- Cybercriminals spoofed Aruba using a stealthy, automated phishing framework with CAPTCHA and Telegram bots
- Phishing pages mimicked Aruba’s webmail portal, stealing credentials via fake service alerts
- Aruba’s large user base made it a high-value target for industrial-scale credential theft
Security researchers Group-IB have published details of a new scam targeting Aruba users which turned out to be a part of a “sophisticated phishing framework”.
The team found cybercriminals had created a “fully automated, multi-stage platform” providing both efficiency and stealth, employing CAPTCHA filtering to evade security scans, pre-fills victim data to increase credibility, and uses Telegram bots to exfiltrate stolen credentials and payment information.
The goal of the phishing kit is to achieve “industrial-scale credential theft”, Group-IB said, adding that it “drastically lowers” the technical barrier to entry, and enables less skilled actors to launch convincing campaigns at scale, and virtually overnight.
Targeting Aruba
The modus operandi here is rather usual – the attack starts with a carefully crafted email, warning users about an expiring service or a failed payment. These themes were chosen because Aruba itself often warns its customers about them, albeit without the dramatic sense of urgency the phishing emails come with.
The messages come with a link to “one of many” phishing pages that “meticulously mimic” the official Aruba.it webmail login portal, Group-IB added. Victims that do not spot the ruse and try to log in end up relaying their credentials to the attackers via Telegram, who can later either use it, or sell it on the dark web.
Aruba was chosen because it is “deeply embedded in Italy’s digital infrastructure,” Group-IB stressed, adding that it is currently serving more than 5.4 million customers.
“Such a target offers significant payoff: compromising a single account can expose critical business assets, from hosted websites to domain controls and email environments,” the researchers concluded.
Defending against phishing attacks remains simple – think before you click, keep your software updated, and run a strong endpoint protection solution.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
