
Hi,

Yeah I managed to get through to Crazy Domains support which surprised me, and they have flagged it to their operations folks as well. It looks like they have yet to take action, over an hour later - the whois still shows the CloudFlare NSes.

Unfortunately, even when this is pulled, this will stay in the DNS for up to 24 hours if it’s already in your cache. Once it’s removed (perhaps someone can notify here, I’ll do that if I get told that it’s happened before I see info here) I encourage people to flush their recursive DNS caches if possible, and add dummy zones for these things if not.

You want to configure your servers to return bad data. Returning REFUSED won’t work in all cases, because hosts fail over to other DNS servers that are configured - I tested this by configuring my server, and 8.8.8.8 as DNS servers on my local machine. Then again, you might find that the number of people who have additional name servers configured that are not on your network is pretty small.

Perhaps 127.0.0.1 isn’t best, I’m not sure. Anyway, config for those who want it:

Unbound (tested on 1.5.1): local-zone: “orderkfc.co.nz http://orderkfc.co.nz/.” static local-data: “www.orderkfc.co.nz http://www.orderkfc.co.nz/. 300 IN A 127.0.0.1” local-data: “orderkfc.co.nz http://orderkfc.co.nz/. 300 IN A 127.0.0.1”

Bind (tested on 9.8.something): named.conf: zone “orderkfc.co.nz http://orderkfc.co.nz/." IN { type master; file “block”; };

Bind zone file ‘block’: @ IN SOA ns1 hostmaster ( 1 7200 120 86400 360 ) IN NS ns1 IN A 127.0.0.1 www IN A 127.0.0.1

-- Nathan Ward

...
On 19/10/2015, at 23:43, David Morrison mailto:david(a)nzrs.net.nz> wrote:

Hi Nathan,

We (NZRS) have reached out to contacts at Crazy Domains and pointed them to this list and the raised issue.

Kind regards

David

David Morrison Chief Marketing Officer NZRS Ltd

P +64 49316973 M +64 274366182 F +64 49316979 E david(a)nzrs.net.nz mailto:david(a)nzrs.net.nz W www.nzrs.net.nz http://www.nzrs.net.nz/ S david.morrisonnz T @dotnz

PGP 7A38 2F84 C7DF 8FF2 34F8 B4F2 BC54 10AE 2501 6600

...
On 19/10/2015, at 11:18 pm, Nathan Ward mailto:nznog(a)daork.net> wrote:

Hi all

This is back again, this time under “orderkfc.co.nz http://orderkfc.co.nz/”.

Same deal as last time.. though, anyone know anyone with Crazy Domains? In my experience they’ve been even harder to reach than registrars normally are.

-- Nathan Ward

...
On 18/10/2015, at 19:01, Nathan Ward mailto:nznog(a)daork.net> wrote:

All,

You might’ve seen ‘kfcdelivery.co http://kfcdelivery.co/.nz’ pop up on social media today. It’s a scam.

If you have the ability to block this website so your users cannot reach it, please do so. If you have stuck your CC details in there, cancel your card.

It is hosted through CloudFlare, don’t block the IPs, but perhaps you can filter on your DNS or something.

I have reached out to the registrar for the domain to get it blocked (discount domains). If anyone has a contact there other than support@ to get it pulled ASAP, please use it - I don’t know anyone there.

The logic of the site is roughly: <snip> # Validate input and set error if validation fails

if(error){ "You must fill in the red fields" }else{ "Our servers are down due to heavy traffic, please try again later" }

# send data to servers anyway </snip>

-- Nathan Ward

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz mailto:NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog http://list.waikato.ac.nz/mailman/listinfo/nznog

Dean Pemberton

19 Oct 19 Oct

5:33 a.m.

Hi All, Wearing my NZITF hat here. We're tracking and co-ordinating a response with a number of parties to this. In short, we're on it. This post isn't to shut people up, but to reassure people that there is an org handling this (seeing as we don't have a CSIRT yet. Watch this space) If you have any more information on this or other similar things then feel free to email info(a)nzitf.org.nz and rest assured that someone with clue will look at it and make sure that something gets done. Regards, Dean Pemberton NZITF Board Member. On Sun, Oct 18, 2015 at 7:01 PM, Nathan Ward wrote:

...

All,

You might’ve seen ‘kfcdelivery.co.nz’ pop up on social media today. It’s a scam.

If you have the ability to block this website so your users cannot reach it, please do so. If you have stuck your CC details in there, cancel your card.

It is hosted through CloudFlare, don’t block the IPs, but perhaps you can filter on your DNS or something.

I have reached out to the registrar for the domain to get it blocked (discount domains). If anyone has a contact there other than support@ to get it pulled ASAP, please use it - I don’t know anyone there.

The logic of the site is roughly: <snip> # Validate input and set error if validation fails

if(error){ "You must fill in the red fields" }else{ "Our servers are down due to heavy traffic, please try again later" }

# send data to servers anyway </snip>

-- Nathan Ward

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

3352

Age (days ago)

3354

Last active (days ago)

List overview

Download

13 comments

8 participants

participants (8)

Dan Wallis
David Mitchell
David Morrison
Dean Pemberton
Mauricio Freitas
Nathan Ward
Neil Gardner
Ray Taylor