Booking.com Breach Incident Score: Analysis & Impact (BOO1502015111225)

In this Rankiteo incident briefing, we review the Booking.com breach identified under incident ID BOO1502015111225.

The analysis begins with a detailed overview of Booking.com's information like the linkedin page: https://www.linkedin.com/company/agoda, the number of followers: 1046751, the industry type: Software Development and the number of employees: 15885 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 790 and after the incident was 790 with a difference of 0 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on Booking.com and their customers.

On 01 October 2025, Booking.com disclosed phishing, malware (PureRAT) and credential theft issues under the banner "ClickFix phishing campaign targets hotels and guests with PureRAT malware".

Attackers exploit compromised Booking.com accounts and sell stolen credentials on dark web forums.

The disruption is felt across the environment, and exposing login credentials, payment card data and reservation details.

Formal response steps have not been shared publicly yet.

The case underscores how Ongoing (as of October 2025).

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Phishing: Spearphishing Link (T1566.002) with high confidence (95%), with evidence including phishing emails and WhatsApp messages with fake Booking/Expedia login pages, and personalized WhatsApp messages with real reservation details and Valid Accounts: Cloud Accounts (T1078.004) with high confidence (90%), with evidence including purchased stolen Booking.com administrator credentials from dark web forums, and compromised Booking.com accounts used to distribute PureRAT malware. Under the Credential Access tactic, the analysis identified Unsecured Credentials: Credentials In Files (T1552.001) with moderate to high confidence (85%), with evidence including credentials sold on dark web forums (e.g., LolzTeam), and booking.com extranet account credentials harvested and Credentials from Password Stores: Credentials from Web Browsers (T1555.003) with moderate to high confidence (80%), supported by evidence indicating pureRAT malware enabled keystroke logging to steal login credentials. Under the Collection tactic, the analysis identified Input Capture: Keylogging (T1056.001) with high confidence (90%), supported by evidence indicating pureRAT malware enabled keystroke logging, Screen Capture (T1113) with moderate to high confidence (75%), supported by evidence indicating pureRAT enabled surveillance via webcam/microphone (implies screen capture capability), and Data from Local System (T1005) with moderate to high confidence (85%), supported by evidence indicating malware enabled remote access to map hotel customer databases. Under the Exfiltration tactic, the analysis identified Exfiltration Over C2 Channel (T1041) with high confidence (90%), with evidence including pureRAT malware exfiltrated login credentials and payment card data, and credentials sold on dark web forums and Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol (T1048.003) with moderate to high confidence (70%), supported by evidence indicating fraudulent wire transactions suggest abuse of financial protocols for exfiltration. Under the Defense Evasion tactic, the analysis identified Obfuscated Files or Information: Indicator Removal from Tools (T1027.005) with moderate to high confidence (75%), supported by evidence indicating fake reCAPTCHA challenge to bypass automated detection and Valid Accounts: Local Accounts (T1078.003) with moderate to high confidence (80%), supported by evidence indicating real reservation details used to enhance credibility of phishing (abuse of legitimate account data). Under the Lateral Movement tactic, the analysis identified Account Discovery: Domain Account (T1087.002) with moderate to high confidence (85%), supported by evidence indicating malware enabled remote access to map hotel customer databases (implies internal account enumeration). Under the Impact tactic, the analysis identified Malicious Services: Data Manipulation (T1659) with moderate to high confidence (80%), supported by evidence indicating fraudulent wire transactions executed using stolen data and Data Encrypted for Impact (T1486) with moderate confidence (60%), supported by evidence indicating implied by financial and reputational damage (though no explicit ransomware mentioned). Under the Persistence tactic, the analysis identified Server Software Component: Web Shell (T1505.003) with moderate to high confidence (70%), supported by evidence indicating pureRAT malware provided remote access (suggests persistent backdoor). Under the Command and Control tactic, the analysis identified Application Layer Protocol: Web Protocols (T1071.001) with high confidence (90%), supported by evidence indicating pureRAT malware used for remote access (likely HTTP/HTTPS C2). These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.