



























The threat actor’s use of generative AI tools can be spotted when inspecting the source code of these phishing pages and by identifying a few design flaws that make certain elements of the page non-clickable. Signs that generative AI tools were used include TailwindCSS styling, overly organized and instructive code comments, staged forms collecting CPF data, and an API system for validating information, all of which will be reviewed in detail below.
DeepSite AI and BlackBox AI consistently utilize TailwindCSS for styling and FontAwesome CSS (hosted on Cloudflare CDN) for icons. Both of these CSS libraries are referenced in the source code of the phishing pages, as shown in the figure below.

Figure 5: Example of the Brazilian government phishing pages HTML source code using the TailwindCSS and FontAwesome libraries.
In the figure below, ThreatLabz used DeepSite AI to replicate the legitimate gov.br website by providing the tool with a link and providing instructions to create a clone. The resulting clone’s source code, displayed on the right side of the figure below, closely mirrors the source code shown in the figure above.

Figure 6: Example of HTML code generated by DeepSite AI.
The phishing pages and the legitimate website are similar in appearance. However, the phishing pages include non-functional user interface (UI) elements that are typically not included in legitimate, working websites.
The figure below compares a legitimate login page with a phishing page's login prompt, highlighting non-functional UI elements outlined in red boxes.

Figure 7: Comparison of the legitimate Brazilian government website and a phishing page with non-clickable elements.
This lack of functionality for expected interactive elements is a strong indicator of a phishing page, suggesting that the generative AI tool replicated the visual layout without implementing the underlying interactive logic.
Our analysis of the JavaScript files uncovered code comments that appear to be auto-generated by generative AI tools. Informative comments such as, “In a real implementation, this would make an API call,” appear in the code, as demonstrated in the JavaScript sample below:
function performSearch(query) {
console.log('Searching for:', query);
// In a real implementation, this would make an API call
fetch(`/search?q=${encodeURIComponent(query)}`)
.......
}Code comments are frequently included by generative AI tools to explain a function’s purpose, allowing a developer to easily understand and continue further integration. Such comments are not commonly found in phishing kits, where obfuscation and compactness are the primary goals. Furthermore, these comments are also not typically present in professional, production-ready code intended to power legitimate pages.
Similarly, the CSS files of the site include highly structured comments, seemingly designed to function as an easy-to-read template for the developer (i.e., the threat actor).
These highly structured comments can be seen in the CSS example below:
/* Custom CSS for gov.br clone */
....
/* Base styling - Gov.br font stack */
...
/* Half circle element - Gov.br style */
...
/* Gov.br logo styling */
...The phishing pages employ staged data collection and API validation to enhance their appearance of legitimacy, as explained below.
The phishing page mimics the behavior of authentic websites by progressively requesting additional information from the victim in stages. Information such as a victim’s CPF and address is collected and then validated using an API created by the threat actor.. This whole process is designed to deceive the victim because, from the victim’s perspective, a “legitimate” page requested information in a traditional manner and seemingly validated personal details.
Case study 1: State Department of Traffic
The figure below shows the phishing page for Brazil’s Department of Traffic prompting the victim to enter their CPF number and then their residential information.

Figure 8: Example phishing page for Brazil’s Department of Traffic requesting a victim’s CPF and address.
Case study 2: Ministry of Education
The figure below shows the phishing page mimicking Brazil’s Ministry of Education requesting the victim’s CPF number.

Figure 9: Example phishing page for Brazil’s Ministry of Education requesting a victim’s CPF.
After the victim provides their CPF number, address, and additional personal information, the attackers utilize backend API calls to validate the submitted information.
The API domain identified during analysis is registered by the threat actor. The API retrieves data associated with the CPF number and automatically populates the phishing page with information linked to the CPF.
ANALYST NOTE: It is possible that the attackers may have initially acquired CPF numbers and user details through data breaches or by leveraging publicly exposed APIs with an authentication key. This information is then utilized to enhance the credibility of their phishing attempts.
The figure below shows the API’s request and response for fetching CPF number information.

Figure 10: Phishing website API request and response for fetching CPF information, name, date of birth, mother’s name, and gender.
The final stage of these attacks requests a “mandatory registration fee” via Pix, Brazil’s instant payment system. This step mimics standard government procedures, but ultimately aims to extract money from the victim.
Case study 1: State Department of Traffic
The figure below depicts the State Department of Traffic phishing page, prompting the victim to send a R$87.40 (~$16 USD) "registration fee" via Pix.

Figure 11: Example phishing page impersonating Brazil’s State Department requesting payment via Pix.
Case study 2: Ministry of Education
The figure below depicts the phishing page for Brazil’s Ministry of Education asking the victim to make a R$87.40 (~$16 USD) payment via Pix.

Figure 12: Example phishing page impersonating Brazil’s Ministry of Education requesting payment via Pix.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。