A sophisticated multi-stage phishing kit leveraging Telegram for credential harvesting and evading automated detection has been identified targeting users of Aruba S.p.A., a prominent Italian IT and web services provider. This advanced malware operation underscores the evolving tactics of cybercriminals aiming to compromise sensitive account information and financial data from a broad customer base. The attackers exploit the trust users place in Aruba’s services, which manage critical digital infrastructure for over 5.4 million customers across Italy.
Security researchers from Group-IB recently uncovered this potent phishing framework while monitoring underground cybercrime activities. The kit is not merely a collection of fake web pages but an automated platform engineered for stealth and efficiency. It employs multiple layers of defense, including CAPTCHA filtering to block bots and security scanners, and utilizes Telegram bots for the near-instantaneous exfiltration of stolen credentials directly to attackers.
Multi-Stage Credential Harvesting Process
The phishing campaign is meticulously designed to unfold over four distinct stages, systematically extracting user credentials and subsequently financial information. The initial phase involves spear-phishing emails designed to create a sense of urgency, often warning recipients about expiring services or failed payment attempts. These emails steer recipients toward deceptive login pages that bear striking resemblance to the legitimate Aruba.it webmail portal.
A key element of this operation’s sophistication lies in the use of pre-filled login URLs. These URLs automatically populate the victim’s email address into the login form presented on the fake page. This subtle detail, according to Group-IB, enhances the perceived legitimacy of the page, making victims less suspicious and more inclined to enter their passwords.
Upon reaching the fake login page, victims are first presented with a CAPTCHA challenge. This serves as a crucial anti-bot filter, ensuring that only human targets proceed further into the attack chain. Once past this initial hurdle, users are prompted to enter their username and password, which are then immediately transmitted to the attacker’s server.
Following the harvesting of login credentials, the attack progresses to a simulated payment page. Here, victims are requested to provide credit card details, purportedly for a small service renewal fee, typically around €4.37. This stage aims to capture financial information that can be directly monetized by the cybercriminals.
After the submission of credit card information, the victim is presented with a fraudulent 3D Secure verification page. This critical final step captures the one-time password (OTP) sent by the victim’s bank, granting the attackers the necessary authorization codes to conduct real-time fraudulent transactions. This completes the credential harvesting process, leaving the victim vulnerable to financial theft.
Throughout this multi-stage process, all exfiltrated data is sent via Telegram chats. These chats function as active exfiltration channels, delivering instant notifications to the attackers as soon as data is captured. To further obscure the attack and prevent immediate suspicion, victims are ultimately redirected to the legitimate Aruba website, often leaving them unaware that their sensitive information has been compromised.
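The indicators described above (a brand-lookalike host, an e-mail address pre-filled in the login URL's query string, and calls to the Telegram Bot API as the exfiltration channel) can be checked mechanically on the defender's side. The following Python script is an added example written for this page, not code from Group-IB or from the report; it runs over a constructed egress-proxy log in key=value form, and the allowlist of genuine domains, the brand token and the log format are assumptions a defender would adapt to their own environment.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlparse

# Constructed sample egress-proxy log (key=value fields); not data from the report.
SAMPLE_LOG = """\
2024-05-02T10:14:03Z host=web-01 method=POST url=https://api.telegram.org/bot123456:ABCDEFghijkl/sendMessage status=200
2024-05-02T10:14:09Z host=web-01 method=GET url=https://cdn.example.com/app.js status=200
2024-05-02T10:15:44Z host=mail-gw method=GET url=https://aruba-it-webmail.example/login.php?email=mario.rossi%40example.it status=200
2024-05-02T10:16:02Z host=laptop-7 method=GET url=https://webmail.aruba.it/?lang=it status=200
"""

# Assumptions: the defender maintains this allowlist of genuine domains and the
# brand token to watch for in lookalike hostnames.
BRAND_TOKEN = "aruba"
LEGIT_SUFFIXES = ("aruba.it",)

# Telegram Bot API paths have the shape /bot<numeric id>:<token>/<method>.
TELEGRAM_BOT_PATH = re.compile(r"^/bot\d+:[A-Za-z0-9_-]+/")
EMAIL_VALUE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_line(line: str) -> Dict[str, str]:
    """Split 'key=value' tokens; the first token is the timestamp."""
    tokens = line.split()
    fields = {"ts": tokens[0]} if tokens else {}
    for tok in tokens[1:]:
        key, sep, value = tok.partition("=")
        if sep:
            fields[key] = value
    return fields


def is_telegram_bot_call(url: str) -> bool:
    """True for requests to the Telegram Bot API (the kit's exfiltration channel)."""
    parsed = urlparse(url)
    return parsed.hostname == "api.telegram.org" and bool(TELEGRAM_BOT_PATH.match(parsed.path))


def is_lookalike_host(url: str) -> bool:
    """Hostname carries the brand token but is not under a genuine domain."""
    host = (urlparse(url).hostname or "").lower()
    if BRAND_TOKEN not in host:
        return False
    return not any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def has_prefilled_email(url: str) -> bool:
    """A query-string value that is an e-mail address (pre-filled login URL)."""
    query = parse_qs(urlparse(url).query)
    return any(EMAIL_VALUE.match(v) for values in query.values() for v in values)


def analyze(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious line, listing the indicators that fired."""
    findings: List[Dict[str, object]] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        fields = parse_line(line)
        url = fields.get("url")
        if not url:
            continue
        reasons: List[str] = []
        if is_telegram_bot_call(url):
            reasons.append("telegram_bot_api_call")
        if is_lookalike_host(url):
            reasons.append("lookalike_domain")
        if has_prefilled_email(url):
            reasons.append("prefilled_email_in_query")
        if reasons:
            findings.append({"line": line_no, "host": fields.get("host"),
                             "url": url, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"line {f['line']} from {f['host']}: {', '.join(f['reasons'])} -> {f['url']}")
```

The Telegram check is most useful when applied to hosts that should never talk to chat APIs (a web-hosting tier, for instance), since a legitimate workstation may use Telegram; the lookalike and pre-filled-e-mail checks apply equally to URLs extracted from inbound mail before delivery. The genuine portal on the last sample line passes all three checks, which is the false-positive case the allowlist exists for.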
This phishing kit exemplifies the growing trend of “phishing-as-a-service,” where pre-built, sophisticated toolkits reduce the technical barriers for cybercriminals. Such frameworks enable widespread credential theft on an industrial scale, posing a significant and persistent threat to individuals and organizations relying on online services.
The continuous evolution of phishing techniques, as demonstrated by this multi-stage kit utilizing Telegram, necessitates ongoing vigilance from both service providers and end-users. As cybercriminals refine their methods to bypass automated defenses and exploit user trust, the development and deployment of advanced security measures and heightened user awareness remain paramount in the ongoing battle against phishing attacks.