
A new form of cyberattack, known as ClickFix, is currently wreaking havoc on the hospitality industry, specifically targeting hotels and businesses within the sector across Europe. The malware involved, identified as DCRat, is being deployed through a campaign named PHALT#BLYX, which is believed to be run by Russian-speaking cybercriminals. The campaign's primary goal is to compromise hotel reservation systems by tricking employees into downloading malicious software via a Windows Blue Screen of Death (BSOD) screen.
The attack begins in a seemingly harmless manner, with a pop-up alert appearing on the victim’s computer screen. This alert, often displayed on a hotel’s booking counter PC, claims that a guest wishes to cancel their reservation, citing a variety of reasons. The pop-up offers the victim the option to accept or deny the cancellation request, usually promising a small fee reduction if the request is accepted. While this may seem like a routine part of customer service, it’s the beginning of a well-crafted scam.
When the hotel employee interacts with the pop-up, either by accepting or declining the cancellation request, they are directed to a malicious link. This link then triggers a sequence that leads to the infamous “Blue Screen of Death” (BSOD) error screen, a common and alarming Windows error that typically indicates a system crash or critical failure. However, in this case, it’s a deliberate part of the malware’s attack mechanism.
At this stage, the BSOD is merely a distraction, designed to convince the victim that their system has suffered a critical failure. The unsuspecting victim, unsure of how to proceed, is prompted by further on-screen instructions to download and install a specific file or software in an attempt to fix the issue. Without the victim’s knowledge, this action triggers the installation of a malicious payload, DCRat, on the victim’s computer.
DCRat is a remote access tool (RAT) that allows attackers to control the infected system from a distance. Once the malware is installed, it opens a backdoor to the system, enabling cybercriminals to monitor the victim’s activities, steal sensitive data, and even gain control over the hotel’s network. This can lead to severe consequences, ranging from financial losses to significant reputational damage for the business involved.
The malware is spread through search engines popular within the hospitality industry, such as Google Hotel Search, TripAdvisor, Trivago, and Booking.com. These platforms, which are frequently used by hotel staff to manage bookings and customer queries, have become the prime targets for this campaign. Researchers from cybersecurity firm Securonix have confirmed that this specific type of ClickFix attack is part of a broader effort to exploit vulnerabilities within the hospitality sector’s online infrastructure.
The sophistication of this attack is a reminder of the evolving threats that businesses face in the digital age. While it may seem like a simple customer service issue at first, this scam is a calculated attempt to breach hotel reservation systems and gain access to sensitive data. Hotel employees, especially those working at front desks or managing bookings, need to be vigilant and trained to recognize these types of threats in order to prevent further damage.
As cybercriminals continue to refine their tactics, businesses within the hospitality industry must remain proactive in securing their networks, training staff on cybersecurity best practices, and implementing robust security measures to defend against these increasingly deceptive attacks.
