MICROSOFT RECENTLY WARNED of a phishing campaign targeting the hospitality sector, where attackers impersonate Booking.com and use the ClickFix social engineering technique to deliver credential-stealing malware. The tech giant tracks the threat actor, Storm-1865, which has targeted hospitality organizations across North America, Europe, Oceania, and South and Southeast Asia in an ongoing campaign.
The hackers deploy info-stealing malware for financial fraud and theft through fake emails impersonating the agency, Microsoft said in a blog post.
“Starting in December, leading up to some of the busiest travel days, Microsoft Threat Intelligence identified a phishing campaign that impersonates online travel agency Booking.com and targets organizations in the hospitality industry,” Microsoft said. “The campaign uses ClickFix to deliver multiple credential-stealing malware strains to facilitate financial fraud and theft. As of February, the campaign is ongoing.”
Microsoft said the attack specifically targets individuals in hospitality organizations in North America, Oceania, South and Southeast Asia, and Europe who are likely to work with Booking.com.
“The phishing emails claim to be from Booking.com and reference negative reviews, account verification, promotions, or guest requests,” the blog post stated. “They include links or PDFs leading to fake Booking.com sites that use ClickFix to trick users into downloading malware. ClickFix displays an error or verification prompt, instructing users to copy an unseen string, paste it into a Windows terminal, and execute it.”
“Unfortunately, phishing attacks by criminal organizations pose a significant threat to many industries,” Booking.com said, according to SecurityWeek. “While Booking.com’s systems have not been breached, we are aware that some accommodation partners and customers have been impacted by phishing attacks from professional criminals attempting to take over their local computer systems with malware.”
Microsoft noted that Storm-1865 has been active since 2023, targeting hotel guests and e-commerce users with phishing campaigns.
“The number of accommodations affected by this scam is a small fraction of those on our platform, and we continue to make significant investments to limit the impact on our customers and partners,” Booking.com said.
In Storm-1865 attacks observed by Microsoft, victims are prompted to check a box to prove they are human and then press Windows + R, Ctrl + V, and Enter. “Checking the box copies a command to the clipboard, and the key presses open the Windows Run window, paste the command, and execute it,” Microsoft Threat Intelligence found. “The command downloads and runs malware such as XWorm, Lumma, VenomRAT, AsyncRAT, Danabot or NetSupport RA.”
“All these payloads include capabilities to steal financial data and credentials for fraudulent use, which is a hallmark of Storm-1865 activity,” Microsoft said. “The addition of ClickFix to this threat actor’s tactics, techniques, and procedures shows how Storm-1865 is evolving its attack chains to bypass conventional security measures.”
Meanwhile, Booking.com said it is committed to helping partners and customers stay protected.
“We provide ongoing cybersecurity education and resources to our partners to enhance their defenses against such threats,” Booking.com told SecurityWeek.
In 2022, InterContinental Hotels Group franchisees sued the company over a cyberattack that disrupted booking channels, alleging IHG ignored prior breach warnings. The attack affected reservations, customer care centers, and internal systems, including Merlin and the Help Desk.
