The Dark Side of Automation: How a Website Builder Became a Phishing Machine
The website automation platform Lovable has found itself at the center of widespread abuse. Researchers from Proofpoint have documented a sharp increase in cases where its features, originally intended for legitimate web projects, were instead exploited for phishing attacks, malware distribution, and data theft. A tool designed to simplify the rapid creation of websites has become a weapon in the hands of cybercriminals, lowering the technical barrier to entry for illicit activity.
Since February, analysts have identified tens of thousands of malicious links hosted through Lovable that were distributed via email. They detailed four major campaigns in which the service played a pivotal role. In the first, attackers leveraged the Tycoon phishing-as-a-service infrastructure.
Victims who clicked on embedded URLs were first presented with a CAPTCHA page, which keeps automated scanners and sandboxes from reaching the payload, before being redirected to a fraudulent Microsoft portal branded with Azure AD or Okta logos. These sites sat between the victim and the real login service as an adversary-in-the-middle (AiTM) proxy, harvesting logins, two-factor authentication codes, and the session cookies issued after a successful sign-in, so that the attacker could reuse an already authenticated session without repeating MFA. During the campaign, hundreds of thousands of emails were sent to over 5,000 organizations.
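The useful defensive consequence of cookie theft is that the stolen cookie is replayed from infrastructure and a browser the victim never used. The following detection is an added example written for this article, not code from Proofpoint or from Lovable; it runs over a constructed sample of authenticated requests (the field names `session`, `ip`, `ua`, `ts` are assumptions about your own log schema) and flags a session whose cookie is presented, within a short window, from both a new IP and a new User-Agent.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of authenticated web requests (not real telemetry).
# One record per request: the session cookie (store a hash, never the raw
# value), the client IP, the User-Agent, and an ISO-8601 timestamp.
SAMPLE_EVENTS = [
    {"session": "c0ffee01", "ip": "203.0.113.10",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/126.0", "ts": "2025-06-01T09:00:00"},
    {"session": "c0ffee01", "ip": "203.0.113.10",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/126.0", "ts": "2025-06-01T09:05:00"},
    # Same cookie two minutes later, from a different network *and* a different browser:
    # the pattern left behind when an AiTM kit replays a captured session.
    {"session": "c0ffee01", "ip": "198.51.100.77",
     "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0", "ts": "2025-06-01T09:07:00"},
    # Benign session: the IP changes (laptop moves networks) but the browser stays the same.
    {"session": "deadbeef", "ip": "192.0.2.5",
     "ua": "Mozilla/5.0 (Macintosh) Safari/605.1", "ts": "2025-06-01T10:00:00"},
    {"session": "deadbeef", "ip": "192.0.2.99",
     "ua": "Mozilla/5.0 (Macintosh) Safari/605.1", "ts": "2025-06-01T10:03:00"},
]


def find_session_replays(events, window_seconds=1800):
    """Return one finding per session whose cookie was presented, within
    window_seconds of the previous request, from both a different IP and a
    different User-Agent. Requiring both to change cuts the noise from mobile
    and VPN users, whose IP changes while the browser fingerprint does not."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)

    findings = []
    for session, reqs in by_session.items():
        reqs.sort(key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically
        for prev, cur in zip(reqs, reqs[1:]):
            gap = datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])
            ip_changed = prev["ip"] != cur["ip"]
            ua_changed = prev["ua"] != cur["ua"]
            if ip_changed and ua_changed and gap.total_seconds() <= window_seconds:
                findings.append({
                    "session": session,
                    "old_ip": prev["ip"],
                    "new_ip": cur["ip"],
                    "old_ua": prev["ua"],
                    "new_ua": cur["ua"],
                    "seconds_apart": int(gap.total_seconds()),
                })
                break  # one finding per session is enough to trigger revocation
    return findings


if __name__ == "__main__":
    for f in find_session_replays(SAMPLE_EVENTS):
        print(f"revoke session {f['session']}: {f['old_ip']} -> {f['new_ip']} "
              f"after {f['seconds_apart']}s with a new User-Agent")
```

The right response to a hit is to revoke the session server-side and require a fresh MFA-bound sign-in; the rule is a trigger for that, not a substitute for phishing-resistant authenticators (FIDO2/passkeys), which are what actually stop a proxy kit from obtaining a usable session in the first place.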
In a second campaign, criminals impersonated UPS, distributing around 3,500 emails that led to fake delivery pages prompting users to enter personal details, banking card numbers, and one-time SMS codes. The stolen data was immediately funneled into a Telegram channel controlled by the attackers.
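Phishing pages built on a static site builder often have no backend of their own, so the kit's JavaScript posts the captured form straight to the Telegram Bot API from the victim's browser, and that request shows up in the victim organization's proxy logs. The following hunt is an added example written for this article, not code from Proofpoint; the log format is a constructed `<time> <client_ip> <method> <url> <status>` layout and the bot tokens are made up, so adapt the line parser to your own proxy's schema.

```python
import re

# Constructed proxy log lines (not real telemetry). Bot tokens are invented.
SAMPLE_PROXY_LOG = """\
2025-06-01T12:00:01Z 10.0.0.15 GET https://www.example.com/track/parcel 200
2025-06-01T12:00:04Z 10.0.0.15 POST https://api.telegram.org/bot1234567890:AAH0x9lq0T1wYhQ2VbMJ5cGkE3nR7pS8dLu/sendMessage 200
2025-06-01T12:00:09Z 10.0.0.22 GET https://web.telegram.org/k/ 200
2025-06-01T12:00:12Z 10.0.0.31 POST https://api.telegram.org/bot9876543210:BBq2z8mN4vX7wP1tR5yL0kJ3hG6fD9sA2cE/sendDocument 200
"""

# Telegram bot tokens have the shape "<numeric bot id>:<secret>". The secret is
# what lets anyone post as that bot, so never copy it whole into an alert.
TELEGRAM_BOT_CALL = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)"
)

# The methods a harvesting page needs in order to deliver stolen input.
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}


def find_telegram_bot_exfil(log_text, allowlisted_bot_ids=frozenset()):
    """Return one finding per proxy log line in which an internal client calls
    a Telegram Bot API 'send*' method. Bots your own tooling legitimately uses
    (monitoring, alerting) go in allowlisted_bot_ids."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # not in the expected layout; skip rather than guess
        ts, client_ip, _http_method, url, _status = parts
        m = TELEGRAM_BOT_CALL.match(url)
        if not m or m["method"] not in EXFIL_METHODS:
            continue
        if m["bot_id"] in allowlisted_bot_ids:
            continue
        findings.append({
            "ts": ts,
            "client_ip": client_ip,
            "bot_id": m["bot_id"],
            "secret_prefix": m["secret"][:4] + "...",  # redacted for the alert
            "method": m["method"],
        })
    return findings


if __name__ == "__main__":
    for f in find_telegram_bot_exfil(SAMPLE_PROXY_LOG):
        print(f"{f['ts']} {f['client_ip']} -> bot {f['bot_id']} ({f['secret_prefix']}) {f['method']}")
```

The rule only fires when the kit posts from the browser; a kit that relays through its own server hides the Telegram hop from the victim side, in which case the indicator to pivot on is the hosting domain of the landing page, which the user's proxy still records. The matched bot ID is worth preserving in the finding because it links otherwise unrelated victims to one operator.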
A third scheme targeted the cryptocurrency sector. Adversaries impersonated the DeFi platform Aave, sending roughly 10,000 messages via SendGrid. Clicking the embedded links brought victims to Lovable-hosted pages that persuaded them to connect their crypto wallets, opening the door to subsequent asset theft.
The fourth campaign involved the delivery of the zgRAT remote access trojan. Attackers distributed RAR archives disguised as invoices, hosted on Dropbox, containing a legitimate signed executable alongside a malicious DLL. Launching the signed executable caused it to load the malicious DLL sitting next to it (DLL sideloading), which ran DOILoader, which in turn deployed zgRAT. Because the process that starts the chain carries a valid signature, controls that trust the signer alone do not stop it.
In response to the escalating abuse, Lovable’s developers introduced real-time monitoring of suspicious sites in July and began daily scans of published pages to block fraudulent projects. Additional safeguards to prevent the creation of criminal accounts are slated for rollout in the fall.
However, testing by Guardio Labs revealed that these defenses remain inadequate. Researchers were able to create a counterfeit site mimicking a major retailer in a matter of minutes without encountering resistance from the platform. As of now, Lovable has not issued a statement regarding the effectiveness of its recently deployed measures.