Zscaler’s ThreatLabz has uncovered a phishing campaign that leverages generative AI to construct high-fidelity replicas of Brazilian government websites, including the State Department of Traffic (Detran) and the Ministry of Education. These cloned sites are then boosted via SEO poisoning, appearing prominently in Google search results and luring unsuspecting users into submitting personal information and Pix payments.
ThreatLabz identified the use of AI tools such as DeepSite AI and BlackBox AI to create the fake government websites. The generated pages feature:
- TailwindCSS styling
- FontAwesome icons
- Over-explanatory developer comments
- Staged forms and backend API validation
“Source code analysis reveals signatures of generative AI tools, such as overly explanatory comments meant to guide developers… and TailwindCSS styling, which is different from the traditional phishing kits used by threat actors,” the report explains.
Even the phishing sites’ JavaScript contains lines like:

Fake domains like govbrs[.]com mimic the Detran website with near pixel-perfect detail. The attack flow includes:
- Victims land on the phishing page via SEO-boosted results
- They are prompted to enter their CPF (Brazilian taxpayer ID) and address
- The data is validated via a backend API, falsely establishing legitimacy
- Victims are told to schedule exams
- They are then asked to pay R$87.40 (~$16 USD) via Pix, a payment that goes directly to the attacker
“The ultimate goal of these campaigns is to trick victims into sending a one-time payment to the threat actors via Pix, Brazil’s instant payment system,” the report states.
Fake domains such as govbr[.]agentesdaeducacao[.]org and gov[.]ministerioeduca[.]com present seemingly legitimate job offers:
- Users enter their address
- They view fake job openings based on location
- They enter their CPF to apply
- They are prompted to pay an R$87.40 “registration fee” via Pix
ThreatLabz’s technical analysis reveals:
- Non-clickable UI elements, indicating cloned appearance without functionality
- AI-style code comments and highly structured CSS
- Use of API validation, possibly tied to previously breached CPF records
- Fake Pix portals to steal payments
“The phishing pages employ staged data collection and API validation to enhance their appearance of legitimacy,” the report notes.
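The indicators listed above can be combined into a triage check that a defender runs over a fetched page and its hostname. This is an added example, not code from the ThreatLabz report; the heuristic names, the thresholds, the gov.br official-suffix rule and the sample HTML are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

def impersonates_gov(host):
    # Assumption: official services live under gov.br; "gov*" labels elsewhere are lookalikes.
    host = host.replace("[.]", ".").lower().rstrip(".")  # accept defanged indicators
    if host == "gov.br" or host.endswith(".gov.br"):
        return False
    return any(label.startswith("gov") for label in host.split("."))

class PageScan(HTMLParser):
    def __init__(self):
        super().__init__()
        self.comments = self.dead_links = 0
        self.assets, self.inputs = [], []
    def handle_comment(self, data):
        if len(data.split()) >= 5:  # sentence-like comment, not a short marker
            self.comments += 1
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "link"):
            self.assets.append((a.get("src") or a.get("href") or "").lower())
        elif tag == "input":
            self.inputs.append(" ".join(v or "" for v in a.values()).lower())
        elif tag == "a" and (a.get("href") or "#") == "#":
            self.dead_links += 1

def triage(host, html):
    # Returns the names of the heuristics that fired; thresholds are assumptions.
    scan = PageScan()
    scan.feed(html)
    checks = {
        "gov-lookalike-host": impersonates_gov(host),
        "tailwindcss": any("tailwind" in s for s in scan.assets),
        "fontawesome": any(re.search(r"font-?awesome", s) for s in scan.assets),
        "explanatory-comments": scan.comments >= 3,
        "cpf-field": any("cpf" in i for i in scan.inputs),
        "pix-payment": re.search(r"\bpix\b", html, re.I) is not None,
        "non-clickable-links": scan.dead_links >= 3,
    }
    return [name for name, fired in checks.items() if fired]

# Constructed sample page (not taken from the campaign); asset URLs are placeholders.
SAMPLE = """<!-- Load the TailwindCSS library used for page styling -->
<script src="https://cdn.example/tailwindcss.js"></script>
<link rel="stylesheet" href="https://cdn.example/font-awesome/all.min.css">
<!-- Navigation bar with links to the main sections -->
<nav><a href="#">Servicos</a><a href="#">Contato</a><a href="#">Ajuda</a></nav>
<!-- Form that collects the CPF before the next step -->
<form><input name="cpf" placeholder="CPF"></form><p>Pague R$87,40 via Pix</p>"""
```

No single heuristic is conclusive, since TailwindCSS and FontAwesome are common on legitimate sites; the signal comes from several firing together on a host outside gov.br.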
Zscaler ThreatLabz concludes that generative AI has lowered the barrier to entry for cybercriminals, allowing rapid creation of highly believable phishing infrastructure that can scale and localize with minimal effort.