- Cybercriminals spoofed Aruba using a hidden, automated phishing scheme involving CAPTCHA and Telegram bots.
- Phishing sites impersonate Aruba’s webmail portal and steal login credentials via fake service alerts.
- Aruba’s large user base has made it a valuable target for industrial-scale identity theft.
Security researchers at Group-IB have published details of a new scam targeting Aruba users that appeared to be part of an “advanced phishing scheme.”
The team found that cybercriminals had created a “fully automated multi-layered platform” that provides efficiency and stealth by using CAPTCHA filtering to bypass security scans, pre-filling victim details to increase credibility, and using Telegram bots to exfiltrate stolen credentials and payment information.
The goal of the phishing package is to achieve “reference theft on an industrial scale,” Group-IB said, adding that it “significantly reduces technical barriers to entry” and allows less experienced actors to launch persuasive campaigns at scale and virtually overnight.
The target is Aruba
The approach in this case is fairly standard: the attack begins with a carefully crafted email informing users of service expiration or non-payment. These topics were chosen because Aruba itself often warns its customers about them, but without the sense of dramatic urgency that phishing emails provide.
The messages contain a link to “one of many” phishing sites that “closely mimic the official Aruba.it webmail portal,” Group-IB added. Victims who don’t recognize the scam and try to log in end up handing their credentials to the attackers, who receive them via Telegram and can later use them or sell them on the dark web.
Aruba was chosen because the company is “deeply rooted in Italy’s digital infrastructure,” Group-IB noted, adding that the company currently serves more than 5.4 million customers.
“Such a target offers significant benefits: Compromising a single account can expose critical assets, from hosting websites to domain controllers and email environments,” the researchers concluded.
Protecting yourself from phishing attacks is simple: think before you click, keep your software up-to-date and maintain a robust endpoint protection solution.
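One check a mail filter could add for the pattern described above (an added example, not code from Group-IB or Aruba): flag links in an Aruba-themed message that point outside aruba.it yet carry the recipient's own address. It assumes the kit pre-fills victim details through the link, which the article does not specify; every host and address in the sample is constructed.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

OFFICIAL_DOMAIN = "aruba.it"  # the genuine portal domain named in the article
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{12,}")  # candidate base64 runs


def is_official(host: str) -> bool:
    host = host.lower().rstrip(".")
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)


def carries_recipient(url: str, recipient: str) -> bool:
    """True if the address is in the URL: plain, percent-encoded or base64."""
    target, decoded = recipient.lower(), unquote(url)
    if target in decoded.lower():
        return True
    for token in TOKEN_RE.findall(decoded):
        try:
            raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        except ValueError:  # not valid base64, ignore this run
            continue
        if target in raw.decode("utf-8", "ignore").lower():
            return True
    return False


def suspicious_links(body: str, recipient: str) -> list[str]:
    """Links in an Aruba-themed message that leave aruba.it yet embed the recipient."""
    if "aruba" not in body.lower():
        return []
    return [u for u in URL_RE.findall(body)
            if not is_official(urlsplit(u).hostname or "")
            and carries_recipient(u, recipient)]


# Constructed sample message; every host and address here is made up.
RECIPIENT = "mario.rossi@example.it"
B64 = base64.urlsafe_b64encode(RECIPIENT.encode()).decode().rstrip("=")
SAMPLE = (
    "Your Aruba service expires today. "
    f"Renew: https://webmail-renew.example/login?u={B64} "
    "or https://aruba-it.example/pay#mario.rossi%40example.it "
    f"Help: https://www.aruba.it/help?email={RECIPIENT}"
)

FLAGGED = suspicious_links(SAMPLE, RECIPIENT)  # the two off-domain links
```

The link on the genuine domain is left alone even though it carries the address; only the lookalike hosts are flagged.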