Phishing campaign imitates Italian web host to steal info
Farah Amod
Nov 27, 2025 11:36:56 AM
A sophisticated phishing kit is targeting Aruba S.p.A. customers with fake login and payment pages to steal credentials and credit card details.
What happened
According to The Record, researchers have uncovered a phishing campaign impersonating Aruba S.p.A., one of Italy’s largest web hosting and IT service providers. The operation targets Aruba customers with convincing fake emails and websites designed to steal sensitive login and payment information.
Victims receive emails warning of expiring services or failed payments, leading them to a fake Aruba login page that pre-fills their email addresses. After entering credentials, victims are redirected to the real Aruba site, unaware that their information has already been sent to the attackers.
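A mail-filter check for the pre-filled lure described above, as an added example that is not from the researchers or The Record: it flags links that carry the recipient's own address (plain, percent-encoded or base64) while pointing at a host outside the provider's domain. It assumes the address travels in the link, which the report does not state, and that `aruba.it` is the allowlisted domain; the function names, recipient, hosts and paths are constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def carries_address(url, recipient):
    """True if the address appears in the URL in plain, percent-encoded or base64 form."""
    needle = recipient.lower()
    decoded = unquote(url)
    if needle in decoded.lower():
        return True
    # Try each path/query/fragment piece as URL-safe or '/'-free standard base64.
    for piece in re.split(r"[/?&=#]", decoded):
        try:
            raw = base64.urlsafe_b64decode(piece + "=" * (-len(piece) % 4))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if needle in raw.decode("utf-8", "ignore").lower():
            return True
    return False

def host_allowed(host, allowed_domains):
    """Exact match or true subdomain of an allowlisted domain (no substring matching)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed_domains)

def flag_prefill_links(body, recipient, allowed_domains):
    """Return links that embed the recipient's address and point off the allowlist."""
    hits = []
    for url in URL_RE.findall(body):
        try:
            host = urlsplit(url).hostname or ""
        except ValueError:  # malformed authority, treat as untrusted
            host = ""
        if not host_allowed(host, allowed_domains) and carries_address(url, recipient):
            hits.append(url)
    return hits

# Constructed sample: recipient, hosts and paths are invented for illustration.
RECIPIENT = "mario.rossi@example.it"
_B64 = base64.urlsafe_b64encode(RECIPIENT.encode()).decode().rstrip("=")
SAMPLE_BODY = (
    f"https://aruba-renewal.example/login?e={_B64}\n"
    "https://pay.example.net/area?email=mario.rossi%40example.it\n"
    "https://www.aruba.it/?user=mario.rossi@example.it\n"
    "https://aruba-renewal.example/faq\n"
)
ALLOWED = {"aruba.it"}  # assumption: the provider's legitimate domain
```

Calling `flag_prefill_links(SAMPLE_BODY, RECIPIENT, ALLOWED)` returns the two off-domain links that embed the address. Standard base64 values containing `/` are split by the tokenizer and not decoded.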
Going deeper
The phishing kit used in the campaign mimics both Aruba’s login and payment interfaces. It incorporates techniques like CAPTCHA filtering to avoid detection by automated scanners and uses Telegram bots to immediately forward stolen data to attackers. The kit also includes a secondary fake payment page requesting a small charge (around $5), which is used to collect full credit card details and one-time passcodes.
Aruba serves over 5.4 million customers and operates several major data centers across Italy and abroad. According to researchers, compromising a single Aruba account can give attackers access to hosted websites, domain settings, and business email environments, making this type of phishing campaign especially damaging.
Telegram was identified as the command and control channel for both coordination and real-time exfiltration of data, as well as for promoting the phishing kit to other cybercriminals.
What was said
“Such a target offers significant payoff: compromising a single account can expose critical business assets, from hosted websites to domain controls and email environments,” said researchers. They also described Telegram as “the central nervous system for this entire operation.”
Researchers have not attributed the campaign to a known threat actor. Aruba has not yet responded to requests for comment, and the total number of affected users or financial losses remains unknown.
The big picture
The Aruba campaign shows how phishing kits now recreate full-service portals, merging login impersonation with realistic payment flows to steal credentials and card data in one step. With Telegram used for instant exfiltration, one compromised hosting account can expose websites, domains, and business email environments. Phishing remains one of the most damaging entry points for these attacks; Paubox found that over 70 percent of healthcare data breaches in 2024 began with a phishing email.
Paubox Inbound Email Security gives organizations a way to stop these threats before any credentials are entered. Its generative AI evaluates sender behavior and message context to catch deceptive service alerts and payment notices that imitate trusted providers, helping prevent high-fidelity scams from reaching users at all.
FAQs
Why do phishing kits now use CAPTCHA and Telegram?
CAPTCHA helps phishing pages avoid detection by automated security crawlers, while Telegram offers attackers encrypted, real-time data collection and a platform to coordinate and sell their kits.
How can users verify whether a service alert is legitimate?
Always access service portals directly by typing the URL into your browser; never click on links in unsolicited emails. You can also check your account status from the official dashboard instead of trusting alerts.
What are the risks if a hosting account is compromised?
Attackers can gain control of websites, email, and DNS records, and can even inject malware into hosted content. This can impact the business and its customers.
How do prefilled email fields increase phishing success?
Prefilling known data (like an email address) builds credibility and reduces suspicion. Victims are more likely to trust a page that appears customized to them.
Can small payment requests in phishing scams cause large losses?
Yes. Even small transactions can be used to capture credit card details and one-time passwords, which can then be used to authorize larger fraudulent charges.