Phishing campaign targets customers of major Italian web hosting provider
Researchers have uncovered a large-scale phishing campaign targeting customers of one of Italy’s largest web hosting and IT service providers in an effort to steal sensitive data and payment information.
The operation used a sophisticated phishing kit designed to impersonate the login and payment pages of Aruba S.p.A., stealing customer credentials and credit card details. Aruba operates several major data centers in Italy and abroad and serves more than 5.4 million customers.
“Such a target offers significant payoff: compromising a single account can expose critical business assets, from hosted websites to domain controls and email environments,” researchers at cybersecurity firm Group-IB said in a report published Thursday.
The phishing kit — sold as a service to other cybercriminals — goes far beyond a simple fake website. It includes CAPTCHA filtering to evade security scanners, pre-fills user data to appear more legitimate and uses Telegram bots to instantly exfiltrate stolen information.
“Telegram is the central nervous system for this entire operation,” the researchers said, adding that they identified multiple Telegram chats used to coordinate the Aruba campaign and promote phishing kits to other criminals.
Victims typically receive an email claiming their Aruba service is about to expire or that a payment has failed. The message directs them to a fake Aruba login page, where their email address is preloaded for credibility. Once credentials are entered, they are sent directly to the attackers while the victim is redirected to the legitimate Aruba website.
The attackers also use a fake payment page requesting a small fee — typically around $5 — to trick users into entering their credit card information and one-time password, giving the criminals all the details needed to authorize fraudulent transactions in real time.
Group-IB has not attributed the operation to any specific threat actor. Aruba did not immediately respond to a request for comment. It remains unclear how many users were affected or how much money the attackers stole.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.



