Threat Actors Leveraging GenAI for Phishing Attacks Impersonating Government Websites
Cybercriminals have escalated their phishing operations by incorporating generative artificial intelligence tools to create sophisticated replicas of government websites, marking a significant evolution in social engineering tactics.
A recent campaign targeting Brazilian citizens demonstrates how threat actors are exploiting AI-powered platforms like DeepSite AI and BlackBox AI to construct convincing duplicates of official government portals, specifically impersonating Brazil’s State Department of Traffic and Ministry of Education websites.
The emergence of this AI-enhanced phishing methodology represents a paradigmatic shift from traditional phishing kits toward more sophisticated, automated website replication techniques.
These malicious actors employ search engine optimization poisoning strategies to artificially elevate their fraudulent pages in search results, ensuring victims encounter the deceptive sites when searching for legitimate government services.
The campaign’s primary attack vectors include boosted search rankings and potentially targeted email distribution, creating multiple pathways for victim engagement.
Zscaler researchers identified this campaign through comprehensive analysis of suspicious domains and source code examination, revealing distinctive signatures of AI-generated content.
The financial impact centers on relatively modest individual losses of approximately R$87.40 (roughly $16 USD) per victim, collected through Brazil’s instant payment system Pix, though the cumulative effect across numerous victims represents substantial illicit revenue generation.
The phishing operations target two primary government services: driver’s license applications through the State Department of Traffic and employment opportunities via the Ministry of Education job board.
Both campaigns follow remarkably similar victim flows, beginning with data collection of Brazil’s Cadastro de Pessoas Físicas (CPF) taxpayer identification numbers and progressing through staged information gathering designed to build credibility and trust.
Technical Indicators of AI-Generated Phishing Infrastructure
The technical analysis reveals several distinctive markers that distinguish these AI-generated phishing sites from conventional threat actor methodologies.
Source code examination exposes the consistent utilization of TailwindCSS for styling and FontAwesome libraries hosted on Cloudflare’s content delivery network, representing a departure from typical phishing kit architecture.
The HTML structure demonstrates clear AI generation signatures through overly explanatory code comments intended for developer guidance rather than production deployment, as seen in the page whose title reads:
Mais Agentes da Educação gov.br
JavaScript implementations contain instructional comments that explicitly acknowledge incomplete functionality, as evidenced in this code sample:
function performSearch(query) {
console.log('Searching for:', query);
// In a real implementation, this would make an API call
fetch(`/search?q=${encodeURIComponent(query)}`)
}
The phishing infrastructure incorporates sophisticated API validation systems that verify submitted CPF numbers and automatically populate victim information, creating an illusion of legitimate government database connectivity.
This backend validation mechanism enhances credibility by displaying accurate personal details associated with the provided identification numbers, potentially sourced from previous data breaches or compromised APIs.
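The indicators listed above (TailwindCSS and FontAwesome pulled from Cloudflare's CDN, tutorial-style code comments such as the "In a real implementation" remark in the JavaScript sample, and a form built around CPF collection) can be turned into a simple triage heuristic for analysts reviewing suspicious pages. The script below is an added example and is not Zscaler's tooling or code from the campaign; the sample HTML fragment, the indicator list, the weights and the threshold are all constructed for illustration and should be tuned against real telemetry.

```python
import re
from dataclasses import dataclass

# Constructed sample page in the style the article describes (not the actual phishing page).
SAMPLE_HTML = """<!DOCTYPE html>
<html lang="pt-BR">
<head>
  <title>Mais Agentes da Educação gov.br</title>
  <script src="https://cdn.tailwindcss.com"></script>
  <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css">
</head>
<body>
  <!-- Main container: holds the form that the user fills in -->
  <form id="cpf-form">
    <label for="cpf">CPF</label>
    <input id="cpf" name="cpf" placeholder="000.000.000-00">
    <button type="submit">Consultar</button>
  </form>
  <script>
    function performSearch(query) {
      console.log('Searching for:', query);
      // In a real implementation, this would make an API call
      fetch(`/search?q=${encodeURIComponent(query)}`)
    }
  </script>
</body>
</html>
"""

# Constructed benign page with none of the markers, used as a control.
BENIGN_HTML = """<html><head><title>Hello</title><link rel="stylesheet" href="/static/site.css"></head>
<body><form><input name="q"></form></body></html>"""

# (indicator name, weight, pattern). Weights are illustrative assumptions, not measured values.
INDICATORS = [
    ("tailwind_cdn", 1, re.compile(r"cdn\.tailwindcss\.com|tailwindcss", re.I)),
    ("fontawesome_cloudflare_cdn", 1,
     re.compile(r"cdnjs\.cloudflare\.com/ajax/libs/font-awesome", re.I)),
    # Tutorial-style comments: JS "In a real implementation" or HTML comments narrating layout.
    ("tutorial_style_comment", 2,
     re.compile(r"//\s*In a real implementation|<!--[^>]*(holds|contains|this section)", re.I)),
    # A form field named/id'd "cpf" shows the page is built to harvest taxpayer IDs.
    ("cpf_collection_field", 2, re.compile(r"<input[^>]*(name|id)=[\"']cpf[\"']", re.I)),
    ("govbr_branding", 1, re.compile(r"gov\.br", re.I)),
]

@dataclass
class ScanResult:
    score: int          # weighted sum of matched indicators
    hits: list          # names of matched indicators
    comment_lines: int  # lines that start with a comment marker (AI pages are comment-heavy)

def scan_html(html: str) -> ScanResult:
    """Score a page against the AI-generated-phishing markers described in the article."""
    hits = [name for name, _, rx in INDICATORS if rx.search(html)]
    score = sum(w for name, w, _ in INDICATORS if name in hits)
    comment_lines = sum(
        1 for line in html.splitlines() if re.match(r"^\s*(//|<!--|/\*|\*)", line)
    )
    return ScanResult(score, hits, comment_lines)

def verdict(result: ScanResult, threshold: int = 4) -> str:
    """Threshold is an assumed cut-off; raise or lower it against a labelled corpus."""
    return "suspicious" if result.score >= threshold else "no strong AI-phishing markers"

if __name__ == "__main__":
    for label, page in (("sample", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        r = scan_html(page)
        print(f"{label}: score={r.score} hits={r.hits} comment_lines={r.comment_lines} -> {verdict(r)}")
```

The CDN and branding markers are weak on their own (plenty of legitimate sites use Tailwind and FontAwesome), which is why they carry a lower weight than the narrated comments and the CPF field; the heuristic is meant to prioritise review, not to block on its own.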