
Fake blue screen of death malware targets the hospitality industry

The researchers claim the malicious domain leveraged in the ploy remains largely undetected by security vendors.


Brianna Monsanto is a reporter for IT Brew who covers news about cybersecurity, cloud computing, and strategic IT decisions made at different companies.


It’s the moment we all dread: Your laptop flashes the infamous blue screen of death. But in this case, it isn’t a critical system error fixed by a few keystrokes. Instead, you’ve unintentionally installed malware on your device.

Campaign summary. That’s the core of a new malware campaign dubbed PHALT#BLYX, which was revealed by Securonix threat researchers in a Jan. 5 blog post. The researchers claim to have seen the PHALT#BLYX campaign evolve from an easy-to-detect infection chain into its now-sophisticated form, with a focus during this past holiday season on the hospitality industry.

The attack is straightforward: Victims receive an email that appears to come from hotel booking website Booking.com, notifying them of a reservation cancellation and soliciting a large fee. The email causes the victim, who’s likely panicked, to click the link leading to a malicious domain impersonating Booking.com, complete with a fake error message. (The emails’ fake room charges are in euros, suggesting the campaign is targeting people in Europe.)

Victims are then prompted to click a “refresh” button, which triggers a fake blue screen of death page with instructions on how to fix their computer. If they follow those commands, a malicious PowerShell script is copied to their clipboard, which runs the malware on their device—a move commonly known as a ClickFix attack.

The Securonix researchers said the malicious domain used in the ploy continues to be “largely undetected” by security vendors. “At the time of this analysis, the site is still live and accessible, bypassing most web filters and allowing the attackers to reach victims without being blocked by standard browser protections,” they wrote.

Sage Hunter, a spokesperson for Booking.com, told IT Brew in an e-mailed statement that the company is aware of the current phishing activity leveraging its brand and confirmed their systems have not been compromised. The company encouraged consumers to “remain vigilant.”

Southern hospitality? Not quite. The PHALT#BLYX campaign joins the slew of attacks against the hospitality industry. Last year, IT Brew reported how cyberattackers are leveraging AI and deepfake technology to deliver more personalized attacks. Some North American hotels are experiencing up to five attempted attacks during the summer season.

“In an industry that’s built on customer trust, the attackers are targeting the very channels that people rely on: all of the confirmation emails, SMS updates that they get, and mobile apps to deliver all of this malicious content that we’re seeing,” Pam Lindemoen, chief security officer and VP of strategy at the cyber intelligence-sharing group Retail and Hospitality Information Security and Analysis Center (RH–ISAC), told IT Brew in July.

Don’t be blue! Securonix researchers recommend organizations take several actions to remain safe amid the ongoing campaign. For one, companies can start by bolstering user awareness of ClickFix attacks. The researchers also recommended that individuals use heightened caution when receiving emails that appear to come from hospitality companies and increase monitoring efforts. Specifically, they suggested, “Monitor for the creation of suspicious file types (‘.proj’, ‘.exe’) in ‘%ProgramData%’ and Internet Shortcut files (‘.url’) in the Startup folder.”
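One way to turn that monitoring advice into a check over file-creation telemetry, as an added example that is not code from Securonix or IT Brew. It assumes events shaped like Sysmon Event ID 11 records with a `TargetFilename` field, a default `C:\ProgramData` location, and that "in %ProgramData%" means any depth below that folder; the rule names and sample paths are constructed.

```python
from pathlib import PureWindowsPath

# Assumption: %ProgramData% is at its default location on the monitored hosts.
PROGRAMDATA = ("c:\\", "programdata")
# Last five components of both the per-user and the all-users Startup folder.
STARTUP_TAIL = ("microsoft", "windows", "start menu", "programs", "startup")
PROGRAMDATA_EXTS = {".proj", ".exe"}

def classify(target_filename):
    """Return the name of the matching rule for a created file, or None."""
    path = PureWindowsPath(target_filename)
    ext = path.suffix.lower()
    # Windows paths are case-insensitive, so compare lowercased components.
    parent = tuple(part.lower() for part in path.parent.parts)
    # Match Internet Shortcut files placed directly in a Startup folder.
    if ext == ".url" and parent[-5:] == STARTUP_TAIL:
        return "url_in_startup"
    # Assumption: "in %ProgramData%" covers any depth below that folder.
    if ext in PROGRAMDATA_EXTS and parent[:2] == PROGRAMDATA:
        return "proj_or_exe_in_programdata"
    return None

def scan(events):
    """Return (rule, path) for every file-creation event that matches."""
    hits = []
    for event in events:
        rule = classify(event["TargetFilename"])
        if rule:
            hits.append((rule, event["TargetFilename"]))
    return hits

# Constructed sample events (not taken from the Securonix report).
SAMPLE_EVENTS = [
    {"TargetFilename": r"C:\ProgramData\example.proj"},
    {"TargetFilename": r"c:\programdata\Sub\EXAMPLE.EXE"},
    {"TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\example.url"},
    {"TargetFilename": r"C:\Users\alice\Documents\bookmark.url"},
    {"TargetFilename": r"C:\Program Files\Vendor\app.exe"},
    {"TargetFilename": r"C:\ProgramData\Vendor\settings.json"},
]

if __name__ == "__main__":
    for rule, path in scan(SAMPLE_EVENTS):
        print(f"{rule}: {path}")
```

Legitimate installers and updaters also write `.exe` files under `%ProgramData%`, so in practice the second rule needs an allowlist of known software paths before it is used for alerting.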
