LIVE FEED
FIRST LOOK First Look: Y Combinator's Garry Tan Deploys Agentic AI for High-Volume Code Generation // HIGH Phishing-as-a-Service Ring Weaponises Gemini to Clone Government Sites // CRITICAL Session Token Leak in Writer AI Enables Cross-Tenant Account Takeover // MEDIUM CISA Deploys Anthropic LLM to Audit Government Software Attack Surfaces // FIRST LOOK First Look: Tencent Releases Hy3 295B MoE Open-Source Model with 256K Context // FIRST LOOK First Look: NVIDIA and Hugging Face Integrate GR00T 1.7 into LeRobot Open Robotics … // FIRST LOOK First Look: AWS Launches Multi-Turn RL Infrastructure for Amazon Nova on SageMaker … // FIRST LOOK First Look: OfficeCLI Ships Open-Source Microsoft Office Automation Suite for AI Agents // HIGH Indirect Prompt Injections Weaponised to Drain Crypto via AI Agents // HIGH SkillCloak Bypasses AI Agent Skill Scanners with 90%+ Success Rate //
ATLAS OWASP HIGH Significant risk · Prioritise patching RELEVANCE ▲ 7.2

Phishing-as-a-Service Ring Weaponises Gemini to Clone Government Sites

TL;DR HIGH
  • What happened: Chinese group Outsider Enterprise used Gemini to generate 300+ phishing site templates sold via Telegram.
  • Who's at risk: General consumers targeted by SMS phishing campaigns impersonating Google, YouTube, and US government toll services.
  • Act now: Enforce stricter output filtering on LLM APIs for HTML/CSS generation mimicking known brand assets · Implement on-device or carrier-level scam SMS detection layered with AI-generated content signals · Require stepped-up identity verification before granting access to generative AI code/web-page generation features
Phishing-as-a-Service Ring Weaponises Gemini to Clone Government Sites

Overview

Google has filed a lawsuit against Outsider Enterprise, a China-linked cybercriminal operation accused of systematically abusing the Gemini large language model to produce phishing infrastructure at scale. Operating through Telegram, the group sold phishing-as-a-service packages — nearly 300 scam templates — enabling low-skill actors to deploy convincing fake sites for Google, YouTube, and US government services including New York’s E-ZPass toll system. Google partnered with AT&T, Verizon, and T-Mobile to block the downstream smishing campaigns, and credits its on-device scam detection in Google Messages — which reportedly intercepts 10 billion scam texts per month — with blunting some of the operation’s impact.

The lawsuit is one of the first high-profile legal actions directly linking LLM misuse to an organised phishing ecosystem, and signals that AI providers are increasingly willing to pursue civil litigation as a complementary enforcement mechanism.

Technical Analysis

Outsider Enterprise’s workflow illustrates the commoditisation of AI-assisted fraud. The group provided Telegram subscribers with structured prompts and instructional guides for directing Gemini to generate functional HTML/CSS that visually replicates legitimate sites. By abstracting away the technical complexity of cloning web pages, the service democratised credential-harvesting infrastructure for actors with no development background.

The attack chain follows a straightforward pattern:

  1. Prompt crafting — subscribers use pre-written prompt templates to instruct Gemini to produce phishing page markup.
  2. Template distribution — finished pages are shared as ready-to-deploy packages via Telegram channels.
  3. SMS delivery — smishing messages drive victims to hosted clones; carrier networks and Google Messages’ on-device AI detection form the primary defensive layer.

The core challenge for content moderation is intent opacity: a prompt requesting an E-ZPass login page is syntactically identical whether issued by a legitimate developer or a fraudster. Current LLM safety classifiers operate on surface-level content signals and cannot reliably distinguish downstream use context.

Framework Mapping

  • AML.T0051 – LLM Prompt Injection / AML.T0054 – LLM Jailbreak: Attackers crafted prompts to elicit branded phishing page generation, bypassing content policy guardrails.
  • AML.T0047 – ML-Enabled Product or Service: Gemini was monetised as an offensive capability within a crime-as-a-service business model.
  • LLM02 – Insecure Output Handling: Generated HTML was deployed directly as attack infrastructure with no downstream validation.
  • LLM09 – Overreliance: Downstream consumers of the service placed undue trust in AI-generated content without independent verification of legitimacy.

Impact Assessment

The immediate victim pool is broad — any consumer receiving smishing messages impersonating toll agencies, Google services, or YouTube. The systemic impact is more significant: this case demonstrates that generative AI APIs can be operationalised within phishing-as-a-service supply chains, substantially reducing the cost and skill threshold for credential-harvesting campaigns. Carrier-level blocking and on-device detection absorbed a portion of the volume, but the 300-template catalogue suggests significant reach before disruption.

Mitigation & Recommendations

  • AI providers should implement output-layer brand-similarity detection to flag generated content that replicates known high-value targets (e.g., Google, government portals).
  • API access controls should include tiered verification for features that produce deployable web content, especially for new or unverified accounts.
  • Organisations should enrol brand assets in provider abuse reporting programmes to accelerate take-down of impersonating content.
  • End users should treat unsolicited SMS links with suspicion regardless of apparent legitimacy; use official apps or bookmarked URLs for toll and government services.
  • Carriers and platform operators should expand AI-assisted smishing detection pipelines and share threat intelligence across provider boundaries.

References

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.