AI-powered development platforms are being used to host fake CAPTCHA pages that evade detection and deceive users, leading them to phishing websites, researchers have found.
CAPTCHAs, the “I’m not a robot” puzzles verifying real online users, are one of the most common ways to combat the armies of bots online.
However, a fresh report from cybersecurity firm Trend Micro suggests that this particular verification method has now been introduced to AI-powered web development and turned into a phishing enabler.
Researchers say that since January, they’ve tracked a surge in phishing campaigns using AI-powered platforms such as Lovable, Netlify, or Vercel to host fake CAPTCHA pages that lead to phishing websites. These types of ploys mislead users and evade security tools.
“Tools like Lovable enable anyone to build and host applications with little to no coding knowledge, while Netlify and Vercel position themselves as AI-native development platforms,” said Trend Micro in the report.
“However, cybercriminals are increasingly exploiting these services to create and host fake CAPTCHA challenge websites, which serve as entry points for phishing campaigns.”
Typically, the phishing campaigns begin with spam emails carrying urgent messages such as: “Password Reset Required” or “USPS Change of Address Notification.” These standard tactics are a staple of these types of attacks.
After clicking the embedded URL, targeted users see a seemingly harmless CAPTCHA verification page. This makes the victims lower their guard because they are much less likely to think the page is malicious.
The ruse also functions in another way: automated scanners crawling the page encounter only a CAPTCHA, not the underlying credential-harvesting form, reducing the likelihood of the scam being flagged.
Once the CAPTCHA is completed, the victim is redirected to the actual phishing page, where their credentials and other sensitive data can be stolen.
What makes the issue worse is that setting up convincing fake CAPTCHA sites requires minimal technical skills – vibe coding or integrating AI coding assistants are all that’s needed to churn out these pages.
“While these services drive innovation for legitimate developers, they can also provide cybercriminals with the tools to launch phishing attacks at scale, quickly and at minimal cost,” said Trend Micro.
Researchers add that organizations should educate employees to verify URLs before interacting with CAPTCHAs, use password managers without autofill, and simply report suspicious pages.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked