A sophisticated phishing campaign is actively targeting hotel and hostel staff by masquerading as Booking.com, deploying credential-stealing malware across North America, Southeast Asia, and Europe. The campaign, which began in December 2024 and remains ongoing through February 2025, exploits the hospitality sector’s reliance on the travel platform to infiltrate systems and steal sensitive data.
ClickFix: A Psychological Manipulation Tactic
According to a report by Microsoft, the attackers leverage a technique called ClickFix—a method designed to exploit human problem-solving tendencies. By presenting fake error messages and system prompts, the hackers trick victims into following instructions that ultimately lead to the execution of malicious commands.
Microsoft warns that this method allows cybercriminals to bypass automated security measures by convincing users to manually execute the attack. Victims are instructed to use a keyboard shortcut to open the Windows Run dialog, then paste and execute a malicious command copied from the phishing email or attachment.
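Commands typed or pasted into the Windows Run dialog are recorded per user in the registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which gives responders a place to look after a suspected ClickFix interaction. The triage check below is an added example, not code from Microsoft's report or from this article; the program list, the lure keywords, the two-signal threshold and the sample values are assumptions constructed for illustration.

```python
import re

# Script hosts and downloaders; typing one of these into Win+R together with a
# URL is unusual for front-desk staff. This list is an assumption: tune it.
SCRIPT_HOSTS = {"powershell", "pwsh", "mshta", "cmd", "curl", "certutil",
                "bitsadmin", "wscript", "cscript", "msiexec", "rundll32"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
LURE_RE = re.compile(r"captcha|robot|verif", re.IGNORECASE)

def first_program(command):
    """Return the lower-cased program name of a Run command, without path or .exe."""
    tokens = command.strip().strip('"').split()
    if not tokens:
        return ""
    name = re.split(r"[\\/]", tokens[0].strip('"'))[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def suspicious_run_entries(runmru):
    """Return (value_name, command, reasons) for flagged entries, most recent first."""
    findings = []
    for name in runmru.get("MRUList", ""):  # MRUList orders the value names
        raw = runmru.get(name, "")
        command = raw[:-2] if raw.endswith("\\1") else raw  # drop the "\1" terminator
        reasons = []
        if first_program(command) in SCRIPT_HOSTS:
            reasons.append("script-host")
        if URL_RE.search(command):
            reasons.append("remote-url")
        if LURE_RE.search(command):
            reasons.append("lure-text")
        # One signal alone is common in benign use; require two to cut noise.
        if len(reasons) >= 2:
            findings.append((name, command, reasons))
    return findings

# Constructed sample of RunMRU values (not taken from a real host or from the report).
SAMPLE = {
    "MRUList": "dcba",
    "a": "notepad\\1",
    "b": "cmd /c ipconfig /all\\1",
    "c": "https://example.invalid/intranet\\1",
    "d": "mshta https://example.invalid/check # verify you are human\\1",
}

if __name__ == "__main__":
    for name, command, reasons in suspicious_run_entries(SAMPLE):
        print(f"{name}: {command!r} -> {', '.join(reasons)}")
```

On a live host the dictionary would be filled from the RunMRU key of each user profile; a hit is a lead for further investigation, not proof of compromise.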
The Threat Actor: Storm-1865
The operation has been attributed to the cybercriminal group Storm-1865, known for executing phishing campaigns that target payment data and facilitate fraudulent transactions. The malicious emails take various forms—some posing as complaints about bad guest reviews, others mimicking account verification requests or urgent inquiries from potential guests.
Many of these phishing emails contain links or PDF attachments that direct victims to a counterfeit Booking.com page. Upon interaction, victims encounter a fake CAPTCHA verification process, where the ClickFix technique initiates malware installation.
Widespread Malware Deployment
Microsoft’s investigation found that multiple malware strains are being deployed through this campaign, including:
- XWorm
- Lumma Stealer
- VenomRAT
- AsyncRAT
- Danabot
- NetSupport RAT
Each of these allows cybercriminals to exfiltrate financial data and login credentials, compromising both businesses and individuals.
Booking.com Responds
A spokesperson for Booking.com downplayed the scale of the attacks, claiming that only a small percentage of their accommodations have been affected. They emphasized that the company has invested significantly in cybersecurity to mitigate such threats.
“While we can confirm that Booking.com’s systems have not been breached, we are aware that some of our accommodation partners and customers have been impacted by phishing attacks carried out by professional criminals,” the spokesperson said. “These criminals are attempting to take over local computer systems with malware.”
A Pattern of Phishing Attacks
Storm-1865 has a history of leveraging Booking.com for phishing campaigns. In 2023, the group targeted hotel guests, while in 2024, they expanded their operations to e-commerce customers.
Microsoft has observed a sharp increase in these campaigns since early 2023, warning that threat actors are evolving their tactics. The company urges hospitality workers to take the following precautions:
- Verify sender email addresses carefully.
- Check for spelling errors or inconsistencies in emails.
- Be cautious of urgent requests requiring immediate action.
- Never execute commands from an unknown or unverified source.
The hospitality industry remains a prime target for cybercriminals, and vigilance is crucial to avoiding compromise.


