- ClickFix phishing campaign targets hotels and guests with PureRAT malware
- Attackers exploit compromised Booking.com accounts and sell stolen credentials on dark web forums
- Guests were tricked into visiting fake Booking/Expedia sites and lost login and payment card data
Hotels and their guests are being targeted by a highly sophisticated ClickFix campaign that aims to deliver dangerous malware, steal login credentials and conduct fraudulent transfer transactions, experts have warned.
Cybersecurity researchers at Sekoia revealed that the attackers would first use random, compromised email accounts to send hotels and various Booking.com account holders a phishing message. The link in the message triggers a redirect chain that ultimately leads to a fake reCAPTCHA challenge designed to trick victims into downloading and installing a remote access Trojan called PureRAT.
The attackers are careful to make sure they are targeting the right people, Sekoia explained. On dark web forums such as LolzTeam, they buy the information of Booking.com establishment administrators and in some scenarios even offer a cut in exchange for valid contact information.
Steal credit card data
“Booking.com extranet accounts play a crucial role in fraudulent schemes targeting the hotel industry,” explained Sekoia’s researchers.
“As a result, data collected from these accounts has become a lucrative commodity regularly offered for sale on illegal marketplaces.”
PureRAT is capable of all sorts of nasty things – from providing remote access to letting attackers control the mouse and keyboard. It can also control the webcam and microphone to record both audio and video, can log keystrokes and upload/download additional files.
However, the attackers appear to be using it to map the hotel’s customers. Then they start emailing them as well as sending personalized WhatsApp messages containing real booking details to make the scams appear legitimate.
These messages also contain phishing links that redirect victims to fake booking or Expedia websites where, if the recipients log in, their credentials – as well as credit card details – are captured.
We don’t know how many hotels or people were compromised by this campaign, but Sekoia says it has been active since at least April 2025 and operational from early October 2025.