Multi-Stage Phishing Kit Uses Telegram to Steal Credentials and Evade Automated Security Checks

Phishing remains one of the most consistent cyber threats faced by organizations worldwide. Attackers continuously refine their strategies to steal credentials and sensitive data, and a recently uncovered phishing framework shows how far these tactics have evolved.

Security analysts discovered a multi-layered phishing system designed to impersonate Aruba S.p.A., an Italian IT and web services provider that supports more than 5.4 million customers. By mimicking such a widely trusted service, the attackers aimed to compromise business-critical assets such as domain settings, hosted websites, and enterprise email accounts.

Deceptive Emails and Realistic Login Pages

The operation begins with spear-phishing messages that warn recipients about expired services or unsuccessful payments. These emails include links leading to counterfeit login portals that closely resemble the official Aruba webmail page.

A noteworthy tactic used by the attackers is the inclusion of pre-filled login URLs that automatically insert the victim's email address into the form. This subtle detail makes the fake page appear authentic and increases the likelihood of successful credential theft.

Group-IB researchers identified this phishing framework during routine monitoring of cybercriminal platforms. It operates as a full-service phishing kit that automates credential collection, hides attacker infrastructure, and avoids automated detection.

Unlike simple phishing pages, the system implements CAPTCHA filters to block scanners and uses Telegram bots to instantly forward stolen information to the attackers.

Four Stage Credential Theft Process

The attack progresses through four coordinated stages. These stages gradually extract login credentials, payment card data, and one-time passwords used in banking transactions.

Stage One: Anti-Bot CAPTCHA Filter

Victims first encounter a CAPTCHA challenge, which ensures that automated crawlers and security scanners cannot access the phishing pages.

Stage Two: Credential Harvesting

After passing the CAPTCHA, users reach a fake Aruba login page. When they enter their credentials, the information is immediately sent to the attackers.

Stage Three: Fake Payment Request

Next, a fraudulent payment page appears, requesting credit card information for a small renewal fee, usually around four euros and thirty-seven cents.

Stage Four: OTP Capture Page

Victims are then shown a fake 3D Secure verification page that captures the one-time password sent by their bank. This code allows attackers to complete unauthorized financial transactions in real time.

Throughout the attack, every submitted detail is exfiltrated to Telegram channels configured by the operators. After the process is complete, the victim is redirected to the legitimate Aruba website to avoid suspicion.
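To make two of the tactics above concrete from the defender's side, here is an added example (not code from Group-IB or from the kit described) that scans constructed proxy log lines for the pre-filled e-mail login URL indicator and for outbound calls to the Telegram Bot API used for exfiltration; the allowlisted host, the log format and all sample values are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hosts allowed to carry a pre-filled e-mail address in a login URL (assumed allowlist).
TRUSTED_LOGIN_HOSTS = {"webmail.aruba.it"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Telegram Bot API calls have the shape https://api.telegram.org/bot<token>/sendMessage
TELEGRAM_BOT_RE = re.compile(r"^/bot[^/]+/(sendMessage|sendDocument)")

def has_prefilled_email(url):
    """True if the URL embeds an e-mail address in its query string or fragment."""
    parts = urlsplit(url)
    blobs = [parts.query, parts.fragment]
    # Decoded query values catch percent-encoded addresses such as a%40b.example.
    for values in parse_qs(parts.query).values():
        blobs.extend(values)
    return any(EMAIL_RE.search(b) for b in blobs if b)

def classify(url):
    """Return the indicator names that apply to one requested URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if has_prefilled_email(url) and host not in TRUSTED_LOGIN_HOSTS:
        findings.append("prefilled-email-login-url")
    if host == "api.telegram.org" and TELEGRAM_BOT_RE.match(parts.path):
        findings.append("telegram-bot-api-call")
    return findings

def scan_log(lines):
    """Scan log lines of the constructed form '<timestamp> <client> <url>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        findings = classify(fields[2])
        if findings:
            hits.append((fields[1], fields[2], findings))
    return hits

# Constructed sample log lines; hosts, addresses and the bot token are placeholders.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 https://webmail.aruba.it/?_user=mario.rossi@example.it
2024-05-01T10:00:07Z 10.0.0.5 https://aruba-rinnovo.example.net/login.php?email=mario.rossi@example.it#step2
2024-05-01T10:00:09Z 10.0.0.5 https://www.example.org/page?id=42
2024-05-01T10:00:12Z 10.0.0.23 https://api.telegram.org/botPLACEHOLDER_TOKEN/sendMessage?chat_id=0&text=creds
""".splitlines()

if __name__ == "__main__":
    for client, url, findings in scan_log(SAMPLE_LOG):
        print(client, ",".join(findings), url)
```

The second rule is most useful on egress logs of web servers, where a call to the Telegram Bot API has no legitimate business reason and is a strong sign of a planted kit.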

A Growing Trend in Phishing-as-a-Service

This operation demonstrates the rapid expansion of phishing-as-a-service platforms. These ready-made kits enable cybercriminals to launch highly efficient and scalable credential theft campaigns even without deep technical expertise.