A sophisticated phishing campaign, masquerading as legitimate emails from Booking.com, is targeting hospitality employees
Mar 14, 2025
Hotels worldwide are being targeted by cybercriminals posing as Booking.com in an ongoing phishing campaign aimed at stealing credentials and financial data. Since December 2024, attackers using the “ClickFix” method trick victims into manually launching malware, bypassing standard security measures.
Key takeaways
- Global phishing campaign: Hospitality workers in North America, Southeast Asia, and Europe have been targeted since December 2024 by criminals impersonating Booking.com.
- ClickFix technique: Attackers exploit human tendencies to follow instructions in fake error messages, causing victims to copy and paste malicious commands into their systems, downloading credential-stealing malware.
- Multiple malware strains: Malware variants deployed include XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT, all capable of stealing sensitive financial information and login credentials.
- Storm-1865 group: The campaign is linked to Storm-1865, known for previous phishing attacks targeting hotel guests and e-commerce users.
- Booking.com response: Booking.com confirmed its systems weren’t breached, emphasized minimal overall impact, but acknowledged some partners and customers had fallen victim to the attacks.
- Preventative measures: Microsoft advises hospitality staff to scrutinize email addresses, watch for typos, and avoid responding hastily to messages prompting immediate action.
Get the full story at DigitNews
