TelcoNews UK - Telecommunications news for ICT decision-makers

Fake booking sites push malware as HP warns of click fatigue

Yesterday

HP Wolf Security has reported an increase in cyberattacks targeting people booking holidays, with attackers using fake Booking.com websites to distribute malicious software.

The company's latest Threat Insights Report highlights a series of campaigns in which users visiting spoofed travel booking websites are presented with a deceptive cookie banner that prompts them to click "Accept" to access the content. Clicking the button downloads a malicious JavaScript file without the user realising it, resulting in an XWorm infection that gives attackers full control over the victim's device.

Spoofed booking sites

The report describes how these counterfeit websites closely imitate Booking.com, including branding and blurred content that appears legitimate at first glance. When users click to accept the cookies, a malicious process begins in the background.

"Since the introduction of privacy regulations such as GDPR, cookie prompts have become so normalized that most users have fallen into a habit of 'click-first, think later.' By mimicking the look and feel of a booking site at a time when holiday-goers are rushing to make travel plans, attackers don't need advanced techniques - just a well-timed prompt and the user's instinct to click," said Patrick Schläpfer, Principal Threat Researcher in the HP Security Lab.

The first signs of this campaign were detected in the first quarter of 2025, coinciding with the busy summer holiday booking season. The campaign remains active, with threat actors continuing to register new domains imitating booking services to target users during the peak period for travel arrangements.

Threat techniques

The report also covers a variety of other malware delivery methods identified through HP Wolf Security's research. One such technique involves the use of Windows Library files to disguise malware as seemingly harmless PDFs, placed in familiar local folders such as "Documents" or "Downloads." Victims may see a Windows Explorer pop-up displaying what appears to be a standard file, but clicking this shortcut initiates a malware download.

Another observed tactic uses malicious PowerPoint files. When opened in full-screen mode, the PowerPoint deck appears to replicate a normal folder window. If users attempt to close or escape the presentation, they trigger the download of a compressed archive containing a VBScript and an executable file, which connects to GitHub to download additional malware.

The report notes that MSI (Microsoft Installer) files are now frequently leveraged for malware delivery. Much of this activity has been linked to ChromeLoader campaigns, with MSI installers distributed through deceptive software sites and malicious advertising. These installers often use valid and recently generated code-signing certificates, which help them bypass Windows security warnings and appear legitimate to prospective victims.

Exploiting click fatigue

According to the report, attackers across all these campaigns are taking advantage of so-called "click fatigue" and routine user behaviours to bypass security measures. The normalisation of prompts such as cookie banners and other pop-ups has led users to respond reflexively, opening new avenues for cybercriminals to deceive even cautious individuals.

Dr. Ian Pratt, Global Head of Security for Personal Systems at HP, commented, "Users are growing desensitized to pop-ups and permission requests, making it easier for attackers to slip through. Often, it's not sophisticated techniques, but moments of routine that catch users out. The more exposed those interactions are, the greater the risk. Isolating high-risk moments, like clicking on untrusted content, helps businesses reduce their attack surface without needing to predict every attack."

Active campaign and user impact

The report states that HP Wolf Security customers have encountered over 50 billion email attachments, web pages, and downloaded files with no reported breaches, thanks to the product's use of virtualised containers that allow malware to detonate safely without impacting user devices.

The data used in the report was collected from millions of endpoints running HP Wolf Security between January and March 2025, and includes findings from an independent investigation by the HP Threat Research Team. The research offers insights into the most recent techniques criminals are using to evade traditional detection tools and compromise PCs.

The threat campaigns identified in the report remain active, especially those focusing on intercepting holiday bookings through spoofed travel sites. The findings underline the importance of continued vigilance among users, particularly during periods of heightened activity such as the busy summer travel season.
