- Threat actors have cloned Brazilian government websites using a generative AI tool
- The sites have been used to steal personal information and money
- In both cases the fake sites were almost identical to the originals, experts say
Experts have warned about hackers who recently used a generative AI tool to reproduce several web pages belonging to the Brazilian government in order to steal sensitive personal information and money.
The fake websites were examined by researchers from Zscaler ThreatLabz, who found several indicators that AI had been used to generate the code.
The websites look almost identical to the official sites, and the hackers used SEO poisoning to push them higher in search results, making them appear more legitimate.
Government websites generated by AI
In the campaign examined by ThreatLabz, two websites were observed imitating important government portals. The first impersonated the portal of the State Department of Traffic used to apply for a driver's license.
The two sites look almost identical, the only major difference being the website URL. The threat actor used govbrs[.]com as the URL prefix, mimicking the official gov.br domain in a way that visitors could easily overlook. The page was also boosted in search results through SEO poisoning, making it appear to be the legitimate site.
Once on the site, users are asked to enter their CPF number (a personal identification number similar to a US Social Security Number), which the hacker claims to "authenticate" via an API.
The victim then completes a web form requesting personal information such as name and address, before scheduling the psychometric and medical examinations that are part of a driver's license application.
The victim is then asked to use Pix, Brazil's instant payment system, to complete the application. The funds go directly to the attacker's account.
A second website, modelled on the job board of the Brazilian Ministry of Education, lured candidates into handing over their CPF number and making payments to the attacker. This website used similar lookalike URLs and SEO poisoning to appear legitimate.
The user would apply to fake job listings, entering personal information before being asked to use the Pix payment system to complete the application.
In ThreatLabz's technical analysis of the two sites, much of the code showed signs of having been generated by DeepSite AI from a prompt asking it to copy the official website, such as Tailwind CSS styling and highly structured code comments stating "in a real implementation ...".
The CSS files on the website also contain template instructions on how to reproduce government sites.
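As an added triage example (this is not ThreatLabz's tooling or any code from the campaign), the script below scores a fetched page on the indicators described above: a host that evokes gov.br without actually being under it, Tailwind CSS styling, templated "in a real implementation" comments, and the CPF-plus-Pix flow. The two sample pages, their URLs, the indicator weights and the alert threshold are constructed for illustration, not taken from the analysis.

```python
"""Heuristic triage for suspected AI-generated lookalike phishing pages.

Added example, not Zscaler ThreatLabz code. Indicators follow the article;
the weights, threshold and sample HTML below are assumptions.
"""
import re
from urllib.parse import urlparse

OFFICIAL_SUFFIX = ".gov.br"  # real Brazilian federal government domain

# Each indicator: compiled regex over the raw HTML and an assumed weight.
# CPF fields and Pix mentions also appear on genuine sites, so they score low;
# the AI-generation artefacts score higher.
INDICATORS = {
    "tailwind": (re.compile(r"tailwindcss", re.I), 1),
    "placeholder_comment": (re.compile(r"in a real implementation", re.I), 2),
    "cpf_form": (re.compile(r'name=["\']cpf["\']', re.I), 1),
    "pix_payment": (re.compile(r"\bpix\b", re.I), 1),
}
LOOKALIKE_WEIGHT = 3   # assumption
ALERT_THRESHOLD = 4    # assumption


def is_lookalike_domain(url: str) -> bool:
    """True when the host imitates gov.br (govbr, gov-br, govbrs, ...)
    but is not actually gov.br or a subdomain of it."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if host == OFFICIAL_SUFFIX.lstrip(".") or host.endswith(OFFICIAL_SUFFIX):
        return False
    return re.search(r"gov[\-.]?br", host) is not None


def score_page(url: str, html: str) -> dict:
    """Return the matched indicators, a total score and a verdict."""
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(html)]
    score = sum(INDICATORS[name][1] for name in hits)
    if is_lookalike_domain(url):
        hits.append("lookalike_domain")
        score += LOOKALIKE_WEIGHT
    return {"url": url, "hits": hits, "score": score,
            "suspicious": score >= ALERT_THRESHOLD}


# Constructed sample pages (not captured from the real campaign).
PHISH_URL = "https://www.govbrs.com/detran/cnh"
SAMPLE_PHISH = """<!DOCTYPE html>
<html><head>
<script src="https://cdn.tailwindcss.com"></script>
<!-- In a real implementation, this would call the government API -->
</head><body>
<form action="/validar"><input name="cpf" placeholder="CPF"></form>
<p>Pague via Pix para concluir.</p>
</body></html>"""

LEGIT_URL = "https://www.gov.br/pt-br/servicos"
SAMPLE_LEGIT = """<html><head><link rel="stylesheet" href="/static/portal.css"></head>
<body><form action="/login"><input name="cpf"></form></body></html>"""


if __name__ == "__main__":
    for url, html in ((PHISH_URL, SAMPLE_PHISH), (LEGIT_URL, SAMPLE_LEGIT)):
        print(score_page(url, html))
```

The domain check deliberately whitelists only hosts that end in the official suffix; anything else containing a gov/br fragment (govbrs.com, gov-br.net, gov.br.example.org) is treated as a lookalike. In practice the HTML would come from a sandboxed fetch of the URL under investigation, and the indicator list would be extended with whatever template strings a given AI site builder leaves behind.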
The ThreatLabz blog concludes: "Although these phishing campaigns are currently stealing relatively small sums from victims, similar attacks could be used to cause much more damage. Organizations can reduce the risk by ensuring best practices, while deploying a zero trust architecture to minimize the attack surface."