A new report from Group-IB exposes a highly automated phishing framework engineered to impersonate Italian IT and web-services giant Aruba S.p.A., a company serving more than 5.4 million customers and deeply embedded in Italy’s digital infrastructure.
The investigation reveals how modern phishing operations have evolved into full-fledged commercial ecosystems. Group-IB notes that cybercriminals commonly “impersonate reputable IT companies in phishing campaigns, exploiting the trust these brands have built.”
The analyzed phishing kit embodies this shift. Rather than a static clone site, it is a multi-stage, automated platform designed for stealth, scalability, and maximum data extraction. As the report states, the kit “was engineered to impersonate the Italian IT and web services provider Aruba S.p.A.”, and a captured Aruba account exposes everything it administers, from hosted websites to domain management and email environments.
The toolkit reflects the rise of phishing-as-a-service (PhaaS), where ready-made attack kits are developed, sold, or even supported like legitimate software. Group-IB emphasizes that these offerings “are built, sold, and even supported like legitimate software products,” lowering the barrier for unskilled attackers and allowing large-scale operations.
The researchers warn that phishing has now become “a sustained, automated supply chain”, and defenders must understand they are no longer fighting isolated actors but a criminal ecosystem that behaves like an agile enterprise.
Victims are drawn into the trap through convincing spear-phishing emails crafted to generate urgency. Group-IB notes that cybercriminals sent lures to Aruba customers, warning of expiring services or failed payments.
The phishing pages themselves are meticulously built replicas of Aruba.it’s login portal, and the lure links carry the victim’s email address so that, when the user clicks, the fake page “automatically populates the email field… creating a convincing illusion of legitimacy.” A pre-filled address is a cheap but effective trust signal, because it mirrors the way many legitimate services deep-link customers straight into their own account.
Once credentials are captured, victims are redirected to the legitimate Aruba website to suppress suspicion.
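The pre-filled lure link is something a mail gateway or an analyst can test for directly. The following Python is an added example written for this article, not code from Group-IB or from the kit itself: it parses links extracted from a suspect message and flags any that carry an email address in the query string or fragment while pointing at a host outside the brand's own domain, or that use the brand name on a host the brand does not own. The legitimate-domain list (only aruba.it, the one domain the article names), the brand keyword and the sample URLs are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption: the brand's legitimate domain(s). The article names only Aruba.it;
# a real deployment would load the provider's full list of domains.
LEGIT_DOMAINS = {"aruba.it"}
BRAND_KEYWORDS = ("aruba",)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample links, as they might be extracted from a lure e-mail
# (invented for this example, not taken from the report).
SAMPLE_URLS = [
    "https://admin.aruba.it/login?email=mario.rossi%40example.it",
    "https://aruba-rinnovo.example/login.php?e=mario.rossi%40example.it",
    "https://example.net/verify#user=mario.rossi@example.it",
]


def is_legit_host(host):
    """True if host is one of the brand's domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def prefilled_emails(url):
    """E-mail addresses carried in the query string or fragment of a link."""
    parts = urlsplit(url)
    found = []
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        found.extend(EMAIL_RE.findall(unquote(value)))
    found.extend(EMAIL_RE.findall(unquote(parts.fragment)))
    return found


def classify_lure(url):
    """Flag a link that pre-fills a victim address while pointing off-brand."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    emails = prefilled_emails(url)
    reasons = []
    if not is_legit_host(host):
        # Brand keyword anywhere in the host or path of a non-brand site
        text = host + parts.path.lower()
        if any(k in text for k in BRAND_KEYWORDS):
            reasons.append("brand name on a non-brand host")
        # A victim address baked into a link to a site the brand does not own
        if emails:
            reasons.append("pre-filled victim e-mail on a non-brand host")
    return {"url": url, "host": host, "emails": emails,
            "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(classify_lure(u))
```

The first sample is a legitimate deep link and is not flagged even though it carries an address; the second trips both checks; the third has no brand keyword at all but still pre-fills the victim's address on an unrelated host, which is exactly the signal the kit relies on.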
Group-IB uncovered a sophisticated four-stage phishing workflow, each step engineered to increase conversion and evade detection:
Stage 1 — CAPTCHA-Based Evasion
The attack begins with a CAPTCHA challenge designed to “weed out analysis by security bots and scanners.” Only visitors who solve it reach the actual phishing content, so automated URL scanners and sandboxes that cannot pass the challenge never see anything malicious.
Stage 2 — Credential Theft
Victims are presented with a high-fidelity replica of the Aruba login page. Their username and password are “immediately exfiltrated to the attacker.”
Stage 3 — Financial Data Harvesting
Victims then encounter a fake payment renewal page requesting a small fee (e.g., €4.37). The page is deliberately crafted to steal full credit-card details: “name, card number, expiration date, and CVV.”
Stage 4 — OTP / 3D Secure Interception
Finally, the victim is shown a fraudulent OTP verification page that captures the one-time code the bank sends to approve the payment. Because such codes are short-lived, the attackers use the stolen card data and OTP to push a fraudulent transaction through in real time, while the code is still valid.
Telegram serves as the backbone of the operation. Group-IB highlights that Telegram functions as “the central nervous system for this entire operation”, serving several roles:
- Distribution and promotion of phishing kits
- Community support and collaboration
- Real-time exfiltration of stolen credentials
Stolen information is sent to attackers via multiple Telegram channels, with the report noting that “the primary method is a direct message to a pre-configured Telegram chat,” while additional backup channels ensure no data is lost.
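Because the kit phones home over the Telegram Bot API, a hosting provider or a defender watching egress from web servers can look for that traffic directly. The following Python is an added example, not code from the report or the kit: it scans egress-log lines (format and contents constructed for this example) for calls to api.telegram.org/bot&lt;token&gt;/..., groups them by source host, pulls out bot IDs and any chat_id passed in a query string, and flags a host that talks to more than one bot, which matches the primary-plus-backup pattern the report describes. The token shape (numeric bot ID, a colon, then a long secret) follows Telegram's documented scheme; the 30-character minimum on the secret is a loose assumption, and the tokens in the sample are fake.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample egress-log lines for this example ("<time> <source> <method> <url>"),
# not taken from the Group-IB report. The bot tokens are fake.
SAMPLE_LOG = """\
2024-03-01T10:15:02Z web07 POST https://api.telegram.org/bot123456789:AAH_fake_token_for_example_only_x1/sendMessage
2024-03-01T10:15:03Z web07 POST https://api.telegram.org/bot987654321:AAH_fake_token_for_example_only_x2/sendMessage
2024-03-01T10:15:04Z web07 GET https://api.telegram.org/bot123456789:AAH_fake_token_for_example_only_x1/sendMessage?chat_id=-1001234567890&text=login
2024-03-01T10:16:10Z web03 GET https://www.example.com/
2024-03-01T10:17:44Z web12 POST https://api.telegram.org/bot555555555:AAH_fake_token_for_example_only_x3/getUpdates
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")
# Bot tokens look like "<numeric bot id>:<secret>"; the 30-char minimum is an assumption.
TELEGRAM_RE = re.compile(
    r"https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]{30,})/(\w+)(?:\?(\S*))?"
)


def telegram_calls(log_text):
    """Return one record per log line that calls the Telegram Bot API."""
    calls = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        ts, source, method, url = m.groups()
        t = TELEGRAM_RE.search(url)
        if not t:
            continue
        bot_id, secret, api_method, query = t.groups()
        chat_ids = parse_qs(query or "").get("chat_id", [])
        calls.append({
            "time": ts,
            "source": source,
            "method": method,
            "bot_id": bot_id,
            "secret_tail": secret[-4:],  # never write the full token to an alert
            "api_method": api_method,
            "chat_ids": chat_ids,
        })
    return calls


def detect_exfil(log_text, min_sends=1):
    """Group Bot API calls by source host and alert on hosts that send messages."""
    per_source = defaultdict(
        lambda: {"bots": set(), "chats": set(), "sends": 0, "api_methods": set()}
    )
    for c in telegram_calls(log_text):
        s = per_source[c["source"]]
        s["bots"].add(c["bot_id"])
        s["chats"].update(c["chat_ids"])
        s["api_methods"].add(c["api_method"])
        if c["api_method"] == "sendMessage":
            s["sends"] += 1
    alerts = []
    for source, s in sorted(per_source.items()):
        if s["sends"] < min_sends:
            continue
        alerts.append({
            "source": source,
            "sends": s["sends"],
            "bot_ids": sorted(s["bots"]),
            "chat_ids": sorted(s["chats"]),
            # More than one bot from a single host matches the primary-plus-backup pattern
            "multiple_channels": len(s["bots"]) > 1,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_exfil(SAMPLE_LOG):
        print(alert)
```

In the sample, web07 sends three messages through two different bots and names one chat in a GET query string, so it is alerted with multiple_channels set; web12 only polls getUpdates and is left out at the default threshold, though a web server talking to the Bot API at all is worth a closer look. For POST requests the chat_id sits in the request body, so a proxy that logs only URLs will see the bot ID but not the destination chat.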
In some cases, the developer even distributed the kit for free, accelerating its spread through criminal communities.
Group-IB concludes that the analyzed kit “exemplifies the industrialization of online deception.” What once required specialized technical skill can now be executed by almost anyone using modular, automated, and subscription-based frameworks supported by active criminal communities.