Deceptive Tactics to Bypass Security Systems

Since January, Trend Micro has tracked a surge in phishing campaigns using AI-powered platforms (Lovable, Netlify, Vercel) to host fake captcha pages that lead to phishing websites. This ploy misleads users and evades security tools.

Victims are first shown a captcha, lowering suspicion, while automated scanners only detect the challenge page, missing the hidden credential-harvesting redirect.

Attackers exploit the ease of deployment, free hosting, and credible branding of these platforms. Defenders should train employees to recognize captcha-based phishing, adopt layered defenses that follow redirects, and monitor trusted hosting domains for abuse.

Artificial intelligence has revolutionized web development, empowering even novice users to create professional-looking websites.

Tools like Lovable enable anyone to build and host applications with little to no coding knowledge, while Netlify and Vercel position themselves as AI-native development platforms.

However, cybercriminals are increasingly exploiting these services to create and host fake captcha challenge websites, which serve as entry points for sophisticated phishing campaigns.

Since January, Trend Micro has observed a sharp rise in fake captcha pages hosted on Lovable.app, Netlify.app, and Vercel.app.

These scams pose a dual threat: they mislead unsuspecting users and simultaneously evade the automated security systems designed to detect and block phishing sites.

By presenting a routine-looking captcha challenge, attackers lower user suspicion and conceal the true intent of the page.

The Social Engineering Ploy

These phishing campaigns typically begin with spam emails carrying urgent messages such as “Password Reset Required” or “USPS Change of Address Notification,” leveraging familiar templates to lure targets.

Fake captcha page.

When a victim clicks the embedded link, they are directed to what appears to be a harmless captcha verification page. This two-stage ruse functions in two critical ways: delaying suspicion and evading detection.

First, by presenting a captcha challenge, victims assume they are completing a legitimate verification step and are less likely to question the authenticity of the page.

Second, automated scanners crawling the page encounter only the captcha form, not the underlying credential-harvesting mechanism.

As a result, scanners often fail to flag these pages as malicious. Once the captcha is correctly solved, the victim is silently redirected to the real phishing page, where their credentials and other sensitive data are harvested.

Platforms like Lovable, Netlify, and Vercel are designed to simplify development and lower barriers to entry. Unfortunately, the same strengths that empower developers can also be exploited by attackers:

Phishing page after the captcha is solved.
  • Ease of Deployment: Minimal technical skills are required to set up convincing fake captcha sites. On Lovable, attackers can use AI-driven “vibe coding” to generate a fake captcha or phishing page, while Netlify and Vercel make it simple to incorporate AI coding assistants directly into the CI/CD pipeline.
  • Free Hosting: The availability of free tiers lowers the cost of launching phishing operations at scale.
  • Legitimate Branding: Domains ending in *.vercel.app or *.netlify.app inherit credibility from the platform’s reputation, making suspicious links appear trustworthy to victims.

Trend Micro’s analysis of abuse across the three platforms reveals that Vercel hosts the highest number of fake captcha sites, followed closely by Lovable, with Netlify trailing behind.

While Proofpoint previously highlighted Lovable as the primary victim of abuse, Trend Micro data shows that Vercel accounts for the majority of these malicious deployments, reflecting the platform’s popularity and the attackers’ familiarity with it.

Mitigating the Threat

The rise of fake captcha phishing highlights how attackers can weaponize AI-powered website creation platforms. To mitigate this risk, organizations should implement a combination of training, technology, and monitoring:

Number of malicious emails observed by Trend containing links to AI platforms.

First, employee education must emphasize how to spot captcha-based phishing attempts. Employees should be trained to verify URLs before interacting with any captcha and to rely on password managers, which will not autofill on unauthorized sites.

Second, organizations should deploy layered defenses capable of analyzing redirect chains and evaluating outbound connections.

Solutions such as behavior-based AI protection can detect and block domains known for abuse, even if they appear legitimate at first glance.

Third, security teams must monitor trusted hosting domains by setting automated alerts for spikes in subdomain traffic, correlating web logs with threat intelligence feeds, and reporting malicious instances to hosting providers for takedowns.

Finally, a robust email security solution can proactively scan and block suspicious messages, preventing phishing emails from reaching employee inboxes.
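As an added illustration of the second and third mitigations above (this is example code, not Trend Micro's or the article's own tooling): a small Python sweep over constructed proxy log lines that tracks every subdomain of the three platforms separately, flags a spike in hits to one subdomain, and flags any redirect hand-off from a platform subdomain to an outside host, which is the captcha-then-redirect pattern the article describes. The log format, the hostnames in the sample and the spike threshold are all assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Free-tier platforms named in the article; every subdomain inherits the platform's
# branding, so each subdomain is tracked as a separate site.
AI_HOSTING_SUFFIXES = ("vercel.app", "netlify.app", "lovable.app")

# Constructed sample proxy log (not real traffic): timestamp user url status redirect-target
SAMPLE_LOG = """\
2025-02-03T09:00:01Z alice https://docs.example-intranet.local/policy 200 -
2025-02-03T09:02:10Z bob https://captcha-verify-demo.vercel.app/ 200 -
2025-02-03T09:02:41Z bob https://captcha-verify-demo.vercel.app/verify 302 https://login-portal.example-phish.test/
2025-02-03T09:03:05Z carol https://captcha-verify-demo.vercel.app/ 200 -
2025-02-03T09:03:33Z carol https://captcha-verify-demo.vercel.app/verify 302 https://login-portal.example-phish.test/
2025-02-03T09:04:00Z dave https://captcha-verify-demo.vercel.app/ 200 -
2025-02-03T09:10:00Z erin https://team-dashboard.netlify.app/ 200 -
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def platform_host(url):
    """Hostname if url is a subdomain of one of the AI hosting platforms, else None."""
    host = urlparse(url).hostname or ""
    return host if any(host.endswith("." + s) for s in AI_HOSTING_SUFFIXES) else None


def analyze(log_text, spike_threshold=3):
    """Return {host: {"hits", "users", "redirects_to"}} for platform subdomains that either
    reach spike_threshold hits or redirect users off-platform (the captcha-then-redirect hand-off)."""
    hits, users, redirects = Counter(), defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the sweep
        _ts, user, url, status, target = m.groups()
        host = platform_host(url)
        if host is None:
            continue
        hits[host] += 1
        users[host].add(user)
        # A 3xx whose target is not the same platform host is the hand-off to the real phishing page.
        if status.startswith("3") and target != "-" and platform_host(target) != host:
            redirects[host].add(urlparse(target).hostname)
    return {h: {"hits": n, "users": sorted(users[h]), "redirects_to": sorted(redirects[h])}
            for h, n in hits.items() if n >= spike_threshold or redirects[h]}
```

The alert output gives the subdomain, the affected users and the off-platform redirect target, which is what you need to correlate with threat intelligence feeds and to report the instance to the hosting provider.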

As this campaign illustrates, what appears to be a harmless captcha challenge may actually be the gateway to a highly effective phishing trap.

Vigilance and a defense-in-depth strategy are essential to stay ahead of adversaries who leverage AI-powered platforms for malicious purposes.



About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.