Phishing campaign targets customers of major Italian web hosting provider

Researchers have uncovered a large-scale phishing campaign targeting customers of one of Italy’s largest web hosting and IT service providers in an effort to steal sensitive data and payment information.

The operation used a sophisticated phishing kit designed to impersonate the login and payment pages of Aruba S.p.A., stealing customer credentials and credit card details. Aruba operates several major data centers in Italy and abroad and serves more than 5.4 million customers.

“Such a target offers significant payoff: compromising a single account can expose critical business assets, from hosted websites to domain controls and email environments,” researchers at cybersecurity firm Group-IB said in a report published Thursday.

The phishing kit — sold as a service to other cybercriminals — goes far beyond a simple fake website. It includes CAPTCHA filtering to evade security scanners, pre-fills user data to appear more legitimate and uses Telegram bots to instantly exfiltrate stolen information.

“Telegram is the central nervous system for this entire operation,” the researchers said, adding that they identified multiple Telegram chats used to coordinate the Aruba campaign and promote phishing kits to other criminals.

Victims typically receive an email claiming their Aruba service is about to expire or that a payment has failed. The message directs them to a fake Aruba login page, where their email address is preloaded for credibility. Once credentials are entered, they are sent directly to the attackers while the victim is redirected to the legitimate Aruba website.

The attackers also use a fake payment page requesting a small fee — typically around $5 — to trick users into entering their credit card information and one-time password, giving the criminals all the details needed to authorize fraudulent transactions in real time.

Group-IB has not attributed the operation to any specific threat actor. Aruba did not immediately respond to a request for comment. It remains unclear how many users were affected or how much money the attackers stole.
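A defender-side check for the lure described above, added here as an illustration and not taken from the article or the Group-IB report: it flags links in an inbound message that carry the recipient's own address to a host outside the provider's domain. It assumes the preloaded address travels in the link itself (plain, percent-encoded or base64) and that `aruba.it` is the allowlisted domain; the function names and sample message are constructed.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# Assumption: hosts treated as the provider's own; replace with your allowlist.
LEGITIMATE_DOMAINS = {"aruba.it"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Long runs of base64/base64url characters ('/' is left out so path
# segments are not glued together; a value containing '/' is missed).
TOKEN_RE = re.compile(r"[A-Za-z0-9_+-]{12,}")

# Constructed sample message body (reserved .example host, fictional user).
SAMPLE_BODY = (
    "Your service is about to expire. Renew now:\n"
    "https://aruba-rinnovo.example/login?u="
    + base64.urlsafe_b64encode(b"mario.rossi@example.com").decode()
    + "\nSupport: https://www.aruba.it/?email=mario.rossi@example.com\n"
)


def is_legitimate(host):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGITIMATE_DOMAINS)


def decoded_tokens(text):
    """Yield decoded forms of tokens that parse as base64 or base64url."""
    for token in TOKEN_RE.findall(text):
        padded = token + "=" * (-len(token) % 4)
        try:
            yield base64.urlsafe_b64decode(padded).decode("utf-8", "ignore")
        except (binascii.Error, ValueError):
            continue  # not base64 (for example, an ordinary hostname label)


def prefilled_links(recipient, body):
    """Return off-domain URLs in body that embed the recipient's address."""
    needle = recipient.lower()
    hits = []
    for url in URL_RE.findall(body):
        try:
            host = urlsplit(url).hostname
        except ValueError:
            continue  # malformed URL; nothing to compare against the allowlist
        if is_legitimate(host):
            continue
        plain = unquote(url)  # resolves %40 and similar escapes
        forms = [plain.lower()] + [t.lower() for t in decoded_tokens(plain)]
        if any(needle in form for form in forms):
            hits.append(url)
    return hits
```

A hit is a triage signal rather than a verdict, since legitimate unsubscribe and tracking links can also embed the recipient's address.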


Daryna Antoniuk

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.

 
