- Microsoft warns of a new phishing campaign impersonating Booking.com
- It is targeting businesses in the hospitality industry
- The goal is to deploy infostealers and trojans
Hotels, resorts, and other businesses in the hospitality industry, are being targeted with a sophisticated ClickFix phishing campaign that impersonates Booking.com.
A new report from Microsoft Threat Intelligence claims that the phishing campaign is “rapidly evolving,” and targeting businesses worldwide.
The goal of the campaign is to steal people’s payment and personal data, which could lead to wire fraud, and reputational harm for victim organizations.
Storm-1865
First, the attackers create a Booking.com-themed notification email, discussing things like guest reviews, or account verifications. Businesses that don’t spot the scam are then redirected to a fake CAPTCHA puzzle, and if they solve it, are prompted with an error message. That fake error message also comes with a solution, which includes copying a command, and pasting/running it in the Run program.
Instead of fixing the problem, running the program downloads one of multiple malware strains being used in this campaign: XWorm, Lumma Stealer, or VenomRAT. These are different types of malware with different features.
While VenomRAT, for example, is a remote access trojan that grants attackers unabated access to victim devices, Lumma is an infostealer that grabs login credentials and other secrets stored in the web browser, and elsewhere on the device.
Microsoft attributed the campaign to a threat actor it tracks as Storm-1865, a group with no previous record. The campaign apparently started in December 2024, and there is no information on how many companies - if any - fell prey to it.
ClickFix fraud has gotten more popular lately, and TechRadar Pro has reported on it on numerous occasions this year already. It is an evolution of the old “IT technician” scam, in which a victim is served a popup impersonating a reputable company saying their computer is broken/infected.
The popup shares a phone number that the victim can call, to talk to an IT technician and sort the problem out. The “technician” ends up installing malware.
While phone scams are still very much alive, the ClickFix campaign focuses mostly on the victim doing most of the work, installing the malware through a less-obvious process (pasting a command in Run).
Edit, March 17 - After the news was published, Booking.com reached out to confirm that its systems were not breached, and to say that only a tiny fraction of its users were affected:
"The actual numbers of accommodations affected by this scam are a small fraction of those on our platform and we continue to make significant investments to limit the impact on our customers and partners. We are also committed to proactively helping our accommodation partners and customers to stay protected. A lot of this is via education, informing our partners of the types of scams we are seeing while arming our customers with practical advice that they can apply as they search for and manage their holiday bookings," the company said.
"Should a customer have any concern about a payment message, we ask them to carefully check the payment policy details on their booking confirmation to be sure that the message is legitimate. Customers are also encouraged to report any suspicious messages to our 24/7 customer service team or by clicking on ‘report an issue’ which is included in the chat function. It is important to note that we would never ask a customer to share payment information via email, chat messages, text messages or phone."
You might also like
- Microsoft SharePoint hijacked to spread Havoc malware
- We've rounded up the best password managers
- Take a look at our guide to the best authenticator app
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.