Booking Scam: Guest Services, Financial and Credential Disservice

Cybercriminals have set their sights on the hospitality sector, weaponizing fraudulent Booking.com emails to distribute malware through an advanced social engineering method known as ClickFix. The Storm-1865 campaign manipulates hotel and travel agency employees into executing malicious code disguised as a simple error resolution process.

This sophisticated phishing scheme bypasses traditional cybersecurity defenses, using human psychology rather than technical exploits. By leveraging well-known brands and trusted booking services, attackers exploit businesses’ financial systems, guest records, and employee credentials, resulting in data breaches, system compromise, and fraudulent transactions.

Hospitality Sector Under Attack

Hotels, resorts, and travel agencies across North America, Europe, Oceania, and Asia have fallen victim to this campaign. Storm-1865 operators carefully craft emails that mimic Booking.com’s branding, language, and formatting, making the scam difficult to detect. These messages often warn of negative guest reviews or urgent booking issues, prompting employees to take immediate action.

How Victims Are Targeted

1. Employees in customer service roles receive a phishing email about a fake Booking.com complaint.

2. The email includes a malicious link or a PDF attachment with a URL that appears legitimate.

3. Clicking the link leads to a fake CAPTCHA page, increasing the attack’s credibility.

4. Victims are instructed to copy and paste a command into their system’s Run dialog box, unknowingly executing malware.

Consequences for Businesses

• Credential Theft: Attackers extract employee login credentials, giving them access to guest databases, payment portals, and internal systems.

• Financial Fraud: Cybercriminals steal billing information, process unauthorized transactions, and exploit corporate banking accounts.

• Data Breach Risks: Stolen guest records could lead to identity theft, legal repercussions, and regulatory penalties for non-compliance with data protection laws.

The widespread nature of this campaign suggests a high degree of automation and scalability, allowing Storm-1865 to target multiple regions simultaneously.

ClickFix Deception: Manipulating Human Behavior

Unlike conventional phishing, ClickFix exploits human psychology rather than technical vulnerabilities. By presenting victims with a familiar and seemingly trustworthy error-resolution process, cybercriminals shift the burden of execution onto the user, effectively bypassing automated security controls.

How ClickFix Works

1. Fake CAPTCHA Verification – Victims believe they are verifying their identity on Booking.com, but the CAPTCHA is a deceptive overlay.

2. Copy-Paste Malicious Code – The page instructs users to copy a command into the Windows Run dialog, unknowingly launching malware.

3. PowerShell Execution – The malware executes via PowerShell, allowing attackers to deploy remote access trojans (RATs), keyloggers, and credential stealers.

4. Undetected Malware Installation – The script downloads and installs malware such as:

• XWorm RAT: Grants attackers full system control.

• Lumma Stealer: Extracts login credentials, financial records, and browser session cookies.

• VenomRAT: Used for keylogging, remote execution, and persistence.

Why ClickFix Is Dangerous

• Bypasses traditional phishing defenses by making users execute the malware themselves.

• Mimics real security features (like CAPTCHA pages) to gain user trust.

• Executed via legitimate system processes (e.g., PowerShell) to avoid detection.

The attack is not just highly effective but also difficult to mitigate, as it relies on user actions rather than software vulnerabilities.

Blocking the Breach: Defensive Measures

With phishing evolving into complex social engineering tactics, businesses must shift towards employee-focused security training and proactive threat detection.

Key Security Strategies

• Employee Training & Awareness.

• Teach staff to identify phishing attempts disguised as urgent customer complaints.

• Educate employees on ClickFix tactics, including fake CAPTCHAs and script-based phishing techniques.

• Conduct simulated phishing exercises to test real-world response rates.

• Technical Security Controls.

• Restrict script execution policies to prevent unauthorized PowerShell activity.

• Implement behavior-based monitoring to detect suspicious clipboard activity (i.e., users copy-pasting unknown commands).

• Enforce multi-factor authentication (MFA) on all Booking.com and payment system logins.

• Use email filtering solutions to block messages containing deceptive links or suspicious PDF attachments.

• Incident Response & Threat Intelligence.

• Deploy endpoint detection and response (EDR) solutions to identify and neutralize RAT infections.

• Establish a zero-trust security model, ensuring employees operate under least privilege access principles.

• Monitor network traffic anomalies, particularly unusual outbound connections to command-and-control (C2) servers.

The ClickFix technique represents a dangerous evolution in phishing, proving that users—not just software—are the primary attack vector. Cybercriminals exploit trust, urgency, and deception, making education and proactive security critical defenses.

https://thehackernews.com/2025/03/microsoft-warns-of-clickfix-phishing.html?m=1