
Booking.com hosts are being targeted with dangerous credential-stealing malware, Microsoft warns. Scammers convincingly impersonate the platform to craft fraudulent emails about complaining guests, promotion opportunities, account verification, and other requests.
The ongoing phishing campaign has been running for the past several months. Scammers are blending their fraudulent emails with legitimate support requests from clients or Booking.com, including during some of the busiest travel days.
“This phishing attack specifically targets individuals in hospitality organizations in North America, Oceania, South and Southeast Asia, and Northern, Southern, Eastern, and Western Europe, that are most likely to work with Booking.com, sending fake emails purporting to be coming from the agency,” the Microsoft Threat Intelligence team said.
The fake emails look convincing. Some examples include “confused clients” asking about some negative reviews, bogus Booking.com warnings about negative feedback shared by the guests, or security alerts requiring verification of the account.

Cybercriminals create a sense of urgency, requiring victims to complete the verification process by the set deadline.

The hackers behind the attack hope that the victim will click on the provided button or link to resolve the issue. The so-called ClickFix technique takes advantage of human problem-solving tendencies.
When the victims attempt to resolve the fraudulent issues, the links lead to a webpage displaying fake CAPTCHA overlays on fraudulent Booking.com impersonations. The CAPTCHA instructs users to perform three steps: press two key combinations followed by Enter.
This is all it takes to open the Windows Run window, paste a malicious command, and run it.
The fake webpage “gives the illusion that Booking.com uses additional verification checks, which might give the targeted user a false sense of security and therefore increase their chances of getting compromised,” Microsoft explains.
The victim-launched command slips through conventional security features and eventually downloads and runs malware.
In this campaign, threat actors deploy very capable information stealers, including XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT.

“All these payloads include capabilities to steal financial data and credentials for fraudulent use,” Microsoft warns.
The hackers behind the malicious activity are labeled Storm-1865. Since at least early 2023, this cluster of activity has conducted phishing campaigns, leading to payment data theft and fraudulent charges. It’s known to send messages through vendor platforms, such as online travel agencies, e-commerce platforms, and email services like Gmail or iCloud Mail.
Starting in December 2024, Microsoft Threat Intelligence identified a phishing campaign that impersonates online travel agency Booking .com and delivers multiple credential-stealing malware used for financial fraud and theft. https://t.co/MPYWSzmiol
Microsoft Threat Intelligence (@MsftSecIntel) March 13, 2025
How to protect yourself
The first line of defense is spotting phishing activity. The Microsoft Threat Intelligence team shared some recommendations that help to recognize fraudulent emails targeting hospitality workers:
- Examine the sender’s email address – hover over it to ensure that the full address is legitimate. Check if your email provider categorizes it as first-time, infrequent, or “[External].”
- Contact the service provider (i.e., Booking.com) directly using the official contact forms listed on the official website.
- Be wary of urgent calls to action or threats. Phishing attacks and scams often create a false sense of urgency to trick targets into acting without first scrutinizing the message’s legitimacy.
- Hover over links to observe the full URL – do not click. Simply clicking the link could let a threat actor download malware onto your device. Ensure the entire URL is legitimate. The best practice is to search for the company website directly in your browser and navigate from there rather than following a link from an email.
- Search for typos in URLs, email addresses, or elsewhere. While the email text may be splendid, phishing emails often come from fraudulent email domains or URLs. For example, you might see micros0ft[.]com, where the second o has been replaced by 0, or rnicrosoft[.]com, where the m has been replaced by r and n.
- Remember that legitimate organizations do not request personal or financial information via unsolicited phone calls or emails.
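The sender-address and typo checks above can be automated as a first-pass screen on incoming mail. The following Python is an added example, not code from the article or from Microsoft; it applies the exact substitutions the article names (0 for o, rn for m) plus a few more, and the brand list and confusable table are assumptions to adapt to your own environment.

```python
from email.utils import parseaddr

# Brand domains genuine mail is expected from (assumed list; extend for your org).
KNOWN_BRANDS = {"booking.com", "microsoft.com"}
# Sequences the eye accepts as the character they imitate; the first two are the
# substitutions the article names (0 for o, rn for m).
CONFUSABLES = [("rn", "m"), ("0", "o"), ("1", "l"), ("vv", "w"), ("cl", "d")]

def refang(text):
    """Turn defanged notation such as micros0ft[.]com into a plain domain."""
    return text.replace("[.]", ".").replace("(.)", ".")

def normalize(label):
    """Collapse confusable sequences, so 'rnicros0ft' becomes 'microsoft'."""
    label = label.lower()
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label

def registrable(domain):
    """Last two labels, so mail.booking.com is judged as booking.com."""
    return ".".join(refang(domain).lower().rstrip(".").split(".")[-2:])

def lookalike_brand(domain, brands=KNOWN_BRANDS):
    """Brand the domain imitates once confusables are collapsed, else None
    (None also for the genuine brand domain itself)."""
    reg = registrable(domain)
    if reg in brands:
        return None
    name = reg.partition(".")[0]
    for brand in brands:
        if normalize(name) == normalize(brand.partition(".")[0]):
            return brand
    return None

def assess_sender(from_header, brands=KNOWN_BRANDS):
    """The article's 'examine the full sender address' check on a From: header:
    the display name may say Booking.com while the real address does not.
    Returns a list of findings; an empty list means nothing suspicious."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["no parseable address in From header"]
    domain = addr.rsplit("@", 1)[1]
    if registrable(domain) in brands:
        return []  # genuine brand domain, subdomains included
    brand = lookalike_brand(domain, brands)
    if brand:
        return [f"domain {domain} imitates {brand}"]
    claimed = [b for b in brands if b.partition(".")[0] in display.lower()]
    if claimed:
        return [f"display name claims {claimed[0]} but address is at {domain}"]
    return []
```

The display-name check covers the case the article attributes to Storm-1865, where mail is sent through ordinary services such as Gmail under a brand's name; it is a screening heuristic, not a substitute for SPF/DKIM/DMARC evaluation.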
Other recommendations include enforcing multi-factor authentication where possible and using security solutions that check links, identify and block malicious websites, and guard against malware. Solutions also exist that block executable files or scripts from running.