VYPR
Research · Published Sep 19, 2025 · Updated May 20, 2026 · 1 source

Fake CAPTCHA Pages Abusing AI-Native Platforms Vercel, Netlify, and Lovable Surge Since January

Cybercriminals are exploiting AI-native development platforms like Vercel, Netlify, and Lovable to host fake CAPTCHA pages that trick users and evade security scanners, fueling a phishing campaign surge tracked by Trend Micro since January.

Since January, Trend Micro has tracked a sharp rise in phishing campaigns that abuse AI-native development platforms—Vercel, Netlify, and Lovable—to host fake CAPTCHA verification pages. These pages serve as a social engineering gateway, lowering victims' suspicion while bypassing automated security scanners that only see the challenge, not the hidden credential-harvesting redirect.

The attack chain typically begins with a spam email carrying an urgent subject line such as "Password Reset Required" or "USPS Change of Address Notification." Clicking the embedded URL leads to a page that mimics a legitimate CAPTCHA challenge. If the user completes the verification, they are silently redirected to a phishing page designed to steal Microsoft 365 credentials or other sensitive data. If the CAPTCHA is answered incorrectly, the page simply refreshes—no redirect occurs, further evading detection.

Trend Micro's analysis identified 52 malicious sites hosted on Vercel.app, 43 on Lovable.app, and 3 on Netlify.app. While Proofpoint previously highlighted Lovable's abuse, Trend's data shows Vercel hosts even more fake CAPTCHA pages. The researchers note that Vercel and Netlify have been around longer, making them more familiar to threat actors, while Lovable's "vibe coding" appeal attracts a different set of abusers.

The abuse exploits the very features that make these platforms attractive to legitimate developers: ease of deployment (minimal coding required, with AI assistants generating fake pages), free hosting tiers that lower the cost of launching phishing operations, and credible branding from domains like *.vercel.app or *.netlify.app that inherit the platform's reputation.

Activity escalated sharply from February to April, then subsided before spiking again in August. The fake CAPTCHA tactic works because it builds psychological trust—victims assume they are completing a routine step—and because automated crawlers and security tools often fail to follow the redirect to the actual phishing page.

Trend Micro recommends organizations educate employees to verify URLs before interacting with CAPTCHAs, use password managers that won't autofill on phishing sites, and adopt layered defenses that follow redirects. The report underscores how AI-powered development platforms, while driving innovation, also provide cybercriminals with scalable, low-cost infrastructure for phishing at scale.
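One layer of the URL-verification defense the report calls for, as an added example that is not from Trend Micro's report or Vypr's article: a mail-filter helper that extracts links from a message body and flags any hosted under the three free-hosting suffixes named above, so those messages can be routed to a scanner that actually follows redirects rather than trusting the platform's reputation. The sample email, hostnames, `WATCHED_SUFFIXES` list and function names are the example's own constructions.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Free-tier hosting suffixes named in the findings summarised above. Any
# subdomain of these inherits the platform's reputation, so a plain URL
# reputation lookup cannot separate a legitimate deployment from a fake
# CAPTCHA page; these links need redirect-following inspection instead.
WATCHED_SUFFIXES = ("vercel.app", "netlify.app", "lovable.app")

# Matches http(s) URLs up to whitespace or common delimiters in mail bodies.
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)


def hosting_platform(url: str) -> Optional[str]:
    """Return the watched suffix the URL's host sits under, or None.

    The check is label-aligned: 'verify.vercel.app' matches, while the
    lookalikes 'vercel.app.example.net' and 'notvercel.app' do not.
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    for suffix in WATCHED_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def flag_free_hosting_urls(body: str) -> list[tuple[str, str]]:
    """Extract URLs from an email body and return (url, platform) pairs
    for every link hosted on a watched platform, in order of appearance."""
    flagged = []
    for url in URL_RE.findall(body):
        platform = hosting_platform(url)
        if platform:
            flagged.append((url, platform))
    return flagged


# Constructed sample message (hypothetical hosts, not indicators from the report).
SAMPLE_EMAIL = """Subject: Password Reset Required

Your account requires verification. Complete the check here:
https://account-verify-7781.vercel.app/check
Questions? Visit https://www.microsoft.com/ or https://vercel.app.example.net/
Backup link: https://secure-step.lovable.app/?id=1
"""

if __name__ == "__main__":
    for url, platform in flag_free_hosting_urls(SAMPLE_EMAIL):
        print(f"route to redirect-following scanner: {url} (hosted on {platform})")
```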

Synthesized by Vypr AI