- ClickFix phishing campaign targets hotels and guests with PureRAT malware
- Attackers exploit compromised Booking.com accounts and sell stolen credentials on Dark Web forums.
- Customers trapped on fake Booking/Expedia sites, losing their login and payment card details
Hotels and their guests are being targeted by a highly sophisticated ClickFix campaign aimed at spreading dangerous malware, stealing login credentials and carrying out fraudulent electronic transactions, experts have warned.
Cybersecurity researchers at Sekoia revealed that attackers would first use random, compromised email accounts to send a phishing message to hotels and individual Booking.com account holders. The link in the message triggers a redirect chain that ultimately leads to a fake reCAPTCHA challenge, designed to trick victims into downloading and installing a remote access Trojan called PureRAT.
The attackers are careful to target the right people, Sekoia said. On dark web forums, such as LolzTeam, they purchase information about Booking.com property administrators and, in some scenarios, even offer a commission in exchange for valid contact details.
Stealing credit card data
“Booking.com extranet accounts play a crucial role in fraudulent schemes targeting the hotel sector,” Sekoia researchers explain.
“As a result, the data collected from these accounts has become a lucrative commodity, regularly offered for sale on illicit markets.”
PureRAT is capable of all sorts of nasty things, from granting remote access to allowing attackers to control the mouse and keyboard. It can also control the webcam and microphone to capture both audio and video, record keystrokes, and upload/download additional files.
The attackers, however, appear to be using it to map hotel guests. They then send those guests emails, as well as personalized WhatsApp messages, containing real booking details to make the scams appear legitimate.
These messages also contain phishing links that redirect victims to fake Booking or Expedia sites where, if recipients log in, their credentials – as well as credit card information – are harvested.
We don’t know how many hotels or people were compromised by this campaign, but Sekoia says it has been active since at least April 2025 and operational by early October 2025.




