A sophisticated phishing kit is targeting Aruba S.p.A. customers with fake login and payment pages to steal credentials and credit card details.
According to The Record, researchers have uncovered a phishing campaign impersonating Aruba S.p.A., one of Italy’s largest web hosting and IT service providers. The operation targets Aruba customers with convincing fake emails and websites designed to steal sensitive login and payment information.
Victims receive emails warning of expiring services or failed payments, leading them to a fake Aruba login page that pre-fills their email addresses. After entering credentials, victims are redirected to the real Aruba site, unaware that their information has already been sent to the attackers.
The phishing kit used in the campaign mimics both Aruba’s login and payment interfaces. It incorporates techniques like CAPTCHA filtering to avoid detection by automated scanners and uses Telegram bots to immediately forward stolen data to attackers. The kit also includes a secondary fake payment page requesting a small charge (around $5), which is used to collect full credit card details and one-time passcodes.
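One detection angle on the pre-filled login page described above, as an added example that is not from the researchers or the original article: flag links in an inbound message that carry the recipient's own address to a host outside the provider's domains. It assumes the address reaches the fake page through the link itself (plain, percent-encoded or base64), which the article does not state; the `aruba.it` allow-list, the sample message and every other hostname are constructed.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
TRUSTED = ("aruba.it",)  # assumption: allow-list of the provider's genuine domains

def is_trusted(host, trusted=TRUSTED):
    """Exact domain or true subdomain only, so 'aruba.it.evil.example' fails."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)

def carries_address(url, address):
    """True if the address is in the URL as plain, percent-encoded or base64 text."""
    address = address.lower()
    decoded = unquote(url)
    if address in decoded.lower():
        return True
    for token in re.split(r"[/?&=#;:]", decoded):
        if len(token) < 8:
            continue
        try:  # re-pad, since '=' padding was consumed by the split above
            raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if address in raw.decode("utf-8", "ignore").lower():
            return True
    return False

def flag_prefilled_links(recipient, body, trusted=TRUSTED):
    """Return (host, url) for each untrusted link that embeds the recipient."""
    links = [(urlsplit(u).hostname, u) for u in URL_RE.findall(body)]
    return [(h, u) for h, u in links
            if not is_trusted(h, trusted) and carries_address(u, recipient)]

# Constructed sample: recipient, hostnames and message text are all made up.
RCPT = "mario.rossi@example.it"
B64 = base64.urlsafe_b64encode(RCPT.encode()).decode().rstrip("=")
SAMPLE_BODY = f"""Your hosting service expires today.
Renew now: https://renew-portal.example/login?e={B64}
Pay invoice: https://aruba.it.billing-check.example/?email=mario.rossi%40example.it
Official site: https://www.aruba.it/
Newsletter: https://news.example/u?id=12345678
"""

if __name__ == "__main__":
    print(*flag_prefilled_links(RCPT, SAMPLE_BODY), sep="\n")
```

Legitimate mailers also embed recipient addresses in tracking and unsubscribe links, so a hit is a signal to score alongside sender and content checks, not a verdict on its own.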
Aruba serves over 5.4 million customers and operates several major data centers across Italy and abroad. According to researchers, compromising a single Aruba account can give attackers access to hosted websites, domain settings, and business email environments, making this type of phishing campaign especially damaging.
Telegram was identified as the command-and-control channel, used both for coordination and for real-time exfiltration of data, as well as for promoting the phishing kit to other cybercriminals.
“Such a target offers significant payoff: compromising a single account can expose critical business assets, from hosted websites to domain controls and email environments,” said researchers. They also described Telegram as “the central nervous system for this entire operation.”
Researchers have not attributed the campaign to a known threat actor. Aruba has not yet responded to requests for comment, and the total number of affected users or financial losses remains unknown.
The Aruba campaign shows how phishing kits now recreate full-service portals, merging login impersonation with realistic payment flows to steal credentials and card data in one step. With Telegram used for instant exfiltration, one compromised hosting account can expose websites, domains, and business email environments. Phishing remains one of the most damaging entry points for these attacks; Paubox found that over 70 percent of healthcare data breaches in 2024 began with a phishing email.
Paubox Inbound Email Security gives organizations a way to stop these threats before any credentials are entered. Its generative AI evaluates sender behavior and message context to catch deceptive service alerts and payment notices that imitate trusted providers, helping prevent high-fidelity scams from reaching users at all.
CAPTCHA helps phishing pages avoid detection by automated security crawlers, while Telegram offers attackers encrypted, real-time data collection and a platform to coordinate and sell their kits.
Always access service portals directly by typing the URL into your browser; never click on links in unsolicited emails. You can also check your account status from the official dashboard instead of trusting alerts.
Attackers can gain control of websites, emails, DNS records, and even inject malware into hosted content. This can impact the business and its customers.
Prefilling known data (like an email address) builds credibility and reduces suspicion. Victims are more likely to trust a page that appears customized to them.
Yes. Even small transactions can be used to capture credit card details and one-time passwords, which can then be used to authorize larger fraudulent charges.