Summary Points
- Targeted Cyber Attacks: Researchers discovered a widespread campaign aimed at hotels, utilizing ClickFix attacks to infiltrate systems and steal customer data as part of broader assaults on the hospitality sector.
- Phishing Tactics: Attackers exploited compromised Booking.com accounts to send phishing emails and messages, leveraging stolen customer data for legitimacy, ultimately leading to customer impersonation and credential theft.
- Malware Deployment: The campaign disseminated infostealing malware and a remote access Trojan (RAT) named PureRAT, which facilitated extensive access to compromised systems and allowed for further malicious activity.
- Secondary Victims: Following initial attacks, threat actors initiated downstream attacks targeting hotel customers through fraudulent communications, prompting them to verify banking details on phishing sites mimicking Booking.com.
Researchers have uncovered a broad campaign in which threat actors target hotels with ClickFix attacks to steal customer data as part of ongoing attacks against the hospitality sector that includes secondary attacks against the establishments’ customers.
Threat analysts at Sekoia.io uncovered the activity when a partner alerted them to a phishing campaign that used either emails sent from a hotel’s compromised Booking.com account or messages in WhatsApp, according to a report published Friday. Attackers had customer data, including personal identifiers and reservation details, which made their phishing attempts appear more legitimate.
After further analysis, the researchers realized the activity was part of a much broader campaign that started around April and was still active up to at least October involving a ClickFix attack spreading infostealing malware that targeted hotels and other lodging establishments, they said. The campaign enabled the theft of professional credentials granting access to booking platforms, such as Booking.com and Expedia.
“Threat actors then either sold the harvested credentials on cybercrime forums or leveraged them directly to send fraudulent emails to hotel customers, often as part of banking fraud schemes,” Jeremy Scion, Quentin Bourgue, and Sekoia Threat Detection Response (TDR) wrote in the report. Moreover, they uncovered “hundreds of malicious domains active for several months as of October 2025, demonstrating a resilient and likely profitable campaign,” according to the report.
Targeting Hospitality Sector
The initial attack against hotels uses a compromised email account to send malicious messages to multiple hotel establishments. In some instances, attackers alter the “From” header to impersonate Booking.com, while subject lines are often related to guest matters, including references to last-minute booking, listings, reservations, and the like.
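The altered "From" header described above can be checked on the receiving side. The following is an added example, not code from the Sekoia.io report: a heuristic that flags mail claiming to be Booking.com when the address domain, envelope sender, or DMARC result does not agree. The finding names, the `.example` domains and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

BRAND = "booking.com"  # the brand the article says is impersonated

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def is_brand(dom):
    return dom == BRAND or dom.endswith("." + BRAND)

def check_from_impersonation(raw):
    """Return heuristic findings for a raw RFC 5322 message given as text."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = domain(addr)
    rp_dom = domain(parseaddr(msg.get("Return-Path", ""))[1])
    # Authentication-Results is stamped by the receiving mail server (RFC 8601).
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    findings = []
    if "booking" not in display.lower() and not is_brand(from_dom):
        return findings  # message does not claim to be the brand
    if not is_brand(from_dom):
        # Brand appears only in the display name; DMARC may still pass for
        # the real (possibly compromised) sending domain, so check the address.
        findings.append("display-name-spoof")
    if rp_dom and not is_brand(rp_dom):
        findings.append("return-path-mismatch")  # a signal, not proof on its own
    if is_brand(from_dom) and "dmarc=pass" not in auth:
        findings.append("dmarc-not-pass")
    return findings

def sample(frm, return_path, auth):  # builds constructed test messages
    return (f"From: {frm}\nReturn-Path: <{return_path}>\n"
            f"Authentication-Results: mx.hotel.example; {auth}\n"
            "Subject: Last-minute booking\n\nbody\n")

DISPLAY_SPOOF = sample('"Booking.com" <info@partner-inn.example>',
                       "info@partner-inn.example",
                       "dmarc=pass header.from=partner-inn.example")
HEADER_SPOOF = sample("Booking.com <noreply@booking.com>",
                      "bounce@mailer.example", "dmarc=fail header.from=booking.com")
ALIGNED = sample("Booking.com <noreply@booking.com>",
                 "bounce@bounce.booking.com", "dmarc=pass header.from=booking.com")

if __name__ == "__main__":
    for name in ("DISPLAY_SPOOF", "HEADER_SPOOF", "ALIGNED"):
        print(name, check_from_impersonation(globals()[name]))
```

The first sample shows why a passing DMARC result alone is not enough: a message sent from a compromised third-party account authenticates correctly for that account's domain while the display name still reads "Booking.com".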
The attack chain then uses a redirection URL that ultimately leads to a ClickFix reCAPTCHA challenge in which users are prompted to copy a malicious PowerShell command. This command eventually leads to the deployment of infostealing and remote access Trojan (RAT) malware.
Sekoia.io cited March research from Microsoft that detailed attackers impersonating Booking.com in ClickFix attacks against hotels, noting that the campaigns are similar.
Cofense last June also detailed a ClickFix campaign targeting hotels that used lures regarding guests similar to the one Sekoia.io outlined. Cofense’s report noted the attacks delivered various infostealing and RAT malware as well, demonstrating consistent attack activity against the hospitality sector using ClickFix.
ClickFix Multi-Malware Delivery
ClickFix is an attack method first detailed by researchers at Proofpoint last year in which a compromised website shows users fake error messages by executing malicious code, tricking them into thinking they have to download or update software to address the issue. In reality, however, installing the “update” actually executes malware on their devices. Since its discovery, the vector has gained steady traction with threat actors.
In this campaign, the attack delivers infostealing malware that gathers various data from the compromised system, including key system information, and downloads files that lead to the launch of a RAT known as “PureRAT” for further malicious activity. The infostealer also reports status updates to its command-and-control (C2) infrastructure at each step of the attack to indicate the successful progression of the action, the researchers noted.
PureRAT is a modular malware-as-a-service (MaaS) offering also known as PureHVNC and ResolverRAT. Once deployed, PureRAT capabilities include remote user interface access, mouse and keyboard control, webcam and microphone capture, keylogging, file upload/download, traffic proxying, data exfiltration, and remote execution of commands or binaries, according to the Sekoia.io report.
Downstream Customer Attacks
The ClickFix attacks against hotels have led to secondary attacks against their customers, with attackers contacting them via WhatsApp or email using legitimate reservation details of the target, according to the researchers.
“The message claimed an alleged security issue had occurred during the verification of the customer’s banking details and urged them to confirm their information,” they wrote. “To strengthen the credibility of the message, the attacker explained that this was a procedure implemented by Booking to protect against cancellations.”
Attackers then ask victims to validate banking details by visiting a URL, which leads to a phishing page that mimics Booking.com’s typography and layout and harvests the victim’s banking information.
Avoiding ClickFix Scams
The campaign is further evidence of the growing effectiveness of threat actors in various aspects of malicious activities, including social engineering in their targeting of Booking.com and hospitality sites, as well as use of related lures and commodity malware on cybercrime forums.
To help defenders avoid compromise, Sekoia.io included a list of indicators of compromise (IoCs) in the post, including those associated with the ClickFix redirect URL, PowerShell URL, and payload; PureRAT staging and payload; and URLs involved in the phishing campaign against hotel customers.
As always, people should be suspicious of receiving unsolicited emails related to services they frequently use, and analyze them carefully even if they appear to come from a credible sender or service provider.
