Experts have warned hackers recently used a generative AI tool to replicate several web pages belonging to the Brazilian government in an effort to steal sensitive personal information and money. The fake websites were examined by Zscaler ThreatLabz researchers, who discovered multiple indicators of the use of AI to generate code. The websites look almost identical to the official sites, with the hackers using SEO poisoning to make the websites appear higher in search results, and therefore seem more legitimate.
AI generated government websites

In the campaign examined by ThreatLabz, two websites were spotted mimicking important government portals. The first was for Brazil’s State Department of Traffic’s portal for applying for a driver’s license.
The two sites appear to be near-identical, with the only major difference being in the website’s URL. The threat actor used ‘govbrs[.]com’ as the URL prefix, mimicking the official URL in a way that would be easily overlooked by those visiting the site. The webpage was also boosted in search results using SEO poisoning, making it appear to be the legitimate site. Once on the site, the users are invited to enter their CPF number (a form of personal identification number similar to an SSN), which the hacker would ‘authenticate’ using an API.
The victim would then fill out a web form asking for personal information such as name and address, before being asked to schedule psychometric and medical exams as part of the driving application.
The victim would then be prompted to use Pix, Brazil’s instant payment system, to complete their application. The funds would go directly to the hacker’s account.
A second website based on the job board for the Brazilian Ministry of Education lured applicants into handing over their CPF number and completing payments to the hacker. This website used similar URL squatting techniques and SEO poisoning to appear legitimate.
The user would apply to fake job listings, handing over personal information before again being prompted to use the Pix payment system to complete their application.
In ThreatLabz’ technical analysis of both sites, much of the code showed signs of being generated by Deepsite AI using a prompt to copy the official website, such as TailwindCSS styling and highly structured code comments that state “In a real implementation…”
The CSS files of the website also include templated instructions on how to reproduce the government sites.
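As an added illustration (not code from the ThreatLabz report or this article), the following Python triage helper applies the indicators described above to a fetched page: a hostname that borrows the gov.br look without being under it, AI-scaffold comments such as “In a real implementation…”, and a Tailwind CDN reference. The sample URL and HTML are constructed for the example, and the suffix, phrase list and Tailwind check are assumptions, not values from the report.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

OFFICIAL_SUFFIX = ".gov.br"  # assumption: official Brazilian government portals live here
TEMPLATE_PHRASES = ("in a real implementation",)  # scaffold comment phrase noted by the report
TAILWIND_CDN = re.compile(r"tailwindcss", re.I)  # weak indicator on its own; many sites use it

class _PageCollector(HTMLParser):
    """Collects HTML comments and external script sources from a page."""
    def __init__(self):
        super().__init__()
        self.comments, self.scripts = [], []

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if src:
            self.scripts.append(src)

def is_official_host(host):
    host = host.lower().rstrip(".")
    return host == OFFICIAL_SUFFIX[1:] or host.endswith(OFFICIAL_SUFFIX)

def looks_like_gov_br(host):
    """Heuristic: a non-gov.br host that borrows both 'gov' and 'br' (e.g. govbrs.com)."""
    stem = "".join(host.lower().split(".")[:-1])  # drop the TLD label before matching
    return "gov" in stem and "br" in stem and not is_official_host(host)

def triage_page(url, html):
    """Return indicator strings for one page; an empty list means nothing was flagged."""
    host = urlparse(url).hostname or ""
    findings = []
    if looks_like_gov_br(host):
        findings.append(f"lookalike host: {host} is not under {OFFICIAL_SUFFIX}")
    collector = _PageCollector()
    collector.feed(html)
    findings += [f"template comment: {c[:60]!r}" for c in collector.comments
                 if any(p in c.lower() for p in TEMPLATE_PHRASES)]
    if any(TAILWIND_CDN.search(s) for s in collector.scripts):
        findings.append("Tailwind CDN script on a government-branded page")
    return findings

# Constructed sample modelled on the campaign; not captured from a real site.
SAMPLE_URL = "https://www.govbrs.com/habilitacao"
SAMPLE_HTML = ('<html><head><script src="https://cdn.tailwindcss.com"></script>'
               '<!-- In a real implementation, this would call the backend to validate the CPF -->'
               '</head><body><form>CPF</form></body></html>')
```

Each finding is a hint to prioritise a manual look, not a verdict; a page with only the Tailwind hit should be treated as benign until other indicators appear.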
The ThreatLabz blog[1] concludes, “While these phishing campaigns are currently stealing relatively small amounts of money from victims, similar attacks can be used to cause far more damage. Organizations can reduce the risk by ensuring best practices along with deploying a Zero Trust architecture to minimize the attack surface.”
This article is shared with permission at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
[1] https://www.zscaler.com/blogs/security-research/genai-used-phishing-websites-impersonating-brazil-s-government