Zscaler Blog
GenAI Used For Phishing Websites Impersonating Brazil’s Government
Introduction
A common theme discussed by Zscaler ThreatLabz in several reports and blogs is how the rise of generative AI tools serves as a double-edged sword, empowering regular users to work more efficiently while also aiding threat actors in their phishing activities. Threat actors are leveraging generative AI tools to quickly and accurately create replica phishing pages that impersonate trusted websites. These seemingly “legitimate” phishing pages, artificially boosted in web searches using SEO poisoning techniques, lure victims into providing sensitive details that end in financial losses.
In this blog post, ThreatLabz explores a campaign that uses generative AI tools like DeepSite AI and BlackBox AI to create malicious replicas of Brazil's State Department of Traffic and Ministry of Education. Our technical analysis explains the telltale signs of AI generated source code, and how the campaign uses API validation to establish legitimacy. In addition, our analysis shows how the final stage of the campaign involves prompting victims to make payments using Pix, Brazil's instant payment system.
Key Takeaways
- Threat actors are leveraging generative AI tools like DeepSite AI and BlackBox AI to produce phishing templates that closely mimic official government websites, like the Brazilian State Department of Traffic and Ministry of Education.
- Threat actors artificially enhance the visibility of phishing pages using SEO poisoning techniques, increasing the likelihood that a victim visits the fraudulent site.
- Source code analysis reveals signatures of generative AI tools, such as overly explanatory comments meant to guide developers, non-functional elements that would typically work on an authentic website, and trends like TailwindCSS styling, which is different from the traditional phishing kits used by threat actors.
- The phishing pages use forms to collect sensitive personal data, such as the Cadastro de Pessoas Físicas (CPF) number (the Brazilian taxpayer identification number) along with the victim’s address, and validate that data to build trust and credibility with the victim.
- The ultimate goal of these campaigns is to trick victims into sending a one-time payment to the threat actors via Pix, a popular payment platform in Brazil.
Overview
ThreatLabz has identified a fraudulent campaign utilizing two phishing templates:
- One impersonating the Brazilian State Department of Traffic with promises of a free driver’s license.
- Another template masquerading as the Brazilian Ministry of Education providing employment opportunities.
The victim flows of these phishing templates are largely similar in behavior and source code, with only minor differences in certain steps. Both of the victim flows actually begin the same way. First, the threat actor replicates the legitimate website using an AI tool and then employs SEO poisoning to enhance visibility of the replica page in online searches. The figure below depicts an example search with phishing pages shown as the first two results.

Figure 1: Threat actors use SEO poisoning techniques to boost their phishing pages in search results.
The victim flows begin as explained in the sections below.
ANALYST NOTE: There are some indications that the malicious phishing pages may have also been advertised via email.
Case Study 1: State Department of Traffic
This phishing template targets individuals seeking a driver’s license on what they believe is the official website of Brazil's State Department of Traffic. The malicious domains for this campaign include the following:
- govbrs[.]com
- gov-brs[.]com
The figure below compares the legitimate website with the phishing page replica created by the threat actors. The aesthetic similarity between the two is striking, with only very slight visual differences, as shown below:

Figure 2: Side-by-side comparison of the legitimate and a phishing page associated with the Brazilian State Department of Traffic.
The attack process for this phishing website is the following:
- The victim arrives at the malicious phishing page after clicking on a link boosted by the threat actor’s SEO poisoning techniques.
- The malicious phishing page requests the victim's CPF number. In the backend, the threat actor uses an API to validate the number, helping the website seem more legitimate and associated with the government.
- The victim is then prompted to fill out a form with personal information, like their residential address. This step is carried out in a staged manner that mimics how legitimate websites typically collect information, further adding to the website’s perceived authenticity.
- The victim is instructed to schedule psychometric and medical exams as part of their license application process.
- The victim is then required to make a payment through a Pix portal under the guise of completing the process, while in reality the payment goes directly to the threat actor.
The figure depicts the overall process.

Figure 3: Diagram shows the victim flow for a Brazilian State Department of Traffic phishing site.
Case Study 2: Ministry of Education
This phishing template preys on individuals seeking job opportunities on what they believe is the official job board for the Brazilian Ministry of Education. The malicious domains observed by ThreatLabz for this phishing campaign include:
- govbr[.]agentesdaeducacao[.]org
- govbr[.]inscricaoagente[.]com
- gov[.]ministerioeduca[.]com
The attack process for this phishing website is the following:
- The victim arrives at the malicious phishing page after clicking on a link boosted by the threat actor’s SEO poisoning techniques.
- The malicious phishing page prompts the user to enter their address.
- Once the address is entered, the phishing page shows fake job vacancies within the victim's geographic location.
- After selecting a job offer, the victim is asked to input their CPF number.
- To secure the supposed job position, the victim is directed to make immediate payment via a Pix portal. Believing the payment is being sent to the Ministry of Education, the victim unknowingly transfers the funds directly to the threat actor.
The figure below shows the victim flow for this phishing template.

Figure 4: Victim flow diagram for a Brazilian Ministry of Education phishing website.
Technical Analysis
The threat actor’s use of generative AI tools can be spotted when inspecting the source code of these phishing pages and by identifying a few design flaws that make certain elements of the page non-clickable. Signs that generative AI tools were used include TailwindCSS styling, overly organized and instructive code comments, staged forms collecting CPF data, and an API system for validating information, all of which will be reviewed in detail below.
CSS clues
DeepSite AI and BlackBox AI consistently utilize TailwindCSS for styling and FontAwesome CSS (hosted on Cloudflare CDN) for icons. Both of these CSS libraries are referenced in the source code of the phishing pages, as shown in the figure below.

Figure 5: Example of the Brazilian government phishing pages HTML source code using the TailwindCSS and FontAwesome libraries.
In the figure below, ThreatLabz used DeepSite AI to replicate the legitimate gov.br website by providing the tool with a link and providing instructions to create a clone. The resulting clone’s source code, displayed on the right side of the figure below, closely mirrors the source code shown in the figure above.

Figure 6: Example of HTML code generated by DeepSite AI.
Non-clickable elements
The phishing pages and the legitimate website are similar in appearance. However, the phishing pages include non-functional user interface (UI) elements that are typically not included in legitimate, working websites.
The figure below compares a legitimate login page with a phishing page's login prompt, highlighting non-functional UI elements outlined in red boxes.

Figure 7: Comparison of the legitimate Brazilian government website and a phishing page with non-clickable elements.
This lack of functionality for expected interactive elements is a strong indicator of a phishing page, suggesting that the generative AI tool replicated the visual layout without implementing the underlying interactive logic.
Code comments
Our analysis of the JavaScript files uncovered code comments that appear to be auto-generated by generative AI tools. Informative comments such as “In a real implementation, this would make an API call” appear in the code, as demonstrated in the JavaScript sample below:
function performSearch(query) {
    console.log('Searching for:', query);
    // In a real implementation, this would make an API call
    fetch(`/search?q=${encodeURIComponent(query)}`)
    .......
}
Code comments are frequently included by generative AI tools to explain a function’s purpose, allowing a developer to easily understand and continue further integration. Such comments are not commonly found in phishing kits, where obfuscation and compactness are the primary goals. Furthermore, these comments are also not typically present in professional, production-ready code intended to power legitimate pages.
Similarly, the CSS files of the site include highly structured comments, seemingly designed to function as an easy-to-read template for the developer (i.e., the threat actor).
These highly structured comments can be seen in the CSS example below:
/* Custom CSS for gov.br clone */
....
/* Base styling - Gov.br font stack */
...
/* Half circle element - Gov.br style */
...
/* Gov.br logo styling */
...
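The CSS clues, non-clickable elements and code comments described above can be turned into a simple triage heuristic. The following is an added example written for this post, not code from ThreatLabz or from the phishing kit: it parses a page with Python's standard html.parser and counts the traits the analysis names (Tailwind loaded from a CDN, FontAwesome from cdnjs, template-style comments in inline script/style blocks, and anchors that lead nowhere). The sample HTML, the comment patterns and the scoring weights are constructed assumptions for illustration; the FontAwesome version in the sample URL is likewise arbitrary.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not a capture from the campaign) that carries the
# traits the write-up attributes to AI-generated clones: Tailwind via CDN,
# FontAwesome from cdnjs, template-style CSS comments, an explanatory
# JavaScript comment, and links that go nowhere.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<script src="https://cdn.tailwindcss.com"></script>
<link rel="stylesheet"
      href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css">
<style>
/* Custom CSS for gov.br clone */
/* Half circle element - Gov.br style */
.half-circle { border-radius: 0 0 50% 50%; }
/* Gov.br logo styling */
.logo { font-weight: bold; }
</style>
</head><body>
<a href="#">Entrar</a>
<a href="javascript:void(0)">Servicos</a>
<a href="/contato">Contato</a>
<script>
function performSearch(query) {
  // In a real implementation, this would make an API call
  fetch(`/search?q=${encodeURIComponent(query)}`);
}
</script>
</body></html>"""

# Comment phrases quoted in the analysis above (matched case-insensitively).
AI_COMMENT_PATTERNS = [
    r"in a real implementation",
    r"custom css for .* clone",
    r"gov\.br (?:style|logo styling)",
]


class CloneTraitParser(HTMLParser):
    """Collects external assets, dead/live links and inline script/style text."""

    def __init__(self):
        super().__init__()
        self.assets = []        # src/href of <script> and stylesheet <link>
        self.dead_links = 0     # <a> elements with no real destination
        self.live_links = 0
        self.inline = []        # raw contents of <script>/<style> blocks
        self._capture = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.assets.append(a["src"])
        elif tag == "link" and a.get("rel") == "stylesheet" and a.get("href"):
            self.assets.append(a["href"])
        elif tag == "a":
            href = (a.get("href") or "").strip().lower()
            if href in ("", "#") or href.startswith("javascript:"):
                self.dead_links += 1
            else:
                self.live_links += 1
        if tag in ("script", "style"):
            self._capture = True

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._capture = False

    def handle_data(self, data):
        if self._capture:
            self.inline.append(data)


def scan(html):
    """Return the individual indicators plus a simple count-based score (0-4)."""
    p = CloneTraitParser()
    p.feed(html)
    p.close()
    assets = " ".join(p.assets).lower()
    blob = "\n".join(p.inline)
    result = {
        "tailwind_cdn": "tailwindcss" in assets,
        "fontawesome_cdnjs": "cdnjs.cloudflare.com" in assets and "font-awesome" in assets,
        "ai_comment_hits": sum(1 for pat in AI_COMMENT_PATTERNS if re.search(pat, blob, re.I)),
        "dead_links": p.dead_links,
        "live_links": p.live_links,
    }
    # One point per trait family; more dead than live links counts as one trait.
    result["score"] = sum([
        result["tailwind_cdn"],
        result["fontawesome_cdnjs"],
        result["ai_comment_hits"] > 0,
        result["dead_links"] > result["live_links"],
    ])
    return result


if __name__ == "__main__":
    for key, value in scan(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

None of these traits is conclusive on its own (plenty of legitimate sites use Tailwind and FontAwesome), which is why the score counts independent trait families rather than raw matches; a high score on a page that also imitates a government brand is what merits analyst attention.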
API validation and staged data collection
The phishing pages employ staged data collection and API validation to enhance their appearance of legitimacy, as explained below.
The phishing page mimics the behavior of authentic websites by progressively requesting additional information from the victim in stages. Information such as a victim’s CPF and address is collected and then validated using an API created by the threat actor. This whole process is designed to deceive the victim because, from the victim’s perspective, a “legitimate” page requested information in a traditional manner and seemingly validated personal details.
Case study 1: State Department of Traffic
The figure below shows the phishing page for Brazil’s Department of Traffic prompting the victim to enter their CPF number and then their residential information.

Figure 8: Example phishing page for Brazil’s Department of Traffic requesting a victim’s CPF and address.
Case study 2: Ministry of Education
The figure below shows the phishing page mimicking Brazil’s Ministry of Education requesting the victim’s CPF number.

Figure 9: Example phishing page for Brazil’s Ministry of Education requesting a victim’s CPF.
After the victim provides their CPF number, address, and additional personal information, the attackers utilize backend API calls to validate the submitted information.
The API domain identified during analysis is registered by the threat actor. The API retrieves data associated with the CPF number and automatically populates the phishing page with information linked to the CPF.
ANALYST NOTE: It is possible that the attackers may have initially acquired CPF numbers and user details through data breaches or by leveraging publicly exposed APIs with an authentication key. This information is then utilized to enhance the credibility of their phishing attempts.
The figure below shows the API’s request and response for fetching CPF number information.

Figure 10: Phishing website API request and response for fetching CPF information, name, date of birth, mother’s name, and gender.
Payment stolen via Pix
The final stage of these attacks requests a “mandatory registration fee” via Pix, Brazil’s instant payment system. This step mimics standard government procedures, but ultimately aims to extract money from the victim.
Case study 1: State Department of Traffic
The figure below depicts the State Department of Traffic phishing page, prompting the victim to send a R$87.40 (~$16 USD) "registration fee" via Pix.

Figure 11: Example phishing page impersonating Brazil’s State Department requesting payment via Pix.
Case study 2: Ministry of Education
The figure below depicts the phishing page for Brazil’s Ministry of Education asking the victim to make a R$87.40 (~$16 USD) payment via Pix.

Figure 12: Example phishing page impersonating Brazil’s Ministry of Education requesting payment via Pix.
Conclusion
Our analysis highlights indicators that these attacks are now leveraging AI-generated phishing websites, using tools like DeepSite AI and BlackBox AI. These sites are promoted via search engines by poisoning search results to defraud visitors. While these phishing campaigns are currently stealing relatively small amounts of money from victims, similar attacks can be used to cause far more damage. Organizations can reduce the risk by ensuring best practices along with deploying a Zero Trust architecture to minimize the attack surface.
Zscaler Coverage
Zscaler’s multilayered cloud security platform detects indicators related to the targeted attacks mentioned in this blog at various levels with the following threat names:
Indicators Of Compromise (IOCs)
- govbr[.]agentesdaeducacao[.]org
- govbrs[.]com
- gov-brs[.]com
- govbr[.]inscricaoagente[.]com
- gov[.]ministerioeduca[.]com
- govbr[.]agenteeducacao[.]org
- agentedaeducacao[.]top
- gov[.]agentedaeducacao[.]top
- agentesdaeducacao[.]com[.]br
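As an added example (not part of the ThreatLabz post), the following Python sweeps web-proxy log lines for the defanged IOC domains listed above. It refangs the indicators, matches a hostname against each indicator as an exact or parent domain (so a www. prefix still hits), and reports the client that contacted it. The log format and the log lines themselves are constructed for illustration and are not a capture from the campaign.

```python
import re
from typing import Optional

# Defanged domains exactly as listed in the IOC section above.
DEFANGED_IOCS = [
    "govbr[.]agentesdaeducacao[.]org",
    "govbrs[.]com",
    "gov-brs[.]com",
    "govbr[.]inscricaoagente[.]com",
    "gov[.]ministerioeduca[.]com",
    "govbr[.]agenteeducacao[.]org",
    "agentedaeducacao[.]top",
    "gov[.]agentedaeducacao[.]top",
    "agentesdaeducacao[.]com[.]br",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a plain, normalised hostname."""
    return indicator.replace("[.]", ".").lower().rstrip(".")


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}


def matches_ioc(hostname: str) -> Optional[str]:
    """Return the IOC domain that covers hostname (exact or parent), else None."""
    labels = hostname.lower().rstrip(".").split(".")
    # Walk from the full host up through its parent domains so that
    # www.govbrs.com is caught by the govbrs.com indicator.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


# Constructed proxy log format: timestamp client method host path status.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample lines; the legitimate gov.br host and the search engine
# visit are included to show that they do not match.
SAMPLE_LOGS = """\
2025-01-01T10:00:01Z 10.0.0.12 GET www.gov.br /pt-br/servicos 200
2025-01-01T10:00:05Z 10.0.0.12 GET www.google.com /search 200
2025-01-01T10:00:09Z 10.0.0.12 GET govbrs.com / 200
2025-01-01T10:00:15Z 10.0.0.12 POST govbrs.com /form 200
2025-01-01T10:01:02Z 10.0.0.27 GET www.govbr.inscricaoagente.com /vagas 200
2025-01-01T10:01:30Z 10.0.0.31 GET cdn.tailwindcss.com / 200
"""


def find_hits(log_text: str) -> list:
    """Return one record per log line whose host matches an IOC domain."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        ioc = matches_ioc(m["host"])
        if ioc:
            hits.append({
                "ts": m["ts"],
                "client": m["client"],
                "method": m["method"],
                "host": m["host"],
                "ioc": ioc,
            })
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOGS):
        print(f"{hit['ts']} {hit['client']} -> {hit['host']} (IOC {hit['ioc']})")
```

A POST to a matched host after an earlier GET (as in the sample for 10.0.0.12) is the pattern worth escalating, since it suggests the user progressed past the landing page into the form stages described above.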