Large-scale phishing campaign poses new risk to Aruba users, investigators warn
A newly uncovered phishing operation has started circulating across Italy, and researchers say it is one of the more coordinated efforts they have seen recently. The campaign focuses on customers of Aruba, a major hosting and IT services provider with millions of users, and the attackers appear to be working with a toolkit designed to mimic the company’s login and billing pages down to the smallest detail.
Researchers at Group-IB, who examined the operation, noted that the attackers seemed intent on reaching businesses that rely heavily on Aruba’s infrastructure. One researcher described the motivation quite plainly, saying that a single compromised account could place websites, domain controls, and company email at risk all at once. That kind of access makes the target “a significant payoff,” according to their report.
What sets this campaign apart is not only the accuracy of the impersonation but the amount of automation behind it. The phishing kit includes CAPTCHA filtering to help it slip past security checks, and it even preloads the victim’s email address to make the fake page look more convincing. The attackers route the stolen data through Telegram in real time, and one researcher called the platform “the central nervous system for this entire operation.”
Most victims arrive at the fake pages after receiving messages claiming their service is about to expire or that a recent payment failed. After users enter their credentials, the attackers quietly redirect them to the legitimate Aruba site, and many never notice what happened.
The attackers then push a small payment request of around five dollars, which encourages victims to enter their card details and a one-time password. That final step gives the criminals everything they need for immediate fraudulent charges.
Group-IB has not linked the activity to any known group, and Aruba has not commented publicly. For now, researchers say they cannot determine the full scale of the operation, which leaves open questions about how much money the attackers took and how many customers they caught off guard.
