Booking.com

The **ClickFix phishing campaign** targeted **Booking.com** and its affiliated hotels by exploiting compromised accounts to distribute **PureRAT malware** via phishing emails and WhatsApp messages. Attackers purchased stolen **Booking.com administrator credentials** from dark web forums (e.g., LolzTeam) to craft convincing scams. Victims—both hotels and guests—were lured into fake **Booking/Expedia login pages**, where their **login credentials and payment card data** were harvested. The malware (**PureRAT**) enabled remote access, keystroke logging, and surveillance via webcam/microphone, allowing attackers to map hotel customer databases for further fraud. Fraudulent wire transactions were also executed using stolen data. The campaign, active since at least **April 2025**, leveraged real reservation details to enhance credibility, amplifying financial and reputational damage. While the exact scale of compromise remains undisclosed, the attack disrupted trust in Booking.com’s platform, exposed sensitive customer financial data, and enabled downstream fraud against hotels and guests.

Source: https://www.techradar.com/pro/security/major-phishing-attack-hits-hotels-with-ingenious-new-scam-that-also-spreads-dangerous-malware

Booking.com cybersecurity rating report: https://www.rankiteo.com/company/booking.com

"id": "boo1502015111225",
"linkid": "booking.com",
"type": "Cyber Attack",
"date": "4/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Hospitality/Travel',
                        'location': 'Global',
                        'name': 'Booking.com',
                        'type': 'Online Travel Agency (OTA)'},
                       {'industry': 'Hospitality/Travel',
                        'location': 'Global',
                        'name': 'Expedia',
                        'type': 'Online Travel Agency (OTA)'},
                       {'industry': 'Hospitality',
                        'location': 'Global',
                        'name': 'Unspecified Hotels',
                        'type': 'Hospitality Business'},
                       {'location': 'Global',
                        'name': 'Hotel Guests',
                        'type': 'Individual Consumers'}],
 'attack_vector': ['compromised email accounts',
                   'phishing links',
                   'fake reCAPTCHA challenge',
                   'malware download (PureRAT)',
                   'personalized WhatsApp messages',
                   'fake Booking/Expedia websites'],
 'data_breach': {'data_exfiltration': ['credentials sold on dark web forums '
                                       '(e.g., LolzTeam)'],
                 'personally_identifiable_information': ['potentially included '
                                                         '(names, contact '
                                                         'details, payment '
                                                         'info)'],
                 'sensitivity_of_data': ['high (financial and personal data)'],
                 'type_of_data_compromised': ['login credentials',
                                              'payment card information',
                                              'reservation details']},
 'date_publicly_disclosed': '2025-10-01',
 'description': 'Attackers exploit compromised Booking.com accounts and sell '
                'stolen credentials on dark web forums. Guests are tricked '
                'into fake Booking/Expedia sites, losing login and payment '
                'card data. Hotels and their guests are targeted by a '
                'sophisticated ClickFix campaign delivering PureRAT malware, '
                'stealing credentials, and enabling fraudulent wire '
                'transactions. The campaign involves phishing emails, fake '
                'reCAPTCHA challenges, and personalized WhatsApp messages with '
                'real reservation details to deceive victims. PureRAT grants '
                'remote access, keystroke logging, and data exfiltration '
                'capabilities. The campaign has been active since at least '
                'April 2025 and remains operational as of early October 2025.',
 'impact': {'brand_reputation_impact': ['potential loss of trust in '
                                        'Booking.com and affected hotels'],
            'data_compromised': ['login credentials',
                                 'payment card data',
                                 'reservation details'],
            'identity_theft_risk': ['high (due to stolen credentials and '
                                    'payment data)'],
            'payment_information_risk': ['high (credit card data stolen)']},
 'initial_access_broker': {'backdoors_established': ['PureRAT malware'],
                           'data_sold_on_dark_web': ['Booking.com extranet '
                                                     'account credentials'],
                           'entry_point': ['compromised Booking.com accounts',
                                           'purchased administrator contact '
                                           'info from dark web'],
                           'high_value_targets': ['hotel administrators',
                                                  'Booking.com account holders',
                                                  'hotel guests']},
 'investigation_status': 'Ongoing (as of October 2025)',
 'motivation': ['financial gain', 'data theft', 'fraudulent transactions'],
 'post_incident_analysis': {'root_causes': ['successful phishing attacks',
                                            'lack of MFA on Booking.com '
                                            'accounts',
                                            'trust in legitimate-looking '
                                            'communications']},
 'references': [{'source': 'TechRadar Pro'},
                {'source': 'Sekoia Cybersecurity Research'}],
 'response': {'third_party_assistance': ['Sekoia (cybersecurity research)']},
 'title': 'ClickFix phishing campaign targets hotels and guests with PureRAT '
          'malware',
 'type': ['phishing',
          'malware (PureRAT)',
          'credential theft',
          'fraud',
          'data breach'],
 'vulnerability_exploited': ['human trust (social engineering)',
                             'compromised Booking.com accounts',
                             'lack of multi-factor authentication (MFA)']}