- Threat actors cloned Brazilian government sites using generative AI
- The websites were used to steal personal information and money
- In both cases the websites were almost identical, experts warn
Experts have warned that hackers recently used a generative AI tool to replicate several web pages belonging to the Brazilian government in an attempt to steal sensitive personal information and money.
The fake sites were examined by Zscaler ThreatLabz researchers, who discovered several indicators that AI was used to generate the code.
The websites look almost identical to the official sites, and the hackers use SEO poisoning to push them higher in search results, which makes them seem more legitimate.
AI-generated government sites
In the campaign examined by ThreatLabz, two sites were discovered imitating important government portals. The first mimicked the State Department of Traffic portal used to apply for a driver's license.
The real and fake sites appear almost identical; the only big difference is the site's URL. The threat actor used 'govbrs[.]com' as the URL prefix, which mimics the official URL in a way that visitors could easily overlook. The website was also boosted in search results using SEO poisoning, which made it appear to be the legitimate website.
Once on the site, users are asked to enter their CPF number (a personal identification number similar to an SSN), which the hacker would 'authenticate' using an API.
The victim would then fill in a web form asking for personal information, such as name and address, before being asked to schedule psychometric and medical exams as part of the driver's license application.
The victim would then be asked to use PIX, Brazil's instant payment system, to complete their application. The funds would go directly to the hacker's account.
A second site, based on the job board of the Brazilian Ministry of Education, lured applicants into handing over their CPF number and making payments to the hacker. This site used similar URL-squatting techniques and SEO poisoning to seem legitimate.
The user would apply for fake job listings and hand over personal information before again being asked to use the PIX payment system to complete their application.
In ThreatLabz's technical analysis of both sites, much of the code showed signs of being generated by DeepSite AI using a prompt to copy the official site, such as TailwindCSS styling and highly structured code comments stating "In a real implementation …"
CSS files on the sites also include templated instructions on how to reproduce government sites.
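A triage check built on the indicators described above, as an added example that is not ThreatLabz's code: it flags a captured page whose host sits outside the official domain but still spells it out, and whose source carries the placeholder comment or Tailwind styling. The `gov.br` suffix, the function names and the sample page are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

OFFICIAL_SUFFIX = "gov.br"  # assumption: genuine portals live under this suffix
# Indicators named in the article: placeholder comments and Tailwind styling.
PLACEHOLDER = re.compile(r"in a real implementation", re.I)
TAILWIND = re.compile(r"tailwind", re.I)
# HTML, CSS/JS block and JS line comments (the line form also catches URL tails).
COMMENT = re.compile(r"<!--(.*?)-->|/\*(.*?)\*/|//([^\n]*)", re.S)

def refang(url):
    """Undo common defanging so the URL can be parsed (it is never fetched)."""
    return url.replace("[.]", ".").replace("hxxp", "http")

def is_official(host):
    host = host.lower().rstrip(".")
    return host == OFFICIAL_SUFFIX or host.endswith("." + OFFICIAL_SUFFIX)

def is_lookalike(host):
    """Host outside gov.br that still spells 'govbr' once dots and dashes go."""
    flat = re.sub(r"[^a-z0-9]", "", host.lower())
    return not is_official(host) and "govbr" in flat

def triage(url, source):
    """Return the indicators found for one captured page."""
    host = urlsplit(refang(url)).hostname or ""
    comments = [next(g for g in m.groups() if g is not None)
                for m in COMMENT.finditer(source)]
    findings = []
    if is_lookalike(host):
        findings.append("lookalike-host")
    if any(PLACEHOLDER.search(c) for c in comments):
        findings.append("placeholder-comment")
    if TAILWIND.search(source):  # weak alone: common on legitimate sites
        findings.append("tailwind-styling")
    return findings

# Constructed sample page, not taken from the campaign.
SAMPLE = """<html><head><script src="https://cdn.tailwindcss.com"></script></head>
<body class="bg-gray-100">
<!-- Header Section -->
<script>
// In a real implementation, this would validate the CPF on the server
function check(cpf) { return true; }
</script></body></html>"""

if __name__ == "__main__":
    print(triage("hxxps://govbrs[.]com/", SAMPLE))
```

The Tailwind finding only carries weight alongside the other two; on its own it describes a large share of legitimate sites.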
The ThreatLabz blog concludes, "While these phishing campaigns are currently stealing relatively small amounts of money from victims, similar attacks can be used to cause far more damage. Organizations can reduce the risk by ensuring best practices along with implementing a zero trust architecture to minimize the attack surface."



