Phishing Campaign Impersonates Booking.com

Deepak Gupta
Deepak Gupta

Co-founder/CEO

 
April 22, 2025 3 min read

Starting in December 2024, Microsoft Threat Intelligence identified a phishing campaign that impersonates the online travel agency Booking.com. This campaign targets organizations in the hospitality sector, employing a social engineering technique known as ClickFix to deliver credential-stealing malware. As of February 2025, this campaign remains active. The phishing attack specifically targets individuals in hospitality organizations across North America, Oceania, and Europe. Attackers send fake emails that appear to come from Booking.com, prompting users to address negative guest reviews or verify accounts. A screenshot of a email

Image courtesy of Microsoft Security Blog In the ClickFix technique, users are presented with false error messages instructing them to copy, paste, and execute commands. This interaction can bypass standard security features. The phishing emails lead to a fake webpage that mimics Booking.com, displaying a CAPTCHA designed to trick users into executing malicious commands. A screenshot of a fake Booking.com webpage
Image courtesy of Microsoft Security Blog The malicious code, executed via mshta.exe, downloads a variety of malware, including XWorm, Lumma stealer, and AsyncRAT, all capable of stealing financial data and credentials.

Recommendations for Defense

Organizations can mitigate the impact of phishing campaigns by educating users to recognize these threats:

  • Verify the sender’s email address.
  • Contact the service provider directly for suspicious messages.
  • Be cautious of urgent calls to action.
  • Hover over links to check the full URL.
  • Look for typos in the email content, which can be indicators of phishing.

For enhanced security, Microsoft recommends implementing phishing-resistant authentication methods and enforcing multi-factor authentication (MFA) across all accounts.

Malware Types Involved

The phishing campaign delivers various malware families:

  • XWorm: A remote access trojan that allows the attacker to take control of the victim's device.
  • Lumma Stealer: Focused on stealing sensitive information.
  • AsyncRAT: A remote access trojan known for its ability to capture keystrokes and access files.

Microsoft Defender Antivirus detects these threats as follows:

ClickFix Technique Explained

The ClickFix technique is a sophisticated method used in this phishing campaign. Users are misled into executing malicious commands by following instructions embedded in fake CAPTCHA pages. A screenshot of a contact us

Image courtesy of Microsoft Security Blog When users copy and paste the commands into the Windows Run dialog, it can lead to the installation of various malware types. This tactic shows the evolving nature of phishing attacks and highlights the need for robust cybersecurity measures.

Implications for Cybersecurity Marketing

For companies in the cybersecurity sector, such as GrackerAI, there is a significant opportunity to address these emerging threats through targeted content marketing and threat monitoring. By leveraging insights from such phishing campaigns, GrackerAI can help organizations create relevant marketing materials and educate their audiences on the latest cybersecurity threats. GrackerAI is an AI-powered cybersecurity marketing platform designed to assist organizations in transforming security news into strategic content opportunities. It enables marketing teams to identify emerging trends, monitor threats, and produce technically relevant content that resonates with cybersecurity professionals. Explore our services at GrackerAI to enhance your cybersecurity marketing strategy.

Latest Cybersecurity Trends & Breaking News

Critical Vulnerability in Erlang/OTP SSH Implementation Automating Cybersecurity in Software Development with AI

Deepak Gupta
Deepak Gupta

Co-founder/CEO

 

Deepak Gupta is a technology leader with deep experience in enterprise software, identity systems, and security-focused platform architecture. Having led CIAM and authentication products at a senior level, he brings strong expertise in building scalable, secure, and developer-ready systems. At Gracker, his work focuses on applying AI to simplify complex technical workflows while maintaining the accuracy, reliability, and trust required in cybersecurity and B2B environments.

Related Articles

Speed-to-Lead for Inbound: Simple Rules That Increase Conversions
speed to lead inbound

Speed-to-Lead for Inbound: Simple Rules That Increase Conversions

Discover simple rules to increase conversions by improving speed to lead and prioritizing high-intent prospects.

By Nikita Shekhawat March 2, 2026 10 min read
common.read_full_article
AI-Powered Enterprise Legal Management Software for In-House Counsel
AI-powered legal management software

AI-Powered Enterprise Legal Management Software for In-House Counsel

Explore AI-powered enterprise legal management software designed to help in-house counsel streamline workflows, reduce risk, and improve compliance.

By Abhimanyu Singh February 26, 2026 6 min read
common.read_full_article
How Manufacturing Brands Can Get Cited in AI Search Results
Manufacturing AI search

How Manufacturing Brands Can Get Cited in AI Search Results

Learn how manufacturing brands can optimize content and structured data to get cited in AI search results and boost visibility.

By Mohit Singh Gogawat February 26, 2026 10 min read
common.read_full_article
Why Credible Businesses Win in AI-Driven Discovery
Business credibility in AI search

Why Credible Businesses Win in AI-Driven Discovery

Discover why credible businesses outperform competitors in AI-driven discovery by building trust, authority, and high-quality digital signals.

By David Brown February 25, 2026 8 min read
common.read_full_article