- Microsoft warns of a new phishing campaign that impersonates Booking.com
- It targets companies in the hospitality sector
- The goal is to deploy infostealers and Trojans
Hotels, resorts and other businesses in the hospitality sector are being targeted with a sophisticated ClickFix phishing campaign that impersonates Booking.com.
A new report from Microsoft Threat Intelligence claims that the phishing campaign “is developing quickly” and targeting companies around the world.
The goal of the campaign is to steal people’s payment and personal data, which can lead to wire fraud and reputational damage to victim organizations.
Storm-1865
First, the attacker creates a Booking.com-themed email message that discusses things like guest reviews or account verification. Businesses that do not spot the scam are then redirected to a fake CAPTCHA puzzle, and if they solve it, they are shown an error message. This fake error message also comes with a "solution" that involves copying a command and pasting and running it in the Windows Run dialog.
Instead of solving the problem, the command downloads one of several malware strains used in this campaign: XWorm, Lumma Stealer or VenomRAT. These are different types of malware with different features.
For example, while VenomRAT is a remote access Trojan that gives attackers unabated access to victims, Lumma is an infostealer that grabs login credentials and other secrets stored in the web browser and elsewhere on the device.
Microsoft attributed the campaign to a threat actor it tracks as Storm-1865, a group with no prior record. The campaign apparently started in December 2024, and there is no information about how many companies – if any – fell for it.
ClickFix scams have become more popular recently, and TechRadar Pro has already reported on them on several occasions this year. They are an evolution of the old “IT technician” scam, where a victim is served a popup that impersonates a reputable company and says their computer is broken or infected.
The popup shares a phone number that the victim can call to talk to an IT technician and sort out the problem. The “technician” ends up installing malware.
While phone scams are still alive, the ClickFix campaign focuses more on having the victim do most of the work and install the malware through a less obvious process (pasting a command into Run).
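For defenders, the paste-into-Run step leaves a trace: Windows records commands typed into the Run dialog per user under the `RunMRU` registry key. The following is an added example, not code from Microsoft or the original article, that triages exported RunMRU values; the sample entries, the placeholder host name and the heuristics are constructed assumptions.

```python
import re

# Constructed sample of RunMRU values as (name, data) pairs, as exported from
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU.
# Run dialog entries are stored with a trailing "\1". The host is a placeholder.
SAMPLE_RUNMRU = [
    ("MRUList", "edcba"),
    ("a", "cmd\\1"),
    ("b", "\\\\fileserver\\reports\\1"),
    ("c", "mshta https://verify.example.invalid/captcha # I am not a robot\\1"),
    ("d", "PowerShell -w hidden -enc PLACEHOLDER\\1"),
    ("e", "notepad C:\\Users\\frontdesk\\notes.txt\\1"),
]

# Script hosts and download-capable tools that rarely belong in a Run entry
# together with a URL or window-hiding flags (assumed heuristic list).
INTERPRETER = re.compile(
    r"\b(?:powershell|pwsh|mshta|cmd|curl|certutil|bitsadmin|msiexec|"
    r"rundll32|regsvr32|wscript|cscript)(?:\.exe)?\b", re.I)
REMOTE = re.compile(r"https?://", re.I)
EVASION = re.compile(
    r"(?:^|\s)[-/](?:e|enc|encodedcommand|w(?:indowstyle)?\s+h(?:idden)?|"
    r"nop(?:rofile)?)\b", re.I)
# Fake-CAPTCHA lures often append reassuring text so the pasted line looks benign.
LURE = re.compile(r"not a robot|captcha|verif", re.I)


def triage_runmru(values):
    """Return [(name, command, reasons)] for entries an analyst should review."""
    findings = []
    for name, data in values:
        if name.lower() == "mrulist":
            continue  # ordering metadata, not a command
        command = data[:-2] if data.endswith("\\1") else data
        reasons = []
        if INTERPRETER.search(command):
            if REMOTE.search(command):
                reasons.append("script host or downloader with remote URL")
            if EVASION.search(command):
                reasons.append("hidden window or encoded command")
        if LURE.search(command):
            reasons.append("lure text embedded in command")
        if reasons:
            findings.append((name, command, reasons))
    return findings


if __name__ == "__main__":
    for name, command, reasons in triage_runmru(SAMPLE_RUNMRU):
        print(f"[{name}] {command}\n    -> {'; '.join(reasons)}")
```

A hit is a lead for review, not a verdict: administrators legitimately run some of these tools from Run, so correlate with process-creation and network telemetry for the same user and time window.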