GenAI Used For Phishing Websites Impersonating Brazil’s Government

Threat actors are using generative AI tools like DeepSite AI and BlackBox AI to create highly convincing phishing pages impersonating Brazil’s State Department of Traffic and Ministry of Education, leveraging SEO poisoning to increase visibility. These phishing campaigns collect sensitive personal information, validate it using an API, and ultimately defraud victims by requesting payments through Brazil’s Pix system. #DeepSiteAI #BlackBoxAI #BrazilPix

Key points

  • Threat actors leverage generative AI tools to produce phishing templates that mimic Brazilian government websites, including the State Department of Traffic and Ministry of Education.
  • SEO poisoning techniques are employed to artificially boost the phishing sites’ search engine visibility and lure victims.
  • Phishing pages incorporate signs of AI-generated code such as TailwindCSS styling, instructive code comments, and non-functional UI elements.
  • The phishing sites collect sensitive data like CPF numbers and addresses with staged forms and validate this data via backend APIs controlled by the threat actors.
  • Victims are tricked into making payments through Pix, Brazil’s instant payment system, under false government pretenses.
  • The campaign domains include variations such as govbrs[.]com and govbr[.]agentesdaeducacao[.]org used in impersonation efforts.
  • Zscaler’s multilayered cloud security platform detects these threats under the name HTML.Phish.AIGen.
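
The markers listed above (TailwindCSS and FontAwesome pulled from a CDN, instructive code comments, dead UI elements, staged forms asking for a CPF) can be turned into a simple triage heuristic for page source. The following is an added example written for this summary, not Zscaler's HTML.Phish.AIGen logic; the sample HTML, the regexes and the scoring thresholds are all constructed assumptions for illustration.

```python
import re

# Constructed sample page source (not captured from the campaign) carrying the
# markers the summary lists: TailwindCSS and FontAwesome from a CDN, leftover
# instructive comments, dead "#" links, and a staged form collecting a CPF.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<script src="https://cdn.tailwindcss.com"></script>
<link rel="stylesheet"
 href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css">
</head><body class="bg-gray-100">
<!-- Replace this with the official logo -->
<nav><a href="#">Servicos</a><a href="#">Ajuda</a><a href="#">Sair</a></nav>
<!-- Step 1: collect the CPF before showing the payment step -->
<form id="step1"><input name="cpf" placeholder="Digite seu CPF">
<button type="button">Continuar</button></form>
<form id="step2" class="hidden"><input name="endereco"><input name="cep"></form>
</body></html>"""

# One regex per marker; each pattern is an assumption made for this example.
HEURISTICS = {
    "tailwind_cdn": re.compile(r"cdn\.tailwindcss\.com|tailwind\.min\.css", re.I),
    "fontawesome_cdn": re.compile(r"cdnjs\.cloudflare\.com/ajax/libs/font-awesome", re.I),
    "instructive_comment": re.compile(r"<!--\s*(?:replace|todo|insert|change|step \d)\b", re.I),
    "dead_link": re.compile(r"<a\b[^>]*href=[\"']#[\"']", re.I),
    "cpf_field": re.compile(r"<input\b[^>]*(?:name|id|placeholder)=[\"'][^\"']*cpf", re.I),
    "staged_hidden_form": re.compile(r"<form\b[^>]*class=[\"'][^\"']*\bhidden\b", re.I),
}


def score_page(html: str) -> dict:
    """Count each marker in the page source and attach a verdict.

    Styling libraries alone are common on legitimate sites, so the verdict
    requires a data-collection signal (CPF field or staged hidden form) plus
    at least two signs of template sloppiness. Thresholds are an assumption.
    """
    hits = {name: len(rx.findall(html)) for name, rx in HEURISTICS.items()}
    styling = hits["tailwind_cdn"] > 0 or hits["fontawesome_cdn"] > 0
    collection = hits["cpf_field"] > 0 or hits["staged_hidden_form"] > 0
    sloppy = hits["instructive_comment"] + hits["dead_link"]
    hits["suspicious"] = styling and collection and sloppy >= 2
    return hits


if __name__ == "__main__":
    for marker, count in score_page(SAMPLE_HTML).items():
        print(f"{marker:22} {count}")
```

Treat the verdict as a triage signal for analyst review, not a blocking decision; legitimate Tailwind-based forms will trip individual markers.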

MITRE Techniques

  • [T1566] Phishing – Threat actors craft AI-generated phishing pages mimicking official government sites to steal sensitive information (“…phishing pages request the victim’s CPF number and personal data…”).
  • [T1192] Spearphishing Link – The campaign uses SEO poisoning to promote malicious links higher in search results (“…boost their phishing pages in search results…”).
  • [T1056] Input Capture – Phishing pages employ staged forms to collect victim data such as CPF numbers and addresses (“…forms collecting CPF data and address in a staged manner…”).
  • [T1608] Stage Capabilities – Use of generative AI tools (DeepSite AI, BlackBox AI) to automate creation of phishing templates (“…replicates the legitimate website using an AI tool…”).

Indicators of Compromise

  • [Domain] Malicious phishing domains – govbrs[.]com, gov-brs[.]com, govbr[.]agentesdaeducacao[.]org, govbr[.]inscricaoagente[.]com, and others linked to Brazil government impersonation campaigns.
  • [API Domain] Backend API used for CPF validation – domain registered by threat actor (specific domain not disclosed but identified during technical analysis).
  • [File Style] Use of TailwindCSS and FontAwesome via Cloudflare CDN – distinctive styling libraries in phishing page source code.

Read more: https://www.zscaler.com/blogs/security-research/genai-used-phishing-websites-impersonating-brazil-s-government