The sophisticated phishing campaign is believed to have started in December 2024 and continued until February 2025, targeting hospitality workers in North America, Southeast Asia, and Europe. The attackers are exploiting employees’ relationships with Booking.com, especially those who frequently open emails from the travel platform.
Microsoft recommends that hotel staff carefully check the sender's email address.
According to a new report from Microsoft, the campaign uses a technique called “ClickFix.” Fraudsters create fake error messages to trick users into copying, pasting, and running commands on their computers, which then download malware. Microsoft warns that “the need for user interaction can help these attacks bypass common security measures.”
Specifically, users are asked to use a keyboard shortcut to open the Windows Run window, then paste and run the command provided by the phishing page. Researchers have identified Storm-1865 as the criminal group behind this campaign, which has carried out many other phishing attacks aimed at stealing payment data and making fraudulent transactions.
Malicious emails typically contain content related to negative customer reviews, account verification requests, or information from potential customers. Most emails include a link or PDF attachment that leads to a fake CAPTCHA page where the attacker deploys the ClickFix program. When the victim clicks on the link, the malware is downloaded to their device.
Warning of fraud in installing public service applications to integrate driving license points
Microsoft has detected several different types of malware used in these attacks, including XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT, all of which allow hackers to steal financial information and login credentials.
Booking.com's response
A Booking.com representative said the number of properties affected by this scam is a small fraction of the total number on their platform. The company has made significant investments to minimize the impact on customers and partners. They said Booking.com’s systems were not breached, but some partners and customers have fallen victim to phishing attacks.
Microsoft also noted that Storm-1865 targeted hotel guests in 2023 and has ramped up its attacks since early 2023. The company recommends that hotel staff double-check the sender's email address, pay attention to misspellings in emails, and remain wary of any messages asking them to take action.
Source: https://thanhnien.vn/microsoft-canh-bao-chien-dich-lua-dao-mao-danh-bookingcom-185250315075007781.htm
Comment (0)