Microsoft has uncovered a new phishing tactic called “ClickFix” that exploits human problem-solving tendencies to deploy malware. The cybercriminal group, tracked as Storm-1865, is using this method to target organizations worldwide, with a particular focus on the hospitality industry.
A Global Threat Disguised as Booking.com
Storm-1865 has been impersonating Booking.com to trick victims into executing malicious commands. Microsoft observed attacks in North America, Oceania, South and Southeast Asia, and Europe, demonstrating the group’s extensive reach.
The attack begins with an email that appears to be from Booking.com. The email may reference a negative review, an account verification request, or a promotional offer—anything that prompts the recipient to take action. Victims who click on the link are directed to a website mimicking Booking.com, complete with a fake CAPTCHA.
This page then instructs users to open a Windows Run window and paste a copied command. Once executed, malware is downloaded onto the victim’s system. Microsoft has linked these infections to multiple malware families, all of which have capabilities to steal financial data and credentials.
Microsoft Sounds the Alarm
Security researchers at Microsoft first detected Storm-1865’s activities in December 2023. Despite awareness efforts, the attacks remain ongoing as of February 2024.
Microsoft warns that the phishing pages provide a false sense of security. Because they mimic real verification processes, victims may believe they are taking extra security precautions rather than falling for a scam.
The company advises users to verify email senders, check for typos, and inspect URLs before clicking links. Additionally, users should avoid pasting commands from unknown sources into their computers.
Booking.com Responds to the Threat
Booking.com has confirmed that while its internal systems have not been breached, phishing attempts have affected some of its accommodation partners and customers.
A spokesperson for the company stated, “The actual number of accommodations affected by this scam is a small fraction of those on our platform. We continue to invest significantly in security to limit the impact.”
Booking.com also reiterated that it never asks customers to share payment details via email, chat, text, or phone calls.
Why ClickFix Stands Out
While phishing scams are nothing new, ClickFix introduces a sophisticated layer of social engineering by incorporating fake security checks.
According to Chet Wisniewski, global field CTO at Sophos, ClickFix is an “outside-the-box” technique but may not be widely adopted due to its reliance on victim participation.
- Users need a moderate level of technical understanding to follow the attacker’s instructions.
- Those who are tech-savvy may recognize the scam, while less experienced users might not understand the instructions.
- Cybercriminals have long used deceptive tactics to bypass security measures, and ClickFix is just the latest example.
Wisniewski emphasizes the importance of raising awareness to prevent these attacks. He also recommends that IT administrators restrict administrative rights to limit damage from such scams.
Protecting Against ClickFix and Similar Scams
To defend against ClickFix, organizations and individuals should remain cautious of emails urging immediate action. Security experts advise:
Security Measure | Reason |
---|---|
Verify sender details | Phishing emails often use fake addresses that resemble legitimate ones. |
Check for typos | Scammers frequently make spelling or grammatical mistakes. |
Inspect URLs | Hover over links before clicking to confirm they lead to legitimate sites. |
Avoid running unknown commands | Never paste unfamiliar commands into your computer’s terminal or Run window. |
Use two-factor authentication | Adds an extra layer of security to accounts. |
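For responders, the Run-window step described earlier leaves a trace that can be checked. The sketch below is an added example, not code from Microsoft or Booking.com. It triages a user's Run-dialog history as exported from the `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` registry key and flags entries that launch a script-capable host together with a remote URL. The host list, function names and sample entries are assumptions constructed for illustration, not indicators from the reporting above.

```python
import re

# Assumed list of script-capable hosts; extend to fit your environment.
SCRIPT_HOSTS = {"powershell", "pwsh", "mshta", "cmd", "wscript", "cscript", "curl"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

def parse_runmru(values):
    """Return Run-dialog commands, most recent first.

    `values` maps RunMRU value names to their string data. `MRUList`
    holds the value names in most-recent-first order.
    """
    commands = []
    for name in values.get("MRUList", ""):
        data = values.get(name)
        if data is None:
            continue
        # Explorer stores each typed command with a trailing "\1" marker.
        commands.append(data[:-2] if data.endswith("\\1") else data)
    return commands

def executable_name(command):
    """Lower-cased base name of the program a Run entry starts, without .exe."""
    command = command.strip()
    if command.startswith('"'):            # quoted path that may contain spaces
        first = command[1:].split('"', 1)[0]
    else:
        first = command.split(None, 1)[0] if command else ""
    base = first.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base

def triage(values):
    """Flag Run entries that pair a script host with a remote URL."""
    findings = []
    for command in parse_runmru(values):
        host, urls = executable_name(command), URL_RE.findall(command)
        if host in SCRIPT_HOSTS and urls:
            findings.append({"host": host, "urls": urls, "command": command})
    return findings

# Constructed sample export; not taken from a real incident.
SAMPLE = {
    "MRUList": "dcba",
    "a": "regedit\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": "mshta https://verify.example.invalid/captcha\\1",
    "d": "powershell\\1",
}

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding["host"], finding["urls"], finding["command"])
```

A bare `powershell` entry is not flagged, because the heuristic needs both a script host and a URL. That keeps everyday administrator use out of the results.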
Cybercriminals are constantly refining their methods, and ClickFix is another reminder that vigilance is key. Microsoft continues to monitor Storm-1865, but ultimately, awareness and good security habits are the best defense.