The Phishing Trap: How AI Tools Are Weaponized for Fake CAPTCHA Scams
Artificial intelligence has made web development accessible to the masses: today, even those without programming skills can build a website or application using AI-powered services. These platforms enable projects to launch with remarkable speed and ease—but that very simplicity has also become a convenient weapon for cybercriminals. Trend Micro has recorded a sharp rise in attacks where such services are exploited to host fake CAPTCHA verification pages, which serve as the opening stage of phishing campaigns.
Attackers lure victims with emails built around standard triggers such as password reset notices or “delivery address changes.” Following the link leads to a page mimicking the familiar “I’m not a robot” check. The tactic works on two fronts: users are less suspicious when performing such a routine action, and automated scanners that fetch the URL without completing the challenge see only the CAPTCHA and never reach the credential-harvesting form concealed behind it. Once the CAPTCHA is solved, the victim is redirected to a phishing page designed to steal passwords and other sensitive data; some of the fraudulent login forms were styled to imitate Microsoft 365.
Investigations revealed that AI development platforms are ideally suited for such abuse. With low-code or no-code tools, attackers can quickly assemble counterfeit pages, and some providers even allow template generation within CI/CD pipelines. Free hosting further reduces costs, while domains ending in .vercel.app and .netlify.app borrow credibility from the platforms’ reputations. According to Trend Micro, activity has been steadily increasing since January, with a pronounced surge from February through April and another spike in August. In total, researchers identified 52 malicious sites on Vercel, 43 on Lovable, and 3 on Netlify. Proofpoint had previously reported similar abuse, focusing primarily on Lovable, but the new data highlights Vercel as the leading vector.
Fake CAPTCHAs are especially attractive to attackers because they create an illusion of standard security checks while simultaneously bypassing detection mechanisms. This combination makes the scheme particularly effective. To reduce risks, experts advise training employees to carefully inspect URLs before interacting with web pages, using password managers that refuse to autofill credentials on unverified sites, and deploying tools capable of analyzing redirect chains to block abused domains.
Equally important is monitoring outbound traffic to project subdomains of trusted hosting platforms, since blocking the platforms outright would also cut off legitimate use, with automated alerts and abuse reports sent to the provider when a malicious site is identified. Organizations should also deploy email filters that inspect suspicious attachments and links before they reach a user’s inbox.
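The two defensive measures above, redirect-chain analysis and monitoring of traffic to platform subdomains, can be prototyped offline. The following Python is an added example written for this article, not Trend Micro’s, Proofpoint’s or any vendor’s tooling: it walks a captured redirect chain without touching the network, scans constructed proxy log lines for un-allowlisted hosts under the platform suffixes, and shows the exact-origin comparison a strict password manager makes before autofilling. The log format, the hostnames (reserved `.test` names and invented project names), the allowlist, the `.lovable.app` suffix and the Microsoft login origin used in the comparison are all assumptions made for the illustration.

```python
"""Offline prototype of the defensive checks discussed above.

Added example for this article, not vendor tooling. The response map,
log lines, hostnames and allowlist are constructed for illustration.
"""
import re
from urllib.parse import urljoin, urlsplit

# Platform suffixes named in the article. ".lovable.app" is an assumption
# about where Lovable-built sites are served.
PLATFORM_SUFFIXES = (".vercel.app", ".netlify.app", ".lovable.app")

# Hypothetical allowlist: project hosts the organisation legitimately uses.
ALLOWED_HOSTS = {"docs-portal.vercel.app", "status-page.netlify.app"}

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 10


def platform_suffix(host):
    """Return the platform suffix a hostname sits under, or None.
    The bare platform domain itself (e.g. 'vercel.app') is not a project site."""
    host = (host or "").lower().rstrip(".")
    for suffix in PLATFORM_SUFFIXES:
        if host.endswith(suffix) and host != suffix.lstrip("."):
            return suffix
    return None


def walk_redirects(start_url, responses, max_hops=MAX_HOPS):
    """Follow Location headers through a captured response map.
    `responses` maps URL -> (status, headers); nothing is fetched live.
    Returns (chain, final): final is the last status, 'loop' if a URL
    repeats, or 'too-many-hops' if max_hops is exceeded."""
    chain, seen, url = [start_url], {start_url}, start_url
    for _ in range(max_hops):
        status, headers = responses.get(url, (None, {}))
        location = headers.get("Location")
        if status not in REDIRECT_CODES or not location:
            return chain, status
        url = urljoin(url, location)  # resolves relative Location values
        chain.append(url)
        if url in seen:
            return chain, "loop"
        seen.add(url)
    return chain, "too-many-hops"


def flagged_hosts(urls, allowed=ALLOWED_HOSTS):
    """Un-allowlisted platform hosts in `urls`, first-seen order, deduplicated."""
    out = []
    for u in urls:
        host = urlsplit(u).hostname
        if platform_suffix(host) and host not in allowed and host not in out:
            out.append(host)
    return out


# Constructed proxy log format: "<timestamp> <user> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")


def scan_proxy_log(lines, allowed=ALLOWED_HOSTS):
    """Group users by each un-allowlisted platform host they contacted."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed lines are skipped, not fatal
        _ts, user, _method, url, _status = m.groups()
        host = urlsplit(url).hostname
        if platform_suffix(host) and host not in allowed:
            hits.setdefault(host, []).append(user)
    return hits


def origin_of(url):
    """scheme://host[:port], the unit a password manager keys credentials on."""
    p = urlsplit(url)
    netloc = p.hostname.lower() if p.hostname else ""
    if p.port:
        netloc += f":{p.port}"
    return f"{p.scheme.lower()}://{netloc}"


def autofill_allowed(saved_origin, page_url):
    """A strict manager fills only on an exact origin match, so a look-alike
    host under a platform suffix never receives the saved credential."""
    return origin_of(saved_origin) == origin_of(page_url)


# Constructed capture: a tracking-link hop into a fake CAPTCHA site.
SAMPLE_RESPONSES = {
    "https://link.tracker.test/r/abc":
        (302, {"Location": "https://secure-verify-8813.vercel.app/"}),
    "https://secure-verify-8813.vercel.app/":
        (302, {"Location": "/captcha"}),
    "https://secure-verify-8813.vercel.app/captcha": (200, {}),
}

# Constructed proxy log lines.
SAMPLE_LOG = [
    "2024-08-12T10:01:02Z alice GET https://docs-portal.vercel.app/ 200",
    "2024-08-12T10:01:09Z bob GET https://secure-verify-8813.vercel.app/captcha 200",
    "2024-08-12T10:01:15Z bob POST https://secure-verify-8813.vercel.app/login 302",
    "2024-08-12T10:02:00Z carol GET https://www.intranet.test/ 200",
    "garbage line",
]

if __name__ == "__main__":
    chain, final = walk_redirects("https://link.tracker.test/r/abc", SAMPLE_RESPONSES)
    print("chain:", " -> ".join(chain), "| final:", final)
    print("flagged in chain:", flagged_hosts(chain))
    print("proxy log hits:", scan_proxy_log(SAMPLE_LOG))
    print("autofill on fake site:", autofill_allowed(
        "https://login.microsoftonline.com",
        "https://secure-verify-8813.vercel.app/login"))
```

The redirect walker deliberately works from a captured response map rather than live requests, so it can be run against proxy or sandbox captures without re-touching attacker infrastructure; the hop cap and loop detection keep a hostile chain from running the analysis indefinitely. The allowlist is what makes per-host monitoring practical: legitimate project subdomains are known in advance, and anything else under the platform suffix is worth an alert and, once confirmed, an abuse report to the provider.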
The growing wave of fake CAPTCHA pages demonstrates just how easily generative platforms can be twisted into instruments of cybercrime. What appears to be a harmless verification step can, in reality, conceal a highly effective phishing mechanism—one that exploits the very technologies designed to empower legitimate developers.