Booking Scam Alert, Fortinet LockBit Attack, Abu Dhabi Guidelines

The support tickets we get after a spoofing incident all start the same way: ‘we didn’t know someone was sending email from our domain,’ says Vasile Diaconu, Operations Lead at DuoCircle. DMARC reporting would have caught it weeks earlier. The cost of monitoring is nothing compared to the cost of a successful impersonation attack.

_According to the FBI’s 2022 Internet Crime Report (IC3), 300,497 US-based victims reported phishing incidents in a single year, and Business Email Compromise (BEC) caused more than $2.7 billion in direct losses. DMARC Report

Booking Scam Alert, Fortinet LockBit Attack, Abu Dhabi Guidelines

					<button title="Play" aria-label="Play Episode" aria-pressed="false" class="play-btn">
						

Play Episode

					</button>
					<button title="Pause" aria-label="Pause Episode" aria-pressed="false" class="pause-btn hide">
						

Pause Episode

					</button>
					


				

				

					<audio preload="none" class="clip clip-22834">
						<source src="https://media.mailhop.org/dmarcreport/images/2025/03/Booking-Scam-Alert-Fortinet-LockBit-Attack-Abu-Dhabi-Guidelines.mp3">
					</audio>
					

						

					

					

						

							<button class="player-btn player-btn__volume" title="Mute/Unmute">
								

Mute/Unmute Episode

							</button>
							<button data-skip="-10" class="player-btn player-btn__rwd" title="Rewind 10 seconds">
								

Rewind 10 Seconds

							</button>
							<button data-speed="1" class="player-btn player-btn__speed" title="Playback Speed" aria-label="Playback Speed">1x</button>
							<button data-skip="30" class="player-btn player-btn__fwd" title="Fast Forward 30 seconds">
								

Fast Forward 30 seconds

							</button>
						

						

							<time class="ssp-timer">00:00</time>
							

/

							<!-- We need actual duration here from the server -->
							<time class="ssp-duration" datetime="PT0H2M31S">2:31</time>
						

					

				

			

								<nav class="player-panels-nav">
												<button class="subscribe-btn" id="subscribe-btn-22834" title="Subscribe">Subscribe</button>
																		<button class="share-btn" id="share-btn-22834" title="Share">Share</button>
										</nav>
						

	



		

						

				

					

					

				

				

					

																																																																								

					

						

RSS Feed

							<input value="https://dmarcreport.com/feed/podcast/dmarc-report" class="input-rss input-rss-22834" title="RSS Feed URL" readonly />
						

						<button class="copy-rss copy-rss-22834" title="Copy RSS Feed URL" aria-label="Copy RSS Feed URL"></button>
					

				

			

									

				

					

					

				

				

					

						Share						

					

						<a href="https://www.facebook.com/sharer/sharer.php?u=https://dmarcreport.com/blog/podcast/booking-scam-alert-fortinet-lockbit-attack-abu-dhabi-guidelines/&t=Booking Scam Alert, Fortinet LockBit Attack, Abu Dhabi Guidelines" target="blank" rel="noopener noreferrer" class="share-icon facebook" title="Share on Facebook">
							

						</a>
						<a href="https://twitter.com/intent/tweet?text=https://dmarcreport.com/blog/podcast/booking-scam-alert-fortinet-lockbit-attack-abu-dhabi-guidelines/&url=Booking Scam Alert, Fortinet LockBit Attack, Abu Dhabi Guidelines" target="blank" rel="noopener noreferrer" class="share-icon twitter" title="Share on Twitter">
							

						</a>
						<a href="https://media.mailhop.org/dmarcreport/images/2025/03/Booking-Scam-Alert-Fortinet-LockBit-Attack-Abu-Dhabi-Guidelines.mp3" target="blank" rel="noopener noreferrer" class="share-icon download" title="Download" download>
							

						</a>
					

				

				

					

						Link						

					

						<input value="https://dmarcreport.com/blog/podcast/booking-scam-alert-fortinet-lockbit-attack-abu-dhabi-guidelines/" class="input-link input-link-22834" title="Episode URL" readonly />
					

					<button class="copy-link copy-link-22834" title="Copy Episode URL" aria-label="Copy Episode URL" readonly=""></button>
				

				

					

						Embed						

					

/*! This file is auto-generated */ ’ title=“Embed Code” class=“input-embed input-embed-22834” readonly/>

					<button class="copy-embed copy-embed-22834" title="Copy Embed Code" aria-label="Copy Embed Code"></button>
				

			

				

It feels like we just welcomed 2025 yesterday! Yet here we are again, meeting you all in the third week of March. As time flies by, threat actors are trying their best to keep up with the latest technology. Each sophisticated cyberattack is bringing them closer to your network and hard-earned money. If this sounds concerning, here’s what you need to do.

Start with educating yourself about the cybersecurity ecosystem. From security risks to defense mechanisms – study everything closely. And to take that first step towards awareness, start with this weekly news snippet.

DMARC, SPF, and DKIM form a crucial triad in the cybersecurity ecosystem, working together to authenticate emails and defend against phishing, spoofing, and domain abuse.

This week, we will talk about how a threat actor impersonated Booking.com. Our focus will also be on Abu Dhabi’s newly launched set of cybersecurity policy guidelines for its health infrastructure. Lastly, we will discuss the Fortinet users who fell prey to the LockBit ransomware attack.

So, should we get started?

Threat actor successfully poses as Booking.com to scam innocent travelers!

Phishing is one of the most notorious cyberattacking tactics. There are different types of phishing attacks that aim at stealing sensitive user data through malicious emails and messages. A new variant, named ClickFix, is doing the rounds, which enables a threat actor to gain easy access to a victim’s data through high-end social engineering techniques.

Microsoft recently published a report that mentioned Storm-1865, a notorious threat actor group. The group was using ClickFix to target the hospitality industry._ It operates across a broad geographical belt, which includes North America, Oceania, South and South East Asia and Northern, Southern, Eastern, and Western Europe_. Storm-1865 prefers impersonating the popular accommodation booking platform**– Booking.com. Microsoft believes that this threat actor group has been executing this attack since December 2024.

The **members of Storm-1865 send out malicious emails that contain some kind of CTA for the recipients, like an account verification process or any request. These emails either come infested with malicious URLs or PDFs, downloading which the users will be asked to solve a captcha. These emails closely impersonate Booking.com to avoid any kind of suspicion. The verification process requires the victim to use specific keyboard shortcuts and paste certain commands to the clipboard. The victim does everything as instructed, unaware of the fact that these will download a malicious payload.

Unaware victims see this campaign as additional security checks by Booking.com and find it to be a secure and safe platform. That increases their risk of falling prey to ClickFix.

Cybersecurity experts have urged users to stay vigilant and go through such emails closely. Practicing cyber hygiene, such as looking for typos, connecting with the legitimate booking platform directly, and double checking the email address of the sender, will help minimize the risk of ClickFix phishing attacks.

Fortinet users targeted by LockBit Ransomware gang connection!

Threat actor Mora _001 is responsible for exploiting two Fortinet vulnerabilities (CVE-2025-24472 and CVE-2024-55591) with the ultimate purpose of deploying SuperBlack ransomware. _This threat actor uses Russian language artifacts as well as other characteristics. The cyberattacker has been exploiting these two vulnerabilities within FortiProxy and FortiOS so that they can gain unauthorized super-administrator access to Fortinet products.

Now, researchers have tracked an operation signature, which makes them believe that Mora001 has close connections with the LockBit ransomware group.

For context, LockBit is a notorious ransomware gang that operates globally. Back in February, the international law enforcement team disrupted its operations and arrested multiple gang members around the world. This was possible because of its own leak site.

Experts are urging organizations to take immediate preventive measures against Mora_001. They believe that the **US, India, and Brazil are the three topmost targets for this threat actor, given that these three nations have vulnerable Fortinet firewalls.

Organizations must focus on segmenting networks. Next, they can come up with an extra layer of security controls which will further strengthen the security mechanism. Other than these two crucial tactics, organizations should also opt for regular review of VPN users, examine all the **automation settings carefully, limit management access, and so on.

Abu Dhabi issues cybersecurity guidelines to assure seamless conformance by the healthcare sector!

Abu Dhabi has recently issued cybersecurity guidelines to ensure that the healthcare sector across the region sticks to the same. This move comes as a consequence of years of cyber negligence across the healthcare industry in the Middle East region. The emirate has released its second version of the Abu Dhabi Healthcare Information and Cyber Security (ADHICS) strategy. This lays down clear instructions for medical device manufacturers, insurance companies, hospitals, and other related infrastructures.

The healthcare sector is **extremely vulnerable because of its highly sensitive data sets that contain patients’ health records as well as financial transactions .

Another reason why threat actors predominantly target the healthcare sector is because of the critical nature of the day-to-day operations. **Healthcare centers cannot delay their crucial operations for long and are more likely to oblige to the ransom demands.