Cybercriminals Impersonate Booking.com In New Phishing Attack

Microsoft has identified an ongoing phishing campaign targeting hotel and hostel staff by impersonating the travel agency Booking.com.

Microsoft’s security team identified the campaign in December 2024, just before the busy holiday travel season. The scam is still active as of February 2025, affecting organizations across North America, Europe, Oceania, and parts of Asia.

The attackers send fake emails that appear to be from Booking.com, referencing negative guest reviews, urgent booking requests, or account verification needs. These emails contain links leading to a deceptive webpage designed to resemble Booking.com.

On this fake website, victims are prompted to complete a CAPTCHA verification, but instead of a real security check, they are instructed to open a special command window on their computer and paste in a provided code. This action downloads and executes malware that can steal sensitive information.

The malware delivered in this attack includes several well-known hacking tools, such as XWorm, VenomRAT, and AsyncRAT.

These programs allow cybercriminals to take control of infected devices, capture passwords, and commit financial fraud. Microsoft has linked this activity to a hacker group it calls Storm-1865, which has previously targeted e-commerce platforms and hotel guests using similar tactics.

The addition of this new method, known as ” ClickFix,” shows how attackers are evolving to bypass security defenses. By making the victim take specific actions, such as copying and pasting code, they can avoid automatic detection by email filters and antivirus software.

A Booking.com spokesperson clarified that the attack does not involve a security breach on their platform.

“While we can confirm that Booking.com’s systems have not been breached, we are aware that unfortunately some of our accommodation partners and customers have been impacted by phishing attacks sent by professional criminals, with the criminal intent of taking over their local computer systems with malware,” they said, reported The Record.

Microsoft advises businesses to enforce multi-factor authentication, use email filtering tools to scan for phishing attempts, and ensure staff are trained to recognize suspicious emails. With cybercriminals constantly refining their tactics, staying vigilant against phishing attacks is crucial, especially in industries that handle sensitive customer data.