The operation used a sophisticated phishing kit designed to impersonate the login and payment pages of Aruba S.p.A., stealing customer credentials and credit card details.
# Incident Report: Sophisticated Phishing Campaign Targeting Aruba S.p.A. Customers
## Executive Summary
A large-scale, sophisticated phishing campaign targeted customers of Aruba S.p.A., a major Italian web hosting provider, utilizing a dedicated phishing kit to harvest credentials and payment information. The attack leveraged social engineering via emails regarding service expiration or payment failure, leading victims through multi-stage fake login and payment pages that bypassed basic security measures. The immediate impact revolves around customer data compromise, though the exact scope is still undetermined.
## Incident Details
- Discovery Date: November 13th, 2025 (Date of public report/research findings)
- Incident Date: Ongoing/Recent, as the campaign was actively being uncovered by researchers.
- Affected Organization: Aruba S.p.A.
- Sector: Web Hosting, IT Services (Technology)
- Geography: Italy
## Timeline of Events
### Initial Access
- Date/Time: Unknown (Ongoing throughout the campaign duration)
- Vector: Email (Phishing)
- Details: Victims received emails falsely claiming their Aruba service was about to expire or that a payment had failed.
### Lateral Movement
- Not applicable in the sense of network penetration: the campaign harvested credentials client-side from victims' browsers rather than compromising Aruba's internal network.
### Data Exfiltration/Impact
- Customer login credentials (email addresses and passwords).
- Credit card details, including validation data captured when the fake payment page asked the victim to pay a small fee.
- Stolen information was **instantly exfiltrated** via **Telegram bots**.
### Detection & Response
- **Detection:** Identified by cybersecurity firm Group-IB researchers through analysis of the campaign infrastructure, which included dedicated Telegram chats coordinating the activity.
- **Response:** Group-IB published a report detailing the threat actor's infrastructure and tactics. No specific response actions by Aruba were detailed in the provided summary.
## Attack Methodology
- **Initial Access:** Spear/Bulk Phishing via emails directing users to malicious landing pages.
- **Persistence:** No host persistence in the traditional sense; the campaign was sustained by a high-sophistication phishing kit sold as a service to other cybercriminals, with coordination handled centrally via Telegram bots and chats.
- **Privilege Escalation:** Not applicable in the traditional sense; focused on credential theft.
- **Defense Evasion:**
  - CAPTCHA gating in front of the phishing pages to keep automated security scanners from reaching them.
  - Pre-filled user data to make the phishing pages look legitimate.
  - Telegram used as the core command-and-control and exfiltration channel.
- **Credential Access:** Interception of credentials entered on the fake login page.
- **Discovery:** Reconnaissance of Aruba's login and payment flows is implied by the kit itself, which was purpose-built to mimic Aruba's pages.
- **Lateral Movement:** Not specified.
- **Collection:** Harvesting of login credentials followed by harvesting of payment data (CC number + OTP/CVV via a fake payment page).
- **Exfiltration:** Real-time, instant exfiltration of data using **Telegram bots**.
- **Impact:** Financial fraud potential via stolen payment data; compromise of critical business assets managed by Aruba clients (hosted websites, domains, email environments).
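The exfiltration path described above (stolen data posted instantly to Telegram bots) leaves a network footprint a defender can hunt for: HTTPS requests to the Telegram Bot API from hosts that have no business talking to it. The following is an added example, not code from the report or from Group-IB. It scans constructed proxy log lines (the log format, IP addresses and bot token are all assumptions) for Bot API calls, redacts the bot token before emitting an alert, and counts hits per source host so that a web-facing machine suddenly calling the Bot API stands out.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Telegram Bot API paths look like /bot<bot_id>:<secret>/<method>.
# The secret is a credential; we match it only to redact it, never to log it.
BOT_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/([A-Za-z]+)$")

# Constructed sample proxy log (not real data). Assumed format:
# "<timestamp> <source_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2025-11-13T09:12:01Z 10.0.5.21 GET https://cdn.example-assets.test/style.css 200
2025-11-13T09:12:03Z 10.0.5.21 POST https://api.telegram.org/bot123456789:AAE_constructed_sample_token/sendMessage 200
2025-11-13T09:12:09Z 10.0.5.22 GET https://www.aruba.it/ 200
2025-11-13T09:12:15Z 10.0.5.21 POST https://api.telegram.org/bot123456789:AAE_constructed_sample_token/sendDocument 200
2025-11-13T09:13:02Z 10.0.5.23 GET https://api.telegram.org/ 200
"""


@dataclass
class Alert:
    ts: str
    src_ip: str
    method: str
    bot_id: str
    api_method: str
    redacted_url: str  # safe to put in a ticket: secret part of the token removed


def parse_line(line: str) -> Optional[Tuple[str, str, str, str, str]]:
    """Split one log line into its five assumed fields; None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src_ip, method, url, status = parts
    return ts, src_ip, method, url, status


def detect_telegram_bot_exfil(log_text: str) -> List[Alert]:
    """Return one Alert per request to a Telegram Bot API method endpoint."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src_ip, method, url, _status = rec
        u = urlsplit(url)
        if (u.hostname or "").lower() != "api.telegram.org":
            continue
        m = BOT_PATH.match(u.path)
        if not m:
            continue  # e.g. a bare GET to the API root carries no bot token
        bot_id, _secret, api_method = m.groups()
        redacted = f"{u.scheme}://{u.hostname}/bot{bot_id}:<redacted>/{api_method}"
        alerts.append(Alert(ts, src_ip, method, bot_id, api_method, redacted))
    return alerts


def summarize_by_source(alerts: List[Alert]) -> Dict[str, int]:
    """Count Bot API calls per source host; any non-zero count from a
    web-facing host with no approved Telegram integration merits triage."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.src_ip] = counts.get(a.src_ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = detect_telegram_bot_exfil(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.src_ip} {a.method} {a.redacted_url}")
    print(summarize_by_source(found))
```

The bot id is kept in the alert because it identifies the attacker's bot across hosts and time; the secret half of the token is dropped so that the alert itself never becomes a credential leak. In a real deployment the same match would be applied to TLS SNI or proxy CONNECT records when full URLs are not available.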
## Impact Assessment
- **Financial:** Potential for direct fraudulent transactions facilitated by stolen payment data; costs associated with customer remediation and reputation management. (Amount stolen is unclear).
- **Data Breach:** Customer credentials (email/password) and sensitive payment card details, including one-time passcodes captured in real time through the fake payment page.
- **Operational:** High potential impact for affected customers, who may lose access to hosted sites, domains, and email environments controlled through the compromised accounts.
- **Reputational:** Negative impact on Aruba S.p.A.'s standing as a major service provider due to the widespread and successful nature of the impersonation campaign.
## Indicators of Compromise
- **Network indicators:** Malicious domains hosting the phishing kit and the Telegram-based command-and-control and exfiltration infrastructure (chat IDs, bot API endpoints). Specific values are not reproduced in this summary.
- **File indicators:** N/A (This was a web-based attack, not file malware).
- **Behavioral indicators:** User interaction with CAPTCHA-protected, pre-filled login/payment forms impersonating Aruba S.p.A.
## Response Actions
- **Containment measures:** (Not detailed for the targeted organization, but typically would involve taking down known malicious domains/infrastructure).
- **Eradication steps:** (Not detailed).
- **Recovery actions:** (Not detailed, but likely involves customer password resets and communication regarding compromised payment details).
## Lessons Learned
- Sophisticated, multi-stage phishing kits sold as a service are a prevalent, high-capability threat; techniques such as CAPTCHA gating let them evade automated scanners and common defenses.
- The use of communication platforms like Telegram constitutes a reliable, fast, and low-signature method for threat actors to facilitate C2 and exfiltration.
- Compromise of customer accounts at a web hosting provider gives attackers significant leverage over numerous downstream business assets (hosted websites, domains, email).
## Recommendations
- Implement Multi-Factor Authentication (MFA) universally for all customer accounts, especially for high-value services like domain control and payment information access.
- Enhance real-time monitoring for domain look-alikes and SSL certificate usage mimicking the organization's infrastructure.
- Conduct mandatory, highly realistic phishing simulations that test users against obfuscation techniques, including CAPTCHA triggers and fake payment portals.
- Educate customers specifically that an OTP/2FA code can be phished in real time: the kit requests the code on its fake payment page and relays it within its validity window, so a code should never be entered on a page reached from an email link.
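The recommendation to monitor for domain look-alikes can be turned into a concrete check over certificate transparency or newly-registered-domain feeds. The following is an added example, not code from the report, from Group-IB or from Aruba. It scores constructed sample hostnames (all hypothetical and labelled as such in the code) against the brand label `aruba` using homoglyph normalisation, leetspeak substitution, brand-embedding and edit distance. The allowlist of legitimate domains and the two-label registrable-domain rule (no public suffix list) are simplifying assumptions.

```python
import unicodedata
from typing import Dict, List

BRAND = "aruba"             # brand label to protect (the impersonated provider in the report)
LEGITIMATE = {"aruba.it"}   # assumption: the organisation's own registrable domains

# Small subset of Unicode confusables (Cyrillic letters that render like Latin ones).
# A production monitor would use the full Unicode confusables table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
}
# Common digit-for-letter substitutions used in look-alike labels.
LEET = {"4": "a", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}

# Constructed sample of hostnames as they might arrive from a CT log feed (not real data).
SAMPLE_CT_NAMES = [
    "www.aruba.it",            # legitimate, must not be flagged
    "arub4-login.example",     # hypothetical: leetspeak
    "aruba-pagamenti.example", # hypothetical: brand embedded in a longer label
    "arub\u0430.it",           # hypothetical: Cyrillic 'a' homoglyph
    "arubba.example",          # hypothetical: one-character typo
    "shop.example",            # unrelated, must not be flagged
]


def normalize_label(label: str) -> str:
    """NFKC-fold, lowercase, and map known confusables to their Latin look-alike."""
    s = unicodedata.normalize("NFKC", label).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)


def deleet(label: str) -> str:
    return "".join(LEET.get(ch, ch) for ch in label)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(fqdn: str) -> str:
    """Simplification: treat the last two labels as the registrable domain."""
    parts = fqdn.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def lookalike_reasons(fqdn: str) -> List[str]:
    """Return the reasons a hostname resembles the protected brand (empty if none)."""
    if registrable(fqdn) in LEGITIMATE:
        return []
    reasons: List[str] = []
    for raw in fqdn.strip(".").split("."):
        norm = normalize_label(raw)
        if any(ch in CONFUSABLES for ch in raw) and BRAND in norm:
            reasons.append("homoglyph")
        leet = deleet(norm)
        if leet != norm and BRAND in leet and BRAND not in norm:
            reasons.append("leet-substitution")
        if norm == BRAND:
            reasons.append("exact-brand-label")
        elif BRAND in norm:
            reasons.append("brand-embedded")
        elif levenshtein(norm, BRAND) <= 1:
            reasons.append("edit-distance-1")
    return reasons


def scan(names: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious hostname to its reasons; unflagged names are omitted."""
    return {n: r for n in names if (r := lookalike_reasons(n))}


if __name__ == "__main__":
    for name, why in scan(SAMPLE_CT_NAMES).items():
        print(f"{name!r}: {', '.join(why)}")
```

Each reason is kept separately rather than collapsed into a single score so that an analyst can see why a name was flagged; a homoglyph hit on the exact brand label is a much stronger signal than an edit-distance match on a generic word, and triage rules can weight them differently.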