“On Lovable, attackers can use vibe coding to generate a fake captcha or phishing page, while Netlify and Vercel make it simple to integrate AI coding assistants in the CI/CD pipeline to churn out fake captcha pages,” said Trend Micro.
Beyond ease of deployment, which requires minimal technical skill, free hosting lowers the cost of launching phishing operations. With domains ending in *.vercel.app or *.netlify.app, attackers also inherit credibility from the platform’s reputation, which they can leverage.
“Unlike traditional phishing pages, the AI-generated ones are a step up in speed and scale rather than using some new technical trick,” said Devroop Dhar, MD and co-founder at Primus Partners. “They can iterate and create brand-looking pages very quickly. Phishing sites used to take time to create, but now can be generated and cloned across many domains in minutes. That increases the volume of attacks and the chance that an employee will see a convincing fake.”