Threat Actors Use GenAI to Launch Phishing Attacks Mimicking Government Websites

Threat actors are increasingly leveraging generative AI (GenAI) tools to craft highly convincing phishing websites that impersonate legitimate government portals.

As highlighted by Zscaler ThreatLabz in its recent reports and blogs, the dual nature of GenAI, which boosts productivity for legitimate users while also enabling cybercriminals, has become a critical issue.

These tools, such as DeepSite AI and BlackBox AI, allow attackers to replicate official websites with alarming precision, targeting unsuspecting users for financial gain.

Figure: Example of HTML code generated by DeepSite AI

Sophisticated Phishing Campaigns

Two specific campaigns in Brazil, impersonating the State Department of Traffic and the Ministry of Education, exemplify this growing threat, exploiting both technical sophistication and social engineering to deceive victims.

The phishing campaigns analyzed by Zscaler ThreatLabz reveal a meticulous approach by threat actors who use GenAI to clone government websites, like those of Brazil’s State Department of Traffic and Ministry of Education, with near-identical aesthetics.

These fraudulent sites are boosted in search engine results through SEO poisoning techniques, ensuring high visibility to potential victims.

Figure: Threat actors use SEO poisoning techniques

AI-Generated Phishing Pages

Technical analysis of the source code uncovers distinct signatures of AI-generated content, including the use of TailwindCSS for styling and FontAwesome for icons, alongside overly descriptive code comments such as “In a real implementation, this would make an API call.”

These comments, meant to guide developers, are uncommon in traditional phishing kits that prioritize obfuscation.

Additionally, non-functional UI elements on these pages, such as non-clickable buttons or links, contrast with legitimate websites and serve as a telltale sign of AI replication without full interactivity.
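The indicators listed above (CDN-loaded TailwindCSS and FontAwesome, developer-style placeholder comments, and inert buttons or links) can be turned into a simple static triage check. The script below is an added example written for this article, not ThreatLabz's detection logic; the comment patterns beyond the one quoted in the article, the verdict threshold, and the sample page are assumptions constructed to show how the heuristics combine.

```python
import re
from html.parser import HTMLParser

# Placeholder comment phrases typical of generated scaffolding. The first one
# is quoted in the article; the others are assumptions added for this example.
PLACEHOLDER_COMMENT_PATTERNS = [
    r"in a real implementation",
    r"replace (this )?with (your|an?|the) (real|actual)",
    r"simulate[sd]?\b",
    r"\bplaceholder\b",
]

# Verdict threshold is an assumption for this example, not a vendor setting.
VERDICT_THRESHOLD = 3


class _PageScanner(HTMLParser):
    """Collects the raw signals: loaded assets, comments, and inert controls."""

    def __init__(self):
        super().__init__()
        self.assets = []          # href/src of <link> and <script> tags
        self.comments = []        # text of <!-- --> comments
        self.total_links = self.inert_links = 0
        self.total_buttons = self.inert_buttons = 0
        self._form_depth = 0      # >0 while inside a <form>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("link", "script"):
            src = a.get("href") or a.get("src")
            if src:
                self.assets.append(src.lower())
        elif tag == "form":
            self._form_depth += 1
        elif tag == "a":
            self.total_links += 1
            href = (a.get("href") or "").strip().lower()
            # An anchor that goes nowhere and has no click handler is inert.
            if href in ("", "#", "javascript:void(0)") and "onclick" not in a:
                self.inert_links += 1
        elif tag == "button":
            self.total_buttons += 1
            # A button outside any form with no handler cannot do anything.
            if self._form_depth == 0 and "onclick" not in a:
                self.inert_buttons += 1

    def handle_endtag(self, tag):
        if tag == "form" and self._form_depth:
            self._form_depth -= 1

    def handle_comment(self, data):
        self.comments.append(" ".join(data.split()))


def score_page(html):
    """Return the indicators found in one HTML document and a verdict."""
    s = _PageScanner()
    s.feed(html)
    s.close()
    findings = []
    joined = " ".join(s.assets)
    if "tailwindcss" in joined:
        findings.append("tailwindcss-cdn")
    if "font-awesome" in joined or "fontawesome" in joined:
        findings.append("fontawesome-cdn")
    for c in s.comments:
        if any(re.search(p, c, re.I) for p in PLACEHOLDER_COMMENT_PATTERNS):
            findings.append("placeholder-comment: " + c[:60])
    if s.total_links and s.inert_links / s.total_links >= 0.5:
        findings.append(f"inert-links: {s.inert_links}/{s.total_links}")
    if s.inert_buttons:
        findings.append(f"inert-buttons: {s.inert_buttons}/{s.total_buttons}")
    score = len(findings)
    verdict = "likely-generated-lure" if score >= VERDICT_THRESHOLD else "no-verdict"
    return {"score": score, "findings": findings, "verdict": verdict}


# Constructed sample modelled on the traits the article describes; it is not
# a captured page from either campaign.
SAMPLE_PAGE = """<!DOCTYPE html>
<html lang="pt-BR">
<head>
  <script src="https://cdn.tailwindcss.com"></script>
  <link rel="stylesheet"
        href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css">
</head>
<body>
  <nav><a href="#">Servicos</a><a href="#">Ajuda</a><a href="#">Sair</a></nav>
  <!-- In a real implementation, this would make an API call -->
  <div><button class="bg-blue-600">Consultar CPF</button></div>
  <form action="/etapa2"><input name="cpf"><button type="submit">Continuar</button></form>
</body>
</html>"""

if __name__ == "__main__":
    result = score_page(SAMPLE_PAGE)
    print(result["verdict"], result["score"])
    for finding in result["findings"]:
        print(" -", finding)
```

Each signal on its own is weak (plenty of legitimate sites use Tailwind), so the check only reports a verdict when several co-occur; it is a triage aid for analysts reviewing suspected lookalike pages, not a blocking control.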

The phishing pages also employ staged data collection, requesting sensitive information like the Brazilian taxpayer ID (CPF) and residential details in a manner mimicking authentic processes, further enhanced by backend API validation to build trust.

The ultimate goal of these attacks is to extract payments via Pix, Brazil’s instant payment system, under the guise of mandatory fees, with victims unknowingly transferring funds directly to attackers.

These campaigns, while currently extracting modest sums (approximately $16 USD per victim), pose a significant risk of escalation.

The ability to rapidly generate convincing replicas using GenAI tools signals a potential for broader, more damaging attacks targeting sensitive data or larger financial transactions.

In the report, Zscaler emphasizes the importance of adopting a Zero Trust architecture to mitigate such risks, alongside best practices for identifying phishing indicators.

Their cloud security platform detects related threats under identifiers like HTML.Phish.AIGen, providing multilayered protection against these evolving attacks.

As GenAI continues to lower the barrier for creating sophisticated phishing sites, organizations and individuals must remain vigilant, prioritizing robust security measures to counter this double-edged technological advancement.

Indicators of Compromise (IOCs)

Domain
govbr[.]agentesdaeducacao[.]org
govbrs[.]com
gov-brs[.]com
govbr[.]inscricaoagente[.]com
gov[.]ministerioeduca[.]com
govbr[.]agenteeducacao[.]org
agentedaeducacao[.]top
gov[.]agentedaeducacao[.]top
agentesdaeducacao[.]com[.]br
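The indicators above are published defanged (`[.]` in place of `.`), so a defender has to refang and normalise them before matching. The script below is an added example, not part of the article or of Zscaler's tooling: it refangs the listed domains, matches hostnames on a label boundary so that subdomains of an indicator are caught but unrelated lookalikes are not, and runs the match over a constructed proxy log whose addresses and timestamps are invented.

```python
from urllib.parse import urlsplit

# Defanged domains exactly as listed in the article's IOC section.
IOC_DOMAINS_DEFANGED = [
    "govbr[.]agentesdaeducacao[.]org",
    "govbrs[.]com",
    "gov-brs[.]com",
    "govbr[.]inscricaoagente[.]com",
    "gov[.]ministerioeduca[.]com",
    "govbr[.]agenteeducacao[.]org",
    "agentedaeducacao[.]top",
    "gov[.]agentedaeducacao[.]top",
    "agentesdaeducacao[.]com[.]br",
]


def refang(domain):
    """Turn a defanged indicator back into a normalised hostname."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


IOC_DOMAINS = [refang(d) for d in IOC_DOMAINS_DEFANGED]


def matches_ioc(hostname, iocs=IOC_DOMAINS):
    """Return the matching indicator for an exact or subdomain hit, else None."""
    if not hostname:
        return None
    h = hostname.lower().rstrip(".")
    for ioc in iocs:
        # Label-boundary check so 'notgovbrs.com' does not match 'govbrs.com'.
        if h == ioc or h.endswith("." + ioc):
            return ioc
    return None


def scan_proxy_log(text, iocs=IOC_DOMAINS):
    """Scan 'timestamp client method url status' lines; return (client, host, ioc) hits."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        host = urlsplit(parts[3]).hostname
        ioc = matches_ioc(host, iocs)
        if ioc:
            hits.append((parts[1], host, ioc))
    return hits


# Constructed sample proxy log (assumed format); clients and times are invented.
SAMPLE_PROXY_LOG = """\
2025-06-02T13:04:11Z 10.0.4.21 GET https://www.gov.br/pt-br/servicos 200
2025-06-02T13:05:37Z 10.0.4.21 GET https://govbr.agentesdaeducacao.org/inscricao 200
2025-06-02T13:06:02Z 10.0.4.33 GET https://cdn.tailwindcss.com/ 200
2025-06-02T13:07:45Z 10.0.4.33 POST https://login.gov-brs.com/api/validate 200
2025-06-02T13:08:10Z 10.0.4.50 GET https://notgovbrs.com/ 200
2025-06-02T13:09:00Z 10.0.4.50 GET http://www.agentesdaeducacao.com.br/pagamento 302
"""

if __name__ == "__main__":
    for client, host, ioc in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} contacted {host} (matches IOC {ioc})")
```

The same `matches_ioc` check applies to DNS query logs or a resolver blocklist; the subdomain rule matters because the campaigns place their lure pages under `gov`- and `govbr`-prefixed subdomains of the listed zones.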
