This sophisticated phishing campaign is believed to have started in December 2024 and lasted until February 2025, targeting people working in the hospitality industry in North America, Southeast Asia, and Europe. The attackers are exploiting employees' relationships with Booking.com, particularly those who frequently open emails from the travel platform.
Microsoft advises hotel staff to carefully check the sender's email address.
According to the latest report from Microsoft, this campaign uses a technique called "ClickFix." Scammers create fake error messages to trick users, encouraging them to perform actions such as copying, pasting, and running commands on their computers, thereby downloading malware. Microsoft warns that "the need for user interaction can help these attacks bypass conventional security measures."
Specifically, users are instructed to use a keyboard shortcut to open the Windows Run window, then paste and run the command provided by the phishing page. Researchers have identified Storm-1865 as the criminal group behind this campaign. This group has carried out numerous other phishing attacks aimed at stealing payment data and conducting fraudulent transactions.
Malicious emails often contain content related to negative customer reviews, account verification requests, or information from potential customers. Most emails include links or PDF attachments leading to a fake CAPTCHA page, where the attacker deploys the ClickFix program. When the victim clicks the link, the malware is downloaded to their device.
Warning about scams involving the installation of public service applications to integrate driver's license points.
Microsoft has detected various types of malware used in these attacks, including XWorm, Lumma Stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT, all of which allow hackers to steal financial information and login credentials.
Booking.com's response
A representative from Booking.com stated that the number of properties affected by this scam was only a small fraction of the total on their platform. The company has invested significantly to mitigate the impact on customers and partners. They affirmed that Booking.com's system was not compromised, but some partners and customers have fallen victim to phishing attacks.
Microsoft also noted that Storm-1865 targeted hotel guests in 2023 and has intensified its attacks since the beginning of 2023. The company advises hotel staff to carefully check sender email addresses, pay attention to spelling errors in emails, and always be wary of any messages asking them to take action.
Source: https://thanhnien.vn/microsoft-canh-bao-chien-dich-lua-dao-mao-danh-bookingcom-185250315075007781.htm
![[Photo] General Secretary To Lam attends the inauguration ceremony of Si Pa Phin multi-level boarding school.](/_next/image?url=https%3A%2F%2Fvphoto.vietnam.vn%2Fthumb%2F1200x675%2Fvietnam%2Fresource%2FIMAGE%2F2026%2F01%2F31%2F1769840655651_ndo_br_z7486540481209-f37c7e00a962aec2a061c64b7db569ef-jpg.webp&w=3840&q=75)
![OCOP during Tet season: [Part 3] Ultra-thin rice paper takes off.](/_next/image?url=https%3A%2F%2Fvphoto.vietnam.vn%2Fthumb%2F402x226%2Fvietnam%2Fresource%2FIMAGE%2F2026%2F01%2F28%2F1769562783429_004-194121_651-081010.jpeg&w=3840&q=75)
![OCOP during Tet season: [Part 2] Hoa Thanh incense village glows red.](/_next/image?url=https%3A%2F%2Fvphoto.vietnam.vn%2Fthumb%2F402x226%2Fvietnam%2Fresource%2FIMAGE%2F2026%2F01%2F27%2F1769480573807_505139049_683408031333867_2820052735775418136_n-180643_808-092229.jpeg&w=3840&q=75)
Comment (0)