Microsoft warns about a new phishing campaign impersonating Booking.com

News
By published

A ClickFix phishing campaign tricks people into downloading RATs and infostealers.

Image depicting hands typing on a keyboard, with phishing hooks holding files, passwords and credit cards.
(Image credit: Shutterstock / janews)
  • Microsoft warns of a new phishing campaign impersonating Booking.com
  • It is targeting businesses in the hospitality industry
  • The goal is to deploy infostealers and trojans

Hotels, resorts, and other businesses in the hospitality industry, are being targeted with a sophisticated ClickFix phishing campaign that impersonates Booking.com.

A new report from Microsoft Threat Intelligence claims that the phishing campaign is “rapidly evolving,” and targeting businesses worldwide.

The goal of the campaign is to steal people’s payment and personal data, which could lead to wire fraud, and reputational harm for victim organizations.

Storm-1865

First, the attackers create a Booking.com-themed notification email, discussing things like guest reviews, or account verifications. Businesses that don’t spot the scam are then redirected to a fake CAPTCHA puzzle, and if they solve it, are prompted with an error message. That fake error message also comes with a solution, which includes copying a command, and pasting/running it in the Run program.

Instead of fixing the problem, running the program downloads one of multiple malware strains being used in this campaign: XWorm, Lumma Stealer, or VenomRAT. These are different types of malware with different features.

While VenomRAT, for example, is a remote access trojan that grants attackers unabated access to victim devices, Lumma is an infostealer that grabs login credentials and other secrets stored in the web browser, and elsewhere on the device.

Microsoft attributed the campaign to a threat actor it tracks as Storm-1865, a group with no previous record. The campaign apparently started in December 2024, and there is no information on how many companies - if any - fell prey to it.

ClickFix fraud has gotten more popular lately, and TechRadar Pro has reported on it on numerous occasions this year already. It is an evolution of the old “IT technician” scam, in which a victim is served a popup impersonating a reputable company saying their computer is broken/infected.

The popup shares a phone number that the victim can call, to talk to an IT technician and sort the problem out. The “technician” ends up installing malware.

While phone scams are still very much alive, the ClickFix campaign focuses mostly on the victim doing most of the work, installing the malware through a less-obvious process (pasting a command in Run).

You might also like

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

Read more
A pair of hands using a keyboard
Microsoft SharePoint hijacked to spread Havoc malware
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
Microsoft authentication system spoofed via phishing attack
Hook on Keyboard
Fake DocuSign and HubSpot phishing emails target 20,000 Microsoft Azure accounts
Someone checking their credit card details online.
Hackers use CAPTCHA scam in PDF files on Webflow CDN to get past security systems
Hacker Typing
This devious two-step phishing campaign uses Microsoft tools to bypass email security
linkedin
Watch out - that LinkedIn email could be a fake, laden with malware
Latest in Security
Image depicting hands typing on a keyboard, with phishing hooks holding files, passwords and credit cards.
Microsoft warns about a new phishing campaign impersonating Booking.com
Data leak
Hacked Tata Technologies data leaked by ransomware gang
A close-up photo of an iPhone, with the App Store icon prominent in the center of the image.
Thousands of iOS apps found to expose user data and leak Stripe keys
China
Chinese hackers targeting Juniper Networks routers, so patch now
Google Chrome dark mode
Google updates Chrome extension rules to ban affiliate link injection without user action or benefit
Abstract image of robots working in an office environment including creating blueprint of robot arm, making a phone call, and typing on a keyboard
This worrying botnet targets unsecure TP-Link routers - thousands of devices already hacked
Latest in News
UK Prime Minister Sir Kier Starmer
UK PM says AI should soon replace civil servants
Xbox Copilot in Minecraft
Microsoft confirms Copilot can be tested by Xbox Insiders next month and shares new details about how the AI sidekick will enhance the player experience: 'It has to be about gameplay, it has to be personalized to you'
Eight Samsung TVs mounted to the wall showing different basketball games
Samsung is offering you 8 new TVs in one bundle for March Madness, in case you want to watch all games at once like a Bond villain’s lair
Image depicting hands typing on a keyboard, with phishing hooks holding files, passwords and credit cards.
Microsoft warns about a new phishing campaign impersonating Booking.com
The Steam Logo on a mobile phone in front of a wall of games.
Today’s Steam Spring Sale features my absolute favorite game of all time - here's when the sale starts and all the key info
Apple iPhone 16 Pro Max REVIEW
The latest iPhone 17 Pro Max leak may have given us another look at its upcoming redesign
More about security
A close-up photo of an iPhone, with the App Store icon prominent in the center of the image.

Thousands of iOS apps found to expose user data and leak Stripe keys
Data leak

Hacked Tata Technologies data leaked by ransomware gang
Xbox Copilot in Minecraft

Microsoft confirms Copilot can be tested by Xbox Insiders next month and shares new details about how the AI sidekick will enhance the player experience: 'It has to be about gameplay, it has to be personalized to you'
See more latest
Most Popular
Xbox Copilot in Minecraft
Microsoft confirms Copilot can be tested by Xbox Insiders next month and shares new details about how the AI sidekick will enhance the player experience: 'It has to be about gameplay, it has to be personalized to you'
Dune Awakening screenshot showing the exploration of The O'odham
Latest Dune Awakening trailer provides a deeper look at open-world exploration on the planet Arrakis
close-up of soundbar mesh with Sonos branding
Sonos reportedly cancels its streaming video player, but I hope it resurrects one part of it, because it could be huge
A close-up photo of an iPhone, with the App Store icon prominent in the center of the image.
Thousands of iOS apps found to expose user data and leak Stripe keys
Emily takes a selfie in front of her apartment window in Rome in Emily in Paris
Emily in Paris season 5: everything we know so far about the hit Netflix show’s return
Eight Samsung TVs mounted to the wall showing different basketball games
Samsung is offering you 8 new TVs in one bundle for March Madness, in case you want to watch all games at once like a Bond villain’s lair
UK Prime Minister Sir Kier Starmer
UK PM says AI should soon replace civil servants
Best Google Chromecast Apps
Following recent problems, Chromecasts are getting a free update to Android 14 – here's what that means
The Steam Logo on a mobile phone in front of a wall of games.
Today’s Steam Spring Sale features my absolute favorite game of all time - here's when the sale starts and all the key info
Half-Life running on a smartwatch
This Redditor installed a game engine on their smartwatch, and now it runs Doom, Quake, and Half-Life