Microsoft has disclosed an ongoing phishing campaign that targets the hospitality sector by impersonating Booking.com. The campaign, named Storm-1865, has been operational since December 2024 and uses a social engineering technique known as ClickFix to distribute malware. Phishing emails are sent to employees in the hospitality industry across various regions and contain fake Booking.com links that redirect users to a fraudulent CAPTCHA page. This page then prompts victims to execute a command that downloads malicious payloads, including XWorm, Lumma stealer, and VenomRAT.
The ClickFix technique manipulates users into copying and pasting a command that abuses Windows' legitimate mshta.exe binary. Because the email itself carries no malicious attachment and the victim, not the mail flow, performs the execution, the campaign sidesteps traditional email security controls such as DMARC enforcement, making it difficult for automated systems to detect the threat. Microsoft's threat intelligence team has noted the evolution of this tactic over time, from targeting e-commerce platforms to leveraging ClickFix for more effective phishing campaigns. This shift underscores a growing sophistication in circumventing standard security measures.
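Because the execution step happens on the endpoint rather than in the mail pipeline, detection has to look at process telemetry. The following is an added example, not code from Microsoft or from the article, that flags mshta.exe launches consistent with the ClickFix flow described above (a remote URL argument, or an interactive parent such as explorer.exe from the Run dialog). It assumes Sysmon-style process-creation fields (parent, image, cmdline); the event records are constructed for illustration.

```python
import re

# Constructed Sysmon Event ID 1 style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" https://example.invalid/verify'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\alice\AppData\Local\Temp\tool.hta"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" notes.txt'},
]

# mshta fetching its script from a remote location is the ClickFix hallmark.
REMOTE_ARG = re.compile(r"^(https?|ftp):", re.IGNORECASE)
# A user pasting into the Run dialog yields parent explorer.exe; pasting into a
# console yields cmd.exe or powershell.exe. Both are unusual for legitimate mshta use.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}


def basename(path):
    """Case-insensitive file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the reasons this event looks like ClickFix-style mshta abuse (empty if none)."""
    if basename(event["image"]) != "mshta.exe":
        return []
    reasons = []
    # Drop the program token, strip quotes from the remaining arguments.
    args = [a.strip('"') for a in event["cmdline"].split()[1:]]
    if any(REMOTE_ARG.match(a) for a in args):
        reasons.append("mshta launched with a remote URL argument")
    parent = basename(event["parent"])
    if parent in INTERACTIVE_PARENTS:
        reasons.append(f"mshta spawned by interactive parent {parent}")
    return reasons


def scan(events):
    """Return (cmdline, reasons) for every suspicious event in the stream."""
    return [(e["cmdline"], r) for e in events if (r := classify(e))]


if __name__ == "__main__":
    for cmdline, reasons in scan(SAMPLE_EVENTS):
        print(cmdline, "->", "; ".join(reasons))
```

In practice the URL check is the higher-fidelity signal; the parent check on its own will also catch some benign administrative use of mshta and should be tuned against the environment's baseline.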
The Storm-1865 campaign, which has victimized both purchasers and employees within the hospitality sector, represents the most recent example in a series of ClickFix-based attacks. This technique has gained popularity among cybercriminals and even state-sponsored groups like APT28 and MuddyWater. Harnessing user trust and behavior, ClickFix effectively evades many automated defenses, making it a potent weapon for malware dissemination.
With the escalation of such attacks, the industry has seen a proliferation of new campaigns that use fake CAPTCHA verifications to drop infostealers such as Lumma and Vidar. The efficacy of ClickFix is evident in its swift adoption by diverse threat actors, reflecting its minimal technical requirements and high success rate. By relying on user actions and placing the burden of execution on the victim, ClickFix increases the likelihood of infection. In addition to the Storm-1865 campaign, recent phishing attacks have employed similar strategies, such as counterfeit Google reCAPTCHA challenges and fake booking confirmations, to deliver malware. These tactics reflect a prevalent trend in social engineering schemes that exploit user trust and browser functionality for malicious ends.
In conclusion, the Storm-1865 phishing campaign showcases the growing threat posed by malicious actors in targeting the hospitality industry through deceptive tactics like ClickFix. As cybercriminals continue to evolve and refine their strategies, organizations and individuals must remain vigilant against such sophisticated attacks to safeguard their sensitive information and networks from potential harm.
