Fast food retailer’s warning after crooks ask for users’ details, including credit cards, on fake website.

Starving but feeling a bit lazy or short of time? Here's a tip: be very careful when ordering food online.

There's a persistent scam going around targeting those of us who like KFC. It's making the rounds via Facebook posts and can be expected to carry on for a while yet.

Like many social engineering scams, this one's dead simple: the crooks ask for users' details, including credit cards, on a website before they get to order the food.

Then they pretend a technical error occurred. While the hungry customer wonders what happened, and maybe even tries ordering again, the user's information is sent to a "carding forum" somewhere in the world - in this case most likely a Southeast Asian country.


There are lots of red flags on the scam site. No SSL/TLS (HTTPS) padlock, an impossible-to-fulfil 15-minute delivery promise, asking for credit card details upfront while obscuring the food, and the rogues ripped off the code from a proper KFC delivery in the Philippines and didn't even change the prices in pesos to New Zealand dollars. Plus KFC doesn't do deliveries in New Zealand.

Nevertheless, I'm told plenty of people have fallen for the scam and possibly had unauthorised charges made against their credit cards.

"If you have tried to order food via the KFC delivery scam site, contact your bank immediately."

The tech community has been very good in dealing with this: one domain,, was blocked by internet providers quickly, and the domain name registrar yanked it fast too. A second domain didn't last long either.

KFC New Zealand stepped in and warned customers on Facebook. "We are not affiliated with this service and it is a scam. We are working on shutting this down," it posted on its Facebook Page. I'm told the New Zealand Internet Task Force is investigating it and similar ones. That's probably all that they can and should do, along with warning people to take care and check, check and check again before handing over credit card details.

There will be many more of these scams because the cost of devising them is low and it's fast work too, with a few quick keystrokes to copy and paste the code. Just how easy it's done is clear from the fact that domain appeared just a few hours after the site disappeared off the internet.

I'd be surprised if it takes more than one single stolen credit card to recoup the costs of setting up the scam, and the thieves are likely to snag hundreds of payment details before the sites are sunk.

I went through the site code with some techie friends trying to work out who was behind the scam but while we found a few indications as to where it might originate, there was nothing concrete pointing to the thieves' identities.


One complicating factor is that the scammers use CloudFlare, which is a great service to protect systems from denial of service and other internet-borne attacks.

However, because CloudFlare uses a technique called reverse proxying and inserts its own robust and high-capacity network between the server from where the traffic originates and the people connecting to it, you can't easily tell where the scammers' machine is.

When you try to trace where the scammer's server is, you end up at CloudFlare's network and no further. CloudFlare's reverse proxy forwards your traffic to the scammers' server, and responds from there to you. It just looks like you're talking directly to the scammers' box, with that extra hop.

Credit to CloudFlare too for quickly flagging the delivery scam sites with a pop-up message to stop users from getting ripped off, but good as the service is, CloudFlare might want to think about having stricter controls over who can use it.

Let's hope the scammers didn't pay CloudFlare with a stolen credit card.