Researchers Spot Uptick in Use of Vercel for Phishing Campaigns
Cofense warns that low-skilled threat actors are increasingly abusing Vercel's generative AI platform v0.dev to create convincing phishing pages mimicking brands like Microsoft, Spotify, and Nike.

Security vendor Cofense has reported a significant uptick in phishing campaigns abusing Vercel's generative AI platform v0[.]dev. The platform, designed for legitimate, rapid web application development, is being weaponized by minimally skilled threat actors to create highly convincing malicious sign-in pages that closely mimic well-known brands such as Microsoft, Spotify, Adidas, Ferrari, Louis Vuitton, and Nike. According to Cofense's analysis published on May 6, the ease of use and low cost of Vercel's services have dramatically lowered the barrier to entry for cybercriminals.
Vercel's v0[.]dev tool allows users to generate fully functional web pages through simple natural language text prompts. Threat actors can test various generative AI models for free before purchasing tokens to build their phishing pages. The platform's pro tier, which offers most features, costs just $20 per month. Vercel also provides hosting, eliminating the need for attackers to maintain their own phishing infrastructure. If a malicious site is taken down, the attacker can quickly recreate it using the same prompts, making takedown efforts less effective.
Cofense noted that the generative AI model adapts to user input, improving the quality of the phishing pages with each attempt. "Vercel's Gen AI combines all of the components of a phishing kit purchased on the dark web into a simple interface requiring just a few natural language text prompts which can be done by just one minimally skilled threat actor," the report stated. Integration with services like Telegram, AWS, Stripe, and xAI further expands the capabilities available to attackers.
The phishing campaigns observed by Cofense include fake Microsoft landing pages, Spotify emails, and fraudulent job postings for brands such as Adidas, Ferrari, Louis Vuitton, and Nike. Because the AI-generated pages are virtually flawless in appearance, traditional visual inspection may not reveal their malicious nature. Cofense urged security teams to train users to look for other indicators of phishing, such as unusual sender domains revealed by hovering over the display name, and a sense of urgency designed to socially engineer victims into responding.
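The two indicators Cofense names (a sender domain that does not match the brand in the display name, and urgency language) can also be checked automatically at the mail gateway. The following is an added example, not code from Cofense or Vercel; the brand-to-domain allow-list, the urgency word list, and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: allow-list of domains each brand really sends from,
# maintained by the defender. Brands are taken from the article.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com"},
    "spotify": {"spotify.com"},
    "nike": {"nike.com"},
    "adidas": {"adidas.com"},
}
# Assumption: a small, illustrative set of urgency phrases.
URGENCY = re.compile(r"\b(urgent|immediately|suspended|final notice)\b", re.I)

def domain_allowed(domain, allowed):
    # Exact match or true subdomain; "microsoft.com.evil.example" fails.
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def triage(raw_message):
    """Return a list of phishing indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in display.lower() and not domain_allowed(domain, allowed):
            findings.append(f"display-name-mismatch:{brand}:{domain}")
    body = "" if msg.is_multipart() else msg.get_payload()
    if URGENCY.search(msg.get("Subject", "") + "\n" + body):
        findings.append("urgency-language")
    return findings

# Constructed sample: brand in display name, look-alike sender domain.
PHISH = (
    'From: "Microsoft Account Team" '
    "<security@microsoft.com.account-notice.example>\n"
    "Subject: Action required: account suspended\n\n"
    "Sign in immediately to restore access.\n"
)
# Constructed sample: display name and sender domain agree.
LEGIT = (
    "From: Spotify <no-reply@email.spotify.com>\n"
    "Subject: Your receipt\n\nThanks for your payment.\n"
)

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, triage(raw))
```

A mismatch finding is a triage signal rather than a verdict: brands that send through third-party mail services need those domains added to the allow-list.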
While Vercel abuse has increased significantly, Cofense noted that other legitimate platforms, including DeepSite and BlackBox, are also being exploited by cybercriminals, though they do not offer the same level of branding, hosting, and integration as Vercel. The report highlights a broader trend of threat actors leveraging legitimate generative AI services to streamline their operations, reducing the need for technical expertise and dark web purchases.
To mitigate the threat, Cofense advised organizations to report any malicious sites created on Vercel directly to the company for takedown. The findings underscore the dual-use nature of powerful AI development tools, which can accelerate both innovation and cybercrime. As generative AI platforms become more accessible, security teams must adapt their defenses to detect phishing campaigns that are increasingly sophisticated and difficult to distinguish from legitimate communications.