Phishing Campaign Impersonates Booking.com

Deepak Gupta
Deepak Gupta

Co-founder/CEO

 
April 22, 2025 3 min read

Starting in December 2024, Microsoft Threat Intelligence identified a phishing campaign that impersonates the online travel agency Booking.com. This campaign targets organizations in the hospitality sector, employing a social engineering technique known as ClickFix to deliver credential-stealing malware. As of February 2025, this campaign remains active. The phishing attack specifically targets individuals in hospitality organizations across North America, Oceania, and Europe. Attackers send fake emails that appear to come from Booking.com, prompting users to address negative guest reviews or verify accounts. A screenshot of a email Image courtesy of Microsoft Security Blog In the ClickFix technique, users are presented with false error messages instructing them to copy, paste, and execute commands. This interaction can bypass standard security features. The phishing emails lead to a fake webpage that mimics Booking.com, displaying a CAPTCHA designed to trick users into executing malicious commands. A screenshot of a fake Booking.com webpage Image courtesy of Microsoft Security Blog The malicious code, executed via mshta.exe, downloads a variety of malware, including XWorm, Lumma stealer, and AsyncRAT, all capable of stealing financial data and credentials.

Recommendations for Defense

Organizations can mitigate the impact of phishing campaigns by educating users to recognize these threats:

  • Verify the sender’s email address.
  • Contact the service provider directly for suspicious messages.
  • Be cautious of urgent calls to action.
  • Hover over links to check the full URL.
  • Look for typos in the email content, which can be indicators of phishing.

For enhanced security, Microsoft recommends implementing phishing-resistant authentication methods and enforcing multi-factor authentication (MFA) across all accounts.

Malware Types Involved

The phishing campaign delivers various malware families:

  • XWorm: A remote access trojan that allows the attacker to take control of the victim's device.
  • Lumma Stealer: Focused on stealing sensitive information.
  • AsyncRAT: A remote access trojan known for its ability to capture keystrokes and access files.

Microsoft Defender Antivirus detects these threats as follows:

ClickFix Technique Explained

The ClickFix technique is a sophisticated method used in this phishing campaign. Users are misled into executing malicious commands by following instructions embedded in fake CAPTCHA pages. A screenshot of a contact us Image courtesy of Microsoft Security Blog When users copy and paste the commands into the Windows Run dialog, it can lead to the installation of various malware types. This tactic shows the evolving nature of phishing attacks and highlights the need for robust cybersecurity measures.

Implications for Cybersecurity Marketing

For companies in the cybersecurity sector, such as GrackerAI, there is a significant opportunity to address these emerging threats through targeted content marketing and threat monitoring. By leveraging insights from such phishing campaigns, GrackerAI can help organizations create relevant marketing materials and educate their audiences on the latest cybersecurity threats. GrackerAI is an AI-powered cybersecurity marketing platform designed to assist organizations in transforming security news into strategic content opportunities. It enables marketing teams to identify emerging trends, monitor threats, and produce technically relevant content that resonates with cybersecurity professionals. Explore our services at GrackerAI to enhance your cybersecurity marketing strategy.

Latest Cybersecurity Trends & Breaking News

Critical Vulnerability in Erlang/OTP SSH Implementation Automating Cybersecurity in Software Development with AI

Deepak Gupta
Deepak Gupta

Co-founder/CEO

 

Cybersecurity veteran and serial entrepreneur who built GrackerAI to solve the link between B2B SaaS product and search engine. Leads the mission to help cybersecurity brands dominate search results through AI-powered product-led ecosystem.

Related Articles

The Question Hub Strategy: How B2B SaaS Companies Capture AI Search Traffic

Learn how B2B SaaS companies use Question Hub strategy to capture ChatGPT, Claude & Perplexity traffic. 5-step process with real case studies & results.

By Deepak Gupta July 23, 2025 3 min read
Read full article

Google Adds Comparison Mode for Real-Time SEO Checks

Use Google’s new Search Console comparison mode for hourly SEO audits. Perfect for SaaS & cybersecurity marketers tracking real-time changes.

By Ankit Agarwal July 18, 2025 3 min read
Read full article

2025 Programmatic SEO Playbook: AI, Real-Time Data, and Market Domination

Master 2025 programmatic SEO with AI-powered content, real-time data integration, and dynamic optimization. Includes implementation guide and competitive advantages.

By Deepak Gupta July 6, 2025 10 min read
Read full article

Quality at Scale: How AI Solves Programmatic SEO's Biggest Challenge

Discover how AI transforms thin programmatic content into high-quality pages that survive Google's 2025 updates. Includes quality metrics and implementation guide.

By Deepak Gupta July 6, 2025 13 min read
Read full article