Attackers are abusing AI-powered development platforms like Lovable, Netlify and Vercel to create and host captcha challenge websites as part of phishing campaigns, according to researchers at Trend Micro.
“Since January, Trend Micro has observed a rise in fake captcha pages hosted on such platforms,” the researchers write.
“These scams pose a dual threat: misleading users while evading automated security systems. ... The phishing campaigns typically begin with spam emails carrying urgent messages such as: ‘Password Reset Required’ or ‘USPS Change of Address Notification,’ which are standard tactics that are a staple of these types of attacks. Clicking the embedded URL directs the target to what appears to be a harmless captcha verification page.”
If a user completes the captcha, they’ll be redirected to a phishing page designed to steal their credentials.
While these AI tools are usually deployed for legitimate purposes, they can be useful for attackers for the following reasons:
- “Ease of deployment: Minimal technical skills are required to set up convincing fake captcha sites. On Lovable, attackers can use vibe coding to generate a fake captcha or phishing page, while Netlify and Vercel make it simple to integrate AI coding assistants in the CI/CD pipeline to churn out fake captcha pages.
- Free hosting: The availability of free tiers lowers the cost of entry for launching phishing operations.
- Legitimate branding: Domains ending in *.vercel[.]app or *.netlify[.]app inherit credibility from the platform’s reputation that the attackers can leverage.”
Employee training can give your organization an important layer of defense against social engineering attacks.
“Educate employees on how to spot captcha-based phishing attempts,” the researchers write. “This includes educating them to verify URLs before interacting with captchas, use password managers (which won’t autofill on phishing sites), and report suspicious pages.”
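One way to act on that advice at the mail gateway, as an added example that is not from Trend Micro or KnowBe4: a Python triage function that flags links hosted on user-deployed vercel.app or netlify.app subdomains when the message carries one of the lures quoted above. The lure keywords, URL wording check and sample email are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Free-tier deployment domains named in the Trend Micro report. Any
# subdomain of these is a user-deployed site, not the platform itself.
FREE_HOSTING_SUFFIXES = ("vercel.app", "netlify.app")

# Subject-line lures quoted in the report (constructed list; extend as needed).
LURE_PATTERNS = re.compile(r"password reset|change of address", re.I)


def refang(url):
    """Turn defanged indicators (hxxp://, [.]) back into parseable URLs."""
    url = re.sub(r"^hxxps?", lambda m: m.group(0).replace("xx", "tt"), url, flags=re.I)
    return url.replace("[.]", ".").replace("(.)", ".")


def hosted_on_free_tier(url):
    """Return the platform suffix if the URL's host is a subdomain of one, else None.
    Matches whole DNS labels, so 'notvercel.app' and 'vercel.app.evil.example'
    are not flagged, and the bare platform domain itself is not flagged either."""
    host = (urlsplit(refang(url)).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    for suffix in FREE_HOSTING_SUFFIXES:
        parts = suffix.split(".")
        if len(labels) > len(parts) and labels[-len(parts):] == parts:
            return suffix
    return None


def triage_email(subject, body):
    """Flag links to free-tier hosting, with reasons, for analyst review.
    Returns a list of (url, platform, reasons) tuples; an empty list means no hit."""
    findings = []
    for url in re.findall(r"(?:https?|hxxps?)://[^\s<>\"']+", body, flags=re.I):
        platform = hosted_on_free_tier(url)
        if platform is None:
            continue
        reasons = [f"link hosted on user-deployed {platform} subdomain"]
        if LURE_PATTERNS.search(subject):
            reasons.append("urgent lure in subject")
        if re.search(r"captcha|verify|human", url, re.I):
            reasons.append("captcha/verification wording in URL")
        findings.append((url, platform, reasons))
    return findings
```

Feeding the findings into a quarantine or SOC ticket rather than an outright block keeps legitimate sites on these platforms reachable while surfacing the combination the report describes.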
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 HRM+ platform to strengthen their security culture and reduce human risk.
Trend Micro has the story.
New-school Security Awareness Training is critical to enabling you and your IT staff to connect with users and help them make the right security decisions all of the time. This isn't a one-and-done deal; continuous training and simulated phishing are both needed to mobilize users as your last line of defense. Request your one-on-one demo of KnowBe4's security awareness training and simulated phishing platform and see how easy it can be!
