CyberSecurity news
Microsoft Threat@Microsoft Security Blog
An ongoing phishing campaign impersonating Booking.com is targeting hospitality employees with credential-stealing malware. Microsoft Threat Intelligence identified the campaign, which began in December 2024 and is ongoing as of February 2025. The attackers send malicious emails to employees in North America, Oceania, South and Southeast Asia, and Europe who are likely to work with Booking.com, and use a social engineering technique called ClickFix to deliver the malware. The campaign aims to conduct financial fraud and theft by compromising employee credentials.
The ClickFix technique involves fake error messages and prompts that instruct users to fix issues by copying and pasting commands, leading to malware downloads. The phishing emails vary in content, referencing negative guest reviews, requests from prospective guests, online promotion opportunities, and account verification to induce clicks. The threat actor, tracked as Storm-1865, has evolved its tactics to bypass security measures.
References:
- krebsonsecurity.com: Booking.com Phishers May Leave You With Reservations
- Source Asia: Phishing campaign impersonates Booking .com, delivers a suite of credential-stealing malware
- The DefendOps Diaries: Understanding the ClickFix Phishing Threat to the Hospitality Industry
- The Hacker News: Microsoft Warns of ClickFix Phishing Campaign Targeting Hospitality Sector via Fake Booking[.]com Emails
- : ‘ClickFix’ Phishing Scam Impersonates Booking.com to Target Hospitality
- The Record: Cybercriminals are sending malicious emails to hospitality employees who are likely to work with Booking.com
- bsky.app: Microsoft is warning that an ongoing phishing campaign impersonating Booking.com is using ClickFix social engineering attacks to infect users with various malware, including infostealers and RATs.
- The Register - Security: That 'angry guest' email from Booking.com? It's a scam, not a 1-star review
- www.techradar.com: Microsoft warns about a new phishing campaign impersonating Booking.com
- TARNKAPPE.INFO: ClickFix Phishing: New Campaign Targets the Hotel Industry
- Virus Bulletin: Microsoft researchers identified a phishing campaign (Storm-1865) that uses a social engineering technique called ClickFix to deliver multiple credential-stealing malware in order to conduct financial fraud and theft.
- BleepingComputer: Microsoft warns that an ongoing phishing campaign impersonating Booking.com is using ClickFix social engineering attacks to infect users with various malware, including infostealers and RATs.
- Email Security - Blog: "ClickFix" Phishing Impersonation Campaign Targets Hospitality Sector
- eSecurity Planet: Phishing Campaign Impersonates Booking.com, Plants Malware
- Security Risk Advisors: 🚩Microsoft Detects Ongoing Phishing Impersonation of Booking.com Using “ClickFix” to Deliver Credential-Stealing Malware
- Blog: Phishing campaign impersonates Booking.com, plants malware
- Davey Winder: Booking.com CAPTCHA attack impacts customers—but systems not breached, a spokesperson has said.
- www.computerworld.com: Description of the ClickFix phishing campaign targeting the hospitality industry via fake Booking.com emails.
- www.cysecurity.news: A phishing campaign impersonates Booking.com, targeting organizations in hospitality, using the ClickFix method to spread credential-stealing malware.
- www.cybersecurity-insiders.com: Malware Impersonating Booking.com Targets Hospitality Sector
- thecyberexpress.com: Microsoft Detects Ongoing Phishing Impersonation of Booking.com Using “ClickFix” to Deliver Credential-Stealing Malware
- securityonline.info: Booking.com Impersonated in Phishing Campaign Delivering Credential-Stealing Malware
- gbhackers.com: Microsoft Threat Intelligence has identified an ongoing phishing campaign that began in December 2024, targeting organizations in the hospitality industry by impersonating the online travel agency Booking.com. The campaign, tracked as Storm-1865, employs a sophisticated social engineering technique called ClickFix to deliver credential-stealing malware designed to conduct financial fraud and theft. This attack specifically targets
- Metacurity: The attackers are impersonating Booking.com to deliver credential-stealing malware.
- Talkback Resources: Storm-1865 Impersonates Booking.com in Phishing Scheme
- Blog: Storm-1865 leverages ‘ClickFix’ technique in new phishing campaign
Classification:
- HashTags: #Phishing #Booking.com #Malware
- Company: Booking.com
- Target: Hospitality Employees
- Product: Booking.com
- Feature: Phishing Campaign
- Type: Hack
- Severity: Major