AI website builder Lovable increasingly abused for malicious activity

Cybercriminals are increasingly abusing the AI-powered Lovable website creation and hosting platform to generate phishing pages, malware-dropping portals, and various fraudulent websites.

The malicious sites created through the platform impersonate large and recognizable brands, and feature traffic filtering systems like CAPTCHA to keep bots out.

While Lovable has taken steps to better protect its platform from abuse, as AI-powered site generators increase in number, the barrier to entering cybercrime continues to drop.

CAPTCHA on a Lovable site

In a report today, the researchers describe four malicious campaigns that abused the Lovable AI website builder.

One example is a large-scale operation that relied on the phishing-as-a-service platform known as Tycoon. Emails contained Lovable-hosted links that opened with a CAPTCHA and then redirected users to fake Microsoft login pages featuring Azure AD or Okta branding.

These sites harvested user credentials, multi-factor authentication (MFA) tokens, and session cookies through adversary-in-the-middle techniques. During the campaigns, the threat actor sent hundreds of thousands of messages to 5,000 organizations.
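The campaign described above hinges on a recognisable pattern: a link in the message points at a site-builder hosting domain whose hostname borrows a brand name the page lists (Microsoft, Azure AD, Okta, UPS). The following is an added triage example written for this article, not code from the report or from Lovable. It assumes a hosting suffix of `lovable.app` (the article does not name the hosting domain, so treat it as a placeholder to be replaced with the domains you actually see), and the sample email, the `BUILDER_SUFFIXES`/`BRAND_TOKENS` lists and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# ASSUMPTION: hosting suffixes used by AI site builders. The article names Lovable but
# not its hosting domain; "lovable.app" is an illustrative placeholder for this example.
BUILDER_SUFFIXES = ("lovable.app",)

# Brands the article says were impersonated, plus generic login words. Matching is done on
# whole hostname labels (split on "." and "-") to avoid substring false positives such as
# "ups" inside "groups".
BRAND_TOKENS = ("microsoft", "azure", "okta", "ups", "login", "signin")

# Simple URL extractor for plain-text email bodies (stops at whitespace and quote chars).
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(text):
    """Return every http(s) URL found in a message body, in order of appearance."""
    return URL_RE.findall(text)


def host_labels(host):
    """Split a hostname into its dot- and hyphen-separated labels."""
    return [label for label in re.split(r"[.-]", host) if label]


def classify_url(url):
    """Score one URL: builder-hosted AND brand-styled hostname -> high, builder-hosted
    alone -> medium, otherwise low. Returns a dict so callers can log every field."""
    host = (urlparse(url).hostname or "").lower()
    on_builder = any(host == s or host.endswith("." + s) for s in BUILDER_SUFFIXES)
    labels = set(host_labels(host))
    brand_hits = [t for t in BRAND_TOKENS if t in labels]
    if on_builder and brand_hits:
        verdict = "high"
    elif on_builder:
        verdict = "medium"
    else:
        verdict = "low"
    return {
        "url": url,
        "host": host,
        "builder_hosted": on_builder,
        "brand_tokens": brand_hits,
        "verdict": verdict,
    }


def triage_email(body):
    """Classify every link in a message body; the highest verdict drives the alert."""
    return [classify_url(u) for u in extract_urls(body)]


# Constructed sample message (not taken from the article or any real campaign).
SAMPLE_EMAIL = """Subject: Action required on your account
Please verify your sign-in here: https://microsoft-login-secure.lovable.app/verify
Track a parcel: https://www.example.com/track
"""

if __name__ == "__main__":
    for result in triage_email(SAMPLE_EMAIL):
        print(f'{result["verdict"]:6} {result["host"]:40} tokens={result["brand_tokens"]}')
```

In a mail gateway or SOAR playbook the "high" verdict is the one worth an automatic quarantine; "medium" (builder-hosted, no brand label) is better suited to a lower-priority review queue, since legitimate prototypes are also hosted on these platforms. The CAPTCHA gate mentioned in the article means URL sandboxes will often see only the challenge page, so hostname-based triage like this runs before any detonation step.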

Phishing site targeting Microsoft accounts
Fake UPS site hosted on Lovable
Lovable-hosted redirect

generated a fraudulent site to impersonate a large retailer and encountered no objection from the platform.

BleepingComputer has contacted Lovable to ask about the effectiveness of the existing anti-abuse measures on the platform, but a comment wasn’t immediately available.

Bill Toulas

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
