
Hospitality Sector Targeted by Ongoing ClickFix Attack Campaign

The phishing attack impersonates travel site Booking.com.


Hotels, travel agencies, and other hospitality organisations have been subjected to a phishing campaign which aims to compromise financial accounts and credentials.

The security research team at Microsoft said that a threat actor known as Storm-1865 is behind an ongoing phishing campaign that impersonates travel site Booking.com. The targets are hospitality companies that are most likely to be working with Booking.com directly.

The threat actors use a technique known as "ClickFix." In this type of attack, the victim is presented with a fake error message pop-up or notification. The notification instructs the user to either visit a site or copy and paste a command that will lead to either an exploit or direct download of the malware package.

According to SC Media, such attacks are often more successful than other common methods because they not only catch the user off guard with a seemingly official notification from the operating system, but can also be carried out in a way that flies under the radar of many antimalware tools.

Significant Threat

In a statement sent to SC UK, a spokesperson for Booking.com said: "Unfortunately phishing attacks by criminal organisations pose a significant threat to many industries. While we can confirm that Booking.com's systems have not been breached, we are aware that unfortunately some of our accommodation partners and customers have been impacted by phishing attacks sent by professional criminals, with the criminal intent of taking over their local computer systems with malware." 

Confirming that the actual numbers of accommodations affected by this scam "are a small fraction of those on our platform," Booking.com says it is continuing to make significant investments to limit the impact on its customers and partners.

"We are also committed to proactively helping our accommodation partners and customers to stay protected," they said. "A lot of this is via education, informing our partners of the types of scams we are seeing while arming our customers with practical advice that they can apply as they search for and manage their holiday bookings.”

The statement said customers are encouraged to check the payment policy details on their booking confirmation to be sure that the message is legitimate, and to “report any suspicious messages to our 24/7 customer service team or by clicking on ‘report an issue’ which is included in the chat function. It is important to note that we would never ask a customer to share payment information via email, chat messages, text messages or phone.” 




Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
