Phishing campaign targets customers of major Italian web hosting provider
Summary
Researchers at Group-IB uncovered a large-scale phishing campaign impersonating Aruba S.p.A., a major Italian web hosting and IT services provider that serves more than 5.4 million customers. The operation used a sophisticated phishing kit that mimics Aruba’s login and payment pages to harvest credentials and credit-card details, and it exfiltrates data in real time using Telegram bots.
The kit — sold as a service to other criminals — includes CAPTCHA filtering to evade scanners, pre-fills user data to appear legitimate, and sends stolen information to attackers while redirecting victims to the real Aruba site. Attackers also deploy a fake payment page requesting a small fee (around $5) and one-time passwords to complete fraudulent transactions.
Key Points
- Target: Aruba S.p.A., operating major data centres and serving over 5.4 million customers.
- The phishing kit is offered as-a-service, enabling multiple criminals to run similar campaigns.
- Kit capabilities include CAPTCHA filtering to keep scanners out, pre-filled user fields and Telegram bots for instant exfiltration.
- Typical attack flow: expiry/payment-failure email → fake login with preloaded email → credentials captured → victim redirected to legitimate site.
- Secondary fake payment page requests a small fee plus card details and OTP, allowing real-time fraud authorisation.
- Group-IB has not attributed the campaign to a specific actor; Aruba had not commented and the overall impact remains unclear.
Why should I read this?
Quick and blunt: if you use Aruba or manage hosted sites/domains in Italy, pay attention. This scam is polished, automated and uses Telegram for fast theft — a single compromised account can cascade into bigger problems. Read it so you know what red flags to spot and how to warn users before it bites you.
Context and relevance
This case illustrates the growing threat of phishing-as-a-service and the value criminals place on attacking hosting providers. It reflects a broader trend of automated, hard-to-detect phishing operations that combine anti-detection techniques with instant data collection via messaging platforms. Organisations should bolster user awareness, enforce robust multi-factor authentication (preferably phishing-resistant methods), and monitor for suspicious login and payment activity.
Source
https://therecord.media/phishing-campaign-targets-italian-web-hosting-customers
