- Cybercriminals spoofed Aruba using a stealthy, automated phishing framework with CAPTCHA and Telegram bots
- Phishing sites impersonated Aruba’s webmail portal and stole credentials via fake service alerts
- Aruba’s large user base made it a valuable target for industrial-scale credential theft
Security researchers Group-IB have published details of a new scam targeting Aruba users, which turned out to be part of a “sophisticated phishing framework”.
The team found that cybercriminals had created a “fully automated, multi-stage platform” that provides both efficiency and stealth, using CAPTCHA filtering to avoid security scans, pre-filling victim data to increase credibility, and using Telegram bots to exfiltrate stolen credentials and payment information.
The goal of the phishing kit is to achieve “industrial-scale credential theft,” Group-IB said, adding that it “drastically lowers” the technical barrier to entry and enables less skilled actors to launch persuasive campaigns at scale and virtually overnight.
Targeted Aruba
The modus operandi here is quite usual – the attack starts with a carefully crafted email warning users about an expiring service or a failed payment. These themes were chosen because Aruba itself often warns its customers about them, albeit without the dramatic sense of urgency that phishing emails bring.
The messages come with a link to “one of many” phishing sites that “carefully mimic” the official Aruba.it webmail login portal, Group-IB added. Victims who don’t discover the list and try to log in end up forwarding their credentials to the attackers via Telegram, who can later either use it or sell it on the dark web.
Aruba was chosen because it is “deeply embedded in Italy’s digital infrastructure,” Group-IB emphasized, adding that it currently serves more than 5.4 million customers.
“Such a target offers a significant payoff: compromising a single account can expose critical business assets, from hosted websites to domain control and email environments,” the researchers concluded.
Defense against phishing attacks remains simple – think before you click, keep your software up to date and run a strong endpoint protection solution.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds. Be sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, video unboxings, and get regular updates from us on WhatsApp also.
