Cybercriminals are ramping up their tactics, posing as Booking.com to trick hotel and hostel employees into downloading credential-stealing malware.
The scam, which started in December 2024 and is still active, has been targeting hospitality workers in North America, Southeast Asia, and Europe. Cybercriminals send fake emails that appear to come from Booking.com, using urgent messages about bad guest reviews, booking requests, or account verifications to lure victims in.
Once a victim clicks on the email link, they’re taken to a fake CAPTCHA page and told to copy and paste a command into their computer, unwittingly installing malware.
Microsoft has identified multiple malware strains being used in the attack, including XWorm, Lumma Stealer, and VenomRAT, which can steal login details and financial information.
Why It Matters: Hotels and hostels handle large amounts of sensitive customer data, making them prime targets for cybercriminals. A single infected device can lead to stolen credit card details, fraudulent transactions, and even a complete system takeover. Microsoft has issued a warning to hospitality businesses, urging them to stay vigilant and take steps to protect their staff and systems.
- Fake Booking.com Emails: Hackers are sending phishing emails that closely mimic legitimate messages from Booking.com. Since hotel and hostel staff frequently interact with Booking.com, they may not question the emails’ authenticity. This makes it easier for cybercriminals to lure them into the scam.
- Tricky ClickFix Technique: Instead of using traditional malware attachments, hackers employ a social engineering trick called ClickFix: the fake CAPTCHA page tells the victim to copy and paste a command into their computer. Because the victim carries out the action themselves, it can sometimes bypass automated security filters. This method exploits human problem-solving instincts, making it particularly deceptive.
- Dangerous Malware Involved: Once the malicious command is executed, various types of malware can be installed on the victim’s device. Microsoft has identified strains like XWorm, Lumma Stealer, and AsyncRAT, all of which are designed to steal financial data, login credentials, and other sensitive information. Infected computers can then be used to conduct fraud, access corporate networks, or even spread malware to other systems.
- Ongoing Threat from Storm-1865: The cybercriminal group behind this campaign, Storm-1865, has a history of large-scale phishing attacks. In 2023, they targeted hotel guests using fake Booking.com emails, and in 2024, they went after e-commerce customers with similar scams.
- How to Stay Safe: Microsoft advises hospitality businesses to be extra cautious when receiving emails that ask for urgent action. Staff should verify email senders, check for typos or suspicious links, and avoid copying commands from unknown sources. Enabling multi-factor authentication (MFA) and using endpoint security tools like Microsoft Defender can help prevent malware infections. Regular employee training on phishing threats is also essential to reducing the risk of falling victim to such attacks.
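The sender and link checks in the advice above can be automated for mail that presents itself as Booking.com. The sketch below is an added example, not code from Microsoft or Booking.com; the sample messages, the `.example` hosts and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

BRAND = "booking.com"  # the brand this campaign impersonates

# Constructed sample messages (not real campaign emails); .example hosts are placeholders.
SPOOFED = """\
From: "Booking.com Support" <noreply@booking-partner-review.example>
Subject: Urgent: negative guest review needs your response

A guest left a complaint. Respond within 24 hours:
https://booking.com.review-check.example/verify
"""
GENUINE = """\
From: "Booking.com" <noreply@booking.com>
Subject: New booking request

View the request at https://admin.booking.com/
"""

def under_brand(host):
    """True only for booking.com itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == BRAND or host.endswith("." + BRAND)

def triage(raw):
    """Return the reasons a message that claims the brand does not match it."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    claimed = (display + " " + msg.get("Subject", "")).lower()
    if "booking" not in claimed:
        return []  # message does not present itself as Booking.com
    findings = []
    sender_host = addr.rpartition("@")[2]
    if not under_brand(sender_host):
        findings.append("sender domain %r is not %s" % (sender_host, BRAND))
    # Assumes a single-part plain-text body; multipart/encoded mail needs decoding first.
    for url in re.findall(r"https?://[^\s\"'<>]+", msg.get_payload()):
        host = urlsplit(url).hostname
        if not under_brand(host):
            findings.append("link host %r is not %s" % (host, BRAND))
    return findings

if __name__ == "__main__":
    for name, raw in (("SPOOFED", SPOOFED), ("GENUINE", GENUINE)):
        print(name, triage(raw))
```

A From header can be forged outright, so this check complements the mail gateway's SPF, DKIM and DMARC verdicts rather than replacing them.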