
AI technologies utilised for Brazilian phishing scam

Cybersecurity researchers have highlighted a new campaign that uses legitimate generative artificial intelligence (AI)-powered website building tools, such as DeepSite AI and BlackBox AI, to create replica phishing pages mimicking Brazilian government agencies. According to Zscaler ThreatLabz, this financially motivated activity involves lookalike sites imitating Brazil’s State Department of Traffic and Ministry of Education, which deceive unsuspecting users into making unwarranted payments through the country’s PIX payment system. The fraudulent sites are promoted with search engine optimisation (SEO) poisoning so that they rank highly in search results, increasing the likelihood that victims land on them. Source code analysis has revealed signatures of generative AI tools, including overly explanatory comments of the kind written to guide developers, non-functional elements that merely imitate those found on authentic websites, and stylistic choices such as TailwindCSS, all of which differ from the traditional phishing kits used by threat actors.

The ultimate goal of these attacks is to present bogus forms that collect sensitive personal information, such as Cadastro de Pessoas Físicas (CPF) numbers (Brazilian taxpayer identification numbers) and residential addresses, while convincing victims to make a one-time payment of 87.40 reals (approximately $16) under the pretext of completing a psychometric and medical exam or securing a job offer. To enhance the legitimacy of the campaign, the phishing pages employ staged data collection, progressively requesting additional information from victims in the way authentic websites do. The collected CPF numbers are validated on the backend through an API created by the threat actor, which retrieves data associated with the CPF number and automatically populates the phishing page. Zscaler noted that the attackers may have acquired CPF numbers and user details through data breaches or by exploiting publicly exposed APIs with authentication keys, thereby increasing the credibility of their phishing attempts. While these campaigns currently extract relatively small amounts of money from victims, similar attacks have the potential to cause far greater damage. Additionally, Brazil has become the target of a malspam campaign impersonating lawyers from a major company to distribute a malicious script called Efimer, aimed at stealing victims’ cryptocurrency. Russian cybersecurity company Kaspersky detected this mass mailing campaign in June 2025, with early iterations of the malware tracing back to October 2024, spreading via infected WordPress websites.
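The AI-generated-page signatures and form features described in the two paragraphs above can be turned into a triage heuristic run over the HTML of a page fetched from a suspicious URL. The following Python script is an added example, not Zscaler's code or anything taken from the campaign; the indicator names, the thresholds and both HTML samples are constructed assumptions.

```python
import re
from html.parser import HTMLParser

class _PageStats(HTMLParser):
    """Collects the page features that the indicators described above rely on."""
    def __init__(self):
        super().__init__()
        self.comments, self.srcs, self.hrefs, self.inputs = [], [], [], []

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "link") and (a.get("src") or a.get("href")):
            self.srcs.append(a.get("src") or a.get("href"))  # loaded assets
        elif tag == "a":
            self.hrefs.append((a.get("href") or "").strip())  # navigation links
        elif tag == "input":
            self.inputs.append((a.get("name") or a.get("id") or "").lower())

def score_page(html):
    """Return the names of the indicators that fire on one page's HTML."""
    p = _PageStats()
    p.feed(html)
    hits = []
    if any("tailwindcss" in s.lower() for s in p.srcs):
        hits.append("tailwind")  # TailwindCSS styling pulled from a CDN
    if sum(len(c.split()) >= 8 for c in p.comments) >= 2:
        hits.append("explanatory_comments")  # verbose, tutorial-style comments
    dead = [h for h in p.hrefs if h in ("", "#") or h.startswith("javascript:")]
    if p.hrefs and len(dead) / len(p.hrefs) >= 0.5:
        hits.append("dead_navigation")  # decorative links that lead nowhere
    if any("cpf" in n for n in p.inputs):
        hits.append("cpf_field")  # the form collects a CPF number
    if re.search(r"\bpix\b", html, re.I):
        hits.append("pix_payment")  # the page asks for a PIX payment
    return hits

# Constructed sample resembling the described lookalike pages (not a real capture).
SAMPLE_HTML = """<!-- This is the main header section of the page containing the logo and title -->
<html><head><script src="https://cdn.tailwindcss.com"></script></head><body>
<!-- Navigation bar: these links are placeholders and can be replaced with real routes later -->
<nav><a href="#">Início</a><a href="#">Serviços</a><a href="https://example.invalid/ajuda">Ajuda</a></nav>
<form><input name="cpf"><input name="endereco"></form>
<p>Pagamento via PIX: R$ 87,40</p></body></html>"""

# Constructed benign page: real navigation routes and a locally hosted stylesheet.
BENIGN_HTML = """<html><head><link rel="stylesheet" href="/static/site.css"></head>
<body><nav><a href="/sobre">Sobre</a><a href="/contato">Contato</a></nav><p>Bem-vindo</p></body></html>"""
```

A non-empty result is a prompt for analyst review rather than a verdict, since legitimate Brazilian sites also use TailwindCSS and mention PIX; the value lies in several indicators firing together on a page that imitates a government agency.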
