Cybersecurity researchers are drawing attention to a new campaign that’s using legitimate generative artificial intelligence (AI)-powered website building tools like DeepSite AI and BlackBox AI to create replica phishing pages mimicking Brazilian government agencies as part of a financially motivated campaign.
The activity involves the creation of lookalike sites imitating Brazil’s State Department of Traffic and Ministry of Education, which then trick unsuspecting users into making unwarranted payments through the country’s PIX payment system, Zscaler ThreatLabz said.
These fraudulent sites are artificially boosted using search engine optimization (SEO) poisoning techniques to enhance their visibility, thereby increasing the likelihood of success of the attack.
“Source code analysis reveals signatures of generative AI tools, such as overly explanatory comments meant to guide developers, non-functional elements that would typically work on an authentic website, and trends like TailwindCSS styling, which is different from the traditional phishing kits used by threat actors,” Zscaler’s Jagadeeswar Ramanukolanu, Kartik Dixit, and Yesenia Barajas said.
The end goal of the attacks is to serve bogus forms that collect sensitive personal information, including Cadastro de Pessoas FÃsicas (CPF) numbers, Brazilian taxpayer identification numbers, residential addresses, and convince them to make a one-time payment of 87.40 reals ($16) to the threat actors via PIX under the guise of completing a psychometric and medical exam or secure a job offer.
To further increase the legitimacy of the campaign, the phishing pages are designed such that they employ staged data collection by progressively requesting additional information from the victim, mirroring the behavior of the authentic websites. The collected CPF numbers are also validated on the backend by means of an API created by the threat actor.
“The API domain identified during analysis is registered by the threat actor,” Zscaler said. “The API retrieves data associated with the CPF number and automatically populates the phishing page with information linked to the CPF.”
That said, the company noted that it’s possible the attackers may have acquired CPF numbers and user details through data breaches or by leveraging publicly exposed APIs with an authentication key, and then used the information to increase the credibility of their phishing attempts.
“While these phishing campaigns are currently stealing relatively small amounts of money from victims, similar attacks can be used to cause far more damage,” Zscaler noted.
Mass mailing Campaign Distributes Efimer Trojan to Steal Crypto
Brazil has also become the focus of a malspam campaign that impersonates lawyers from a major company to deliver a malicious script called Efimer and steal a victim’s cryptocurrency. Russian cybersecurity company Kaspersky said it detected the mass mailing campaign in June 2025, with early iteration of the malware…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
