Fake Zajil Express page in Arabic detected

Posted byAnti-phishing Leave a comment on Fake Zajil Express page in Arabic detected

These two screenshots show a phishing campaign targeting Arabic‑speaking users, likely in Saudi Arabia (based on the country code, phone number format, and references). The scam impersonates a delivery or courier service (“zaiji-express”) and uses a fake delivery confirmation process to harvest personal information and full card details.

Threat Analysis: Delivery Service Phishing – Recipient Information & Card Data Harvesting

Step 1 – Personal Information Page (First Screenshot)
The victim is asked to “confirm recipient information” by providing:

  • First name and surname
  • Email address
  • Address

Step 2 – Card & Identity Details Page (Second Screenshot)
The victim is then asked for:

  • Postal code
  • Phone number
  • National ID or identity card number
  • Full card number
  • Expiration date (month/year)
  • CVV

A “Confirm” button submits the data.

The goal:
The attacker collects:

  • Personal information (name, address, email, phone) for identity theft
  • National ID number (a critical piece of identity in Saudi Arabia)
  • Full credit/debit card details (number, expiry, CVV) for fraudulent transactions

Red flags to watch for:

  • Suspicious URL: The pages are hosted on a domain that is not the official courier’s website. Legitimate delivery services use their own official domains.
  • Request for national ID and full card details together: No legitimate delivery service needs your national ID and card CVV to complete a delivery.
  • Fake company branding: The footer shows “zaiji-express” with a Saudi address and contact details. These may be fabricated or copied.
  • Unsolicited request: Delivery services do not send links asking for this level of personal and financial information.
  • No tracking number or package details: The victim is not given a way to verify the supposed shipment.

What to do if you encounter this:

  • Do not enter any personal information, national ID, or card details.
  • If you are expecting a delivery, track it directly on the official courier website using your tracking number.
  • If you have already entered card details, contact your bank immediately to block the card.
  • Report the phishing page to the legitimate courier being impersonated and to the relevant authorities.

Protective measures:

  • Never click links in unsolicited delivery messages. Always go directly to the official courier website.
  • Never provide your national ID or card CVV in response to a delivery notification.
  • Check the URL carefully: Look for misspellings, extra words, or unusual top‑level domains.
  • Enable two‑factor authentication on your bank account and email.

Leave a comment

Your email address will not be published. Required fields are marked *