- Microsoft warns of a new phishing campaign impersonating Booking.com
- It is targeting businesses in the hospitality industry
- The goal is to deploy infostealers and trojans
Hotels, resorts, and other businesses in the hospitality industry, are being targeted with a sophisticated ClickFix phishing campaign that impersonates Booking.com.
A new report from Microsoft Threat Intelligence claims that the phishing campaign is “rapidly evolving,” and targeting businesses worldwide.
The goal of the campaign is to steal people’s payment and personal data, which could lead to wire fraud, and reputational harm for victim organizations.
Storm-1865
First, the attackers create a Booking.com-themed notification email, discussing things like guest reviews, or account verifications. Businesses that don’t spot the scam are then redirected to a fake CAPTCHA puzzle, and if they solve it, are prompted with an error message. That fake error message also comes with a solution, which includes copying a command, and pasting/running it in the Run program.
Instead of fixing the problem, running the program downloads one of multiple malware strains being used in this campaign: XWorm, Lumma Stealer, or VenomRAT. These are different types of malware with different features.
While VenomRAT, for example, is a remote access trojan that grants attackers unabated access to victim devices, Lumma is an infostealer that grabs login credentials and other secrets stored in the web browser, and elsewhere on the device.
Microsoft attributed the campaign to a threat actor it tracks as Storm-1865, a group with no previous record. The campaign apparently started in December 2024, and there is no information on how many companies – if any – fell prey to it.
ClickFix fraud has gotten more popular lately, and TechRadar Pro has reported on it on numerous occasions this year already. It is an evolution of the old “IT technician” scam, in which a victim is served a popup impersonating a reputable company saying their computer is broken/infected.
The popup shares a phone number that the victim can call, to talk to an IT technician and sort the problem out. The “technician” ends up installing malware.
While phone scams are still very much alive, the ClickFix campaign focuses mostly on the victim doing most of the work, installing the malware through a less-obvious process (pasting a command in Run).
Leave a comment