How AI-Native Development Platforms Enable Fake Captcha Pages

AI-powered hosting platforms: A double-edged sword

Platforms like Lovable, Netlify, and Vercel are designed to simplify development and lower barriers to entry. Unfortunately, the same strengths that empower developers can also be exploited by attackers:

• Ease of deployment: Minimal technical skills are required to set up convincing fake captcha sites. On Lovable, attackers can use vibe coding to generate a fake captcha or phishing page, while Netlify and Vercel make it simple to integrate AI coding assistants in the CI/CD pipeline to churn out fake captcha pages.
• Free hosting: The availability of free tiers lowers the cost of entry for launching phishing operations.
• Legitimate branding: Domains ending in *.vercel.app or *.netlify.app inherit credibility from the platform's reputation that the attackers can leverage.

By the numbers

Our analysis of abuse across the three platforms reveals the following distribution of cybercriminal activity:

• Vercel.app - 52 sites
• Netlify.app - 3 sites
• Lovable.app - 43 sites

While Proofpoint previously covered the abuse of AI-driven site builders, their findings emphasized Lovable. Meanwhile, Trend data shows that Vercel, in particular, hosts even more fake captcha pages. While Lovable is more popular for vibe coders, Vercel and Netlify have been around longer, and threat actors might be more familiar with them.

We first observed the abuse of AI-powered web development platforms to host fake captcha pages in January, with activity escalating sharply from February to April. Although the spam volume subsided in the following months, August saw a renewed spike in these types of phishing campaigns.