ClickFix Email Scam Alert: Fake Booking.com Emails Deliver Malware


Cofense Intelligence uncovers a surge in ClickFix email scams impersonating Booking.com, delivering RATs and info-stealers. Learn how these sophisticated attacks trick users into running malware and what to watch out for.

Cybersecurity experts at Cofense Intelligence are warning hotel chains and other businesses in the food and accommodation sector about an email scam that mimics Booking.com. These deceptive emails are part of attack campaigns known as ClickFix, which aim to trick users into running malicious software.

The ClickFix campaign has been steadily gaining traction since November 2024, with a notable acceleration in recent months. According to Cofense’s analysis, a staggering 47% of the total campaign volume was observed in March 2025 alone.

The firm’s active threat reports (ATRs) indicate that 75% of all incidents involving fake CAPTCHAs utilized Booking.com-themed ClickFix templates. While Booking.com impersonations are most common, Cofense also noted less frequent variations, including those spoofing Cloudflare Turnstile and cookie consent banners.

The scam begins with an email containing a link to a fake CAPTCHA website. A CAPTCHA is usually a test designed to tell humans and computers apart, like typing distorted letters. In this case, however, the fake CAPTCHA is a trick. Instead of a real verification code, clicking on it delivers a harmful script to the user’s computer.

These ClickFix websites then instruct users to press specific keyboard shortcuts, typically Windows key + R, followed by Ctrl + V, and then Enter. This sequence opens the Run command in Windows, pastes the hidden malicious script, and then executes it. The malicious script often includes extra characters that look like a verification code to hide the real harmful commands.
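As an added detection example (not from Cofense or the original article): a triage pass over a user's Run-dialog history that flags entries pairing a script interpreter with verification-style decoy text, as described above. It assumes the history was exported from the `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` registry key, a location the article does not mention; the interpreter list, decoy wording, and sample values are constructed for illustration.

```python
import re

# Script hosts that can run text pasted into the Run dialog.
# This list is an assumption for the example, not taken from the report.
INTERPRETER = re.compile(r"\b(powershell|pwsh|cmd|mshta|wscript|cscript)\b", re.I)
# Lure wording appended so the pasted command resembles a verification code.
DECOY = re.compile(r"captcha|verif\w*|not a robot|i am human", re.I)


def triage_runmru(values):
    """Return (name, command, reasons) for suspicious entries, newest first.

    `values` maps RunMRU value names to data. "MRUList" holds the value
    names in most-recent-first order; each entry's data ends in "\\1".
    """
    findings = []
    for name in values.get("MRUList", ""):
        raw = values.get(name)
        if raw is None:
            continue  # MRUList can reference a value that was deleted
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        reasons = []
        if INTERPRETER.search(cmd):
            reasons.append("script interpreter")
        if DECOY.search(cmd):
            reasons.append("verification-style decoy text")
        # Either signal alone is common in benign use; both together match
        # the pasted-command pattern and deserve an analyst's attention.
        if len(reasons) == 2:
            findings.append((name, cmd, reasons))
    return findings


# Constructed sample export; the script body is a deliberate placeholder.
SAMPLE = {
    "MRUList": "cdba",
    "a": "notepad\\1",
    "b": "cmd /c ipconfig /all\\1",
    "c": 'powershell -c "<script placeholder>" # Booking.com verification ID: 58213\\1',
    "d": "\\\\fileserver\\share\\1",
}

if __name__ == "__main__":
    for name, cmd, reasons in triage_runmru(SAMPLE):
        print(f"[{name}] {cmd}  <- {', '.join(reasons)}")
```

This is a keyword heuristic, so a hit is a lead for review rather than proof of compromise, and an empty result does not rule out an incident.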

These sites are cleverly designed to look like legitimate pages from well-known brands such as Booking.com and Cloudflare. Interestingly, the scam only targets Windows computers, and if accessed on other devices, the fake CAPTCHA sites will display a message indicating they only work on Windows.

Once the malicious script is run, it can install various types of dangerous software. The most common payload seen in these attacks is XWorm RAT, a type of Remote Access Trojan (RAT). RATs allow attackers to secretly control a victim’s computer from a distance.

Other frequently observed malware includes Pure Logs Stealer and DanaBot, which are information stealers designed to swipe sensitive data. In some instances, both RATs and information stealers have been delivered in a single attack.

Sample Attack Chain (Source: Cofense)

This ClickFix method is a concerning new tactic because it manipulates users into activating the malware themselves, without needing to download any files directly. It highlights the importance of being cautious about suspicious emails, even those that appear to be from trusted sources like Booking.com, and of always double-checking the legitimacy of any verification steps or prompts that ask you to run commands on your computer.

For more detailed information on how to spot these ClickFix attacks, refer to Hackread.com’s guide on the techniques used to trick users and how to stay safe.

HackRead
