ClickFix Attack Exploits Booking.com to Spread Credential-Stealing Malware

The ClickFix attack is a sophisticated phishing campaign that impersonates Booking.com to deliver infostealers and Remote Access Trojans (RATs) to hospitality workers. This phishing attack specifically targets individuals in hospitality organizations in North America, Oceania, South and Southeast Asia, and Northern, Southern, Eastern, and Western Europe, who are most likely to work with Booking.com. Attackers send fake emails purporting to be from the agency, tricking recipients into executing malicious commands that compromise their systems. This campaign, active since December 2024, aims to hijack employee accounts on the platform to steal customer payment details and personal information, potentially leading to further attacks on guests.

Understanding the ClickFix Technique

ClickFix is a relatively new social engineering attack that displays fake errors on websites or in phishing documents, prompting users to perform a “fix” or “captcha” to view the content. These fake fixes are actually malicious commands that download and install infostealing malware and RATs on Windows and Mac devices. This technique has gained popularity among various threat actors, including ransomware gangs and North Korean hackers. It exploits human problem-solving tendencies and can bypass conventional security measures that rely on automated detection.

Anatomy of the Attack

In this campaign, attackers send emails impersonating Booking.com, using lures such as a guest inquiring about a negative review, a request from a prospective client, or an account verification alert.

A sample phishing email, purporting to be from a prospective guest.

These emails contain either a PDF attachment with a link or an embedded button, both leading the victim to a fake CAPTCHA page. The fake CAPTCHA adds a false sense of legitimacy, hoping to trick recipients into lowering their guard. 

A screenshot of the fake Booking.com webpage, with the fake CAPTCHA overlay outlining the ClickFix process.

When solving the malicious CAPTCHA, a hidden command is copied to the Windows clipboard under the guise of a “human verification” step. The target is instructed to open the Windows Run dialog, paste the clipboard contents into the Run field, and execute them. The victims see only keyboard shortcuts, not the content copied to the clipboard, so they have no indication they are about to execute a command on their system. This method is particularly effective against individuals with less computer experience.

An example of the mshta.exe command that the targeted user launches.

Executing the command downloads and installs a variety of malware, including XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT. These payloads can steal financial data and credentials for fraudulent use, which is characteristic of the threat actor Microsoft tracks as Storm-1865. Microsoft Threat Intelligence has confirmed that this campaign is part of an ongoing effort by cybercriminals to compromise business accounts and steal sensitive information.
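The execution chain described above leaves a recognisable footprint in endpoint telemetry: a command typed into the Run dialog is spawned by explorer.exe, and the ClickFix payload stage is a script host or download utility (mshta.exe, powershell.exe and similar) pointed at a remote URL or run with hidden-window or encoded arguments. The following is an added detection sketch written for this article, not code from the article or from any vendor; it runs over constructed Sysmon Event ID 1-style records (field names Image, ParentImage, CommandLine, User follow Sysmon's ProcessCreate event), and the host paths, user names and URL are invented placeholders.

```python
"""Added detection example: flag the Run-dialog ClickFix execution chain in process logs.

Assumptions (not from the article): records are constructed Sysmon-style
ProcessCreate entries; the list of abused binaries and argument patterns is an
illustrative starting point, not an exhaustive signature.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Binaries commonly used to fetch and run a remote payload after a paste-and-run lure.
LOLBINS = {
    "mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
    "wscript.exe", "cscript.exe", "curl.exe", "bitsadmin.exe",
}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Hidden-window, encoded-command or download-and-execute style arguments.
SUSPICIOUS_ARG_RE = re.compile(
    r"(-enc\w*|-w(indowstyle)?\s+hidden|-nop\w*|\biex\b|invoke-expression|downloadstring)",
    re.IGNORECASE,
)


@dataclass
class ProcessEvent:
    image: str          # full path of the created process (Sysmon Image)
    parent_image: str   # full path of the parent process (Sysmon ParentImage)
    command_line: str   # Sysmon CommandLine
    user: str           # Sysmon User


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def clickfix_indicators(ev: ProcessEvent) -> list[str]:
    """Return the reasons an event looks like a Run-dialog ClickFix execution, or []."""
    if basename(ev.image) not in LOLBINS:
        return []
    # Commands typed into Win+R are spawned by explorer.exe. That parent alone is
    # common on a workstation, so require a payload-fetch signal on top of it.
    from_explorer = basename(ev.parent_image) == "explorer.exe"
    signals = []
    if URL_RE.search(ev.command_line):
        signals.append("remote URL on command line")
    if SUSPICIOUS_ARG_RE.search(ev.command_line):
        signals.append("hidden/encoded/download-and-execute argument")
    if from_explorer and signals:
        return ["script host spawned by explorer.exe (Run dialog)"] + signals
    return []


def scan(events: list[ProcessEvent]) -> list[tuple[str, list[str]]]:
    """Return (command_line, reasons) for every event that trips the rule."""
    hits = []
    for ev in events:
        reasons = clickfix_indicators(ev)
        if reasons:
            hits.append((ev.command_line, reasons))
    return hits


# Constructed sample telemetry (not real log data); hosts, users and URL are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
                 "mshta.exe https://verify.example.invalid/check", "HOTEL\\frontdesk"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\explorer.exe",
                 "powershell.exe -w hidden -enc BASE64PLACEHOLDER", "HOTEL\\frontdesk"),
    # Benign: PowerShell from the Run dialog with an ordinary admin command.
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\explorer.exe",
                 "powershell.exe -NoExit -Command Get-Service", "HOTEL\\itadmin"),
    # Benign: mshta launched by an installer, not by the shell.
    ProcessEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\msiexec.exe",
                 r"mshta.exe C:\Temp\setup\ui.hta", "HOTEL\\itadmin"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe",
                 "notepad.exe shift.txt", "HOTEL\\frontdesk"),
]

if __name__ == "__main__":
    for cmd, reasons in scan(SAMPLE_EVENTS):
        print(f"ALERT: {cmd}\n  - " + "\n  - ".join(reasons))
```

The rule deliberately requires both the explorer.exe parent and a fetch-or-hide signal: either alone is noisy on an administered workstation (the third sample event shows a legitimate Run-dialog PowerShell that is not flagged), whereas the pair is the shape of a paste-and-run lure. In an EDR or SIEM the same logic maps onto a process-creation rule with parent, image and command-line conditions.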

Implications for the Hospitality Industry

The hospitality industry is particularly vulnerable to such attacks due to the high volume of customer interactions and the reliance on online booking platforms. Compromised employee accounts can lead to unauthorized access to sensitive customer information, resulting in financial losses and reputational damage. Moreover, stolen customer data can be used to launch further attacks on guests, amplifying the impact of the initial breach.

These attacks also enable cybercriminals to leverage stolen credentials for further fraud and espionage campaigns. Threat actors may sell this data on dark web marketplaces, providing opportunities for additional cyber threats beyond the initial breach.

Recommendations for Mitigation

To defend against these attacks, it is crucial for organizations to implement comprehensive security measures:

  • Verify Sender Legitimacy: Always confirm the legitimacy of the sender’s address, especially when receiving unsolicited emails related to account verification or customer inquiries. 
  • Be Cautious with Urgent Requests: Exercise caution when met with urgent calls to action, as attackers often create a sense of urgency to prompt quick, unconsidered responses. 
  • Look for Typos and Inconsistencies: Be vigilant for typos or inconsistencies in emails that could indicate phishing attempts. 
  • Independently Verify Account Status: Verify the Booking.com account status and pending alerts by logging in on the platform independently instead of following links from emails. 
  • Implement Multi-Factor Authentication (MFA): Enable MFA on all accounts to add an extra layer of security, making it more difficult for attackers to gain unauthorized access. 
  • Educate Employees: Conduct regular training sessions to educate employees about phishing tactics and the importance of not executing unsolicited commands or opening suspicious attachments. 
  • Deploy Advanced Threat Detection: Use endpoint detection and response (EDR) solutions to detect and mitigate malicious activities before they can cause harm. 
  • Monitor for Unusual Account Activity: Regularly audit login activity and look for signs of compromised accounts, such as logins from unexpected locations or devices.
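The last recommendation, auditing login activity for signs of a compromised account, is the one most directly aimed at the campaign's goal of hijacked Booking.com employee accounts. The following is an added example written for this article, not the article's own code and not Booking.com's tooling; it runs over constructed login records and flags a successful login from a country or device absent from the user's earlier baseline, two logins from different countries within a short window, and a burst of failed attempts. The user names, countries, device ids and thresholds are illustrative assumptions.

```python
"""Added example: audit login records for compromised-account signals.

Assumptions (not from the article): the records below are constructed; the field
names and the thresholds (new country/device against a per-user baseline, two
logins from different countries within 2 hours, 5 failed attempts) are
illustrative choices to be tuned for a real platform.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Login:
    user: str
    when: datetime
    country: str    # geolocated source country of the login
    device: str     # device / browser fingerprint id
    success: bool


def build_baseline(logins: list[Login], before: datetime) -> dict[str, dict[str, set[str]]]:
    """Countries and devices each user successfully logged in from before `before`."""
    base: dict[str, dict[str, set[str]]] = {}
    for lg in logins:
        if lg.success and lg.when < before:
            entry = base.setdefault(lg.user, {"countries": set(), "devices": set()})
            entry["countries"].add(lg.country)
            entry["devices"].add(lg.device)
    return base


def audit(logins: list[Login], since: datetime,
          travel_window: timedelta = timedelta(hours=2),
          fail_threshold: int = 5) -> list[tuple[str, datetime, str]]:
    """Return (user, timestamp, reason) alerts for activity at or after `since`."""
    baseline = build_baseline(logins, since)
    recent = sorted((lg for lg in logins if lg.when >= since), key=lambda lg: lg.when)
    alerts = []
    last_ok: dict[str, Login] = {}          # last successful login per user in the window
    failures: dict[str, int] = defaultdict(int)
    for lg in recent:
        if not lg.success:
            failures[lg.user] += 1
            if failures[lg.user] == fail_threshold:
                alerts.append((lg.user, lg.when, f"{fail_threshold} failed logins"))
            continue
        known = baseline.get(lg.user)
        if known:
            if lg.country not in known["countries"]:
                alerts.append((lg.user, lg.when, f"first login from country {lg.country}"))
            if lg.device not in known["devices"]:
                alerts.append((lg.user, lg.when, f"first login from device {lg.device}"))
        prev = last_ok.get(lg.user)
        # Two successful logins from different countries closer together than
        # any plausible trip is a strong sign of stolen credentials in use.
        if prev and prev.country != lg.country and lg.when - prev.when < travel_window:
            alerts.append((lg.user, lg.when, f"impossible travel {prev.country}->{lg.country}"))
        last_ok[lg.user] = lg
    return alerts


# Constructed sample records (not real data); users, countries and devices are placeholders.
REVIEW_FROM = datetime(2025, 1, 10)
SAMPLE_LOGINS = [
    Login("frontdesk@hotel.example", datetime(2025, 1, 2, 9, 0), "US", "win-lobby-01", True),
    Login("frontdesk@hotel.example", datetime(2025, 1, 6, 9, 5), "US", "win-lobby-01", True),
    Login("manager@hotel.example", datetime(2025, 1, 3, 8, 30), "US", "win-office-02", True),
    Login("frontdesk@hotel.example", datetime(2025, 1, 10, 8, 55), "US", "win-lobby-01", True),
    # Stolen credentials used 25 minutes later from another country and device.
    Login("frontdesk@hotel.example", datetime(2025, 1, 10, 9, 20), "NL", "unknown-android", True),
    Login("manager@hotel.example", datetime(2025, 1, 11, 8, 30), "US", "win-office-02", True),
] + [
    # Five failed attempts against the manager account from an unknown device.
    Login("manager@hotel.example", datetime(2025, 1, 12, 3, m), "BR", "unknown", False)
    for m in range(5)
]

if __name__ == "__main__":
    for user, when, reason in audit(SAMPLE_LOGINS, REVIEW_FROM):
        print(f"{when:%Y-%m-%d %H:%M}  {user}: {reason}")
```

Against the sample data the front-desk account produces three alerts for the single foreign login (new country, new device, impossible travel) and the manager account one alert for the failed-login burst. The baseline is built only from successful logins before the review window, so an attacker's own login cannot poison it, and per-user baselines matter because a "new country" is only anomalous relative to where that employee normally works.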

Final Thoughts

The ClickFix attack demonstrates how cybercriminals continue to refine their methods, making it crucial for businesses to stay ahead of emerging threats. The evolving nature of these phishing campaigns highlights the importance of ongoing cybersecurity awareness and proactive security measures. By understanding these tactics and implementing robust security strategies, organizations can better protect themselves and their customers from these malicious campaigns.

Author

  • Maya Pillai is a tech writer with 20+ years of experience curating engaging content. She can translate complex ideas into clear, concise information for all audiences.
