Vercel AI Tools Abused to Create Realistic Phishing Sites
Key Takeaways
- A surge in phishing attacks is leveraging Vercel’s AI-powered web development platform to create highly convincing fake login pages.
- The platform’s GenAI tool, v0.dev, allows attackers to generate realistic web pages from simple text prompts, significantly lowering the technical barrier for launching sophisticated phishing campaigns.
- Cybersecurity firm Cofense has observed a sharp increase in Vercel-based phishing since 2022, with the trend continuing into 2025.
- The ease of use, low cost, and automation provided by Vercel, including integration with Telegram for real-time credential theft, make it a potent tool for threat actors.
- Traditional security awareness training focusing on typos is outdated; users must now meticulously verify URLs, and organizations should monitor Vercel subdomains and report malicious sites.
A disturbing trend in cybercrime reveals that threat actors are increasingly exploiting Vercel, an advanced AI-driven web development platform, to streamline sophisticated credential theft operations. Attackers are leveraging Vercel’s robust capabilities to rapidly construct highly deceptive fake login pages that meticulously mimic legitimate websites, as detailed in a recent analytical report.
This accessible and cost-effective methodology has dramatically expanded the pool of potential attackers, enabling individuals with limited technical expertise to execute highly effective phishing campaigns previously only achievable by more skilled operators.
Vercel’s generative AI tool, v0.dev, is at the core of this exploitation. This tool can produce fully functional web pages from straightforward text commands. For instance, a threat actor can simply input “create a Microsoft sign-in page with official logos and colors,” and the AI will generate a functional replica within moments.
The implications are significant: individuals lacking deep technical knowledge can now readily deploy phishing campaigns that appear almost indistinguishable from authentic corporate login interfaces.
Cofense, a cybersecurity firm specializing in phishing defense, has actively tracked a substantial increase in Vercel-based phishing campaigns since 2022. Their analysts have noted the platform’s deployment across a spectrum of attacks, varying in skill and complexity. Data indicates a persistent upward trajectory in Vercel abuse, showing no signs of abatement as of 2025.
The gravity of this threat stems from its ability to effortlessly supplant conventional phishing infrastructure. Historically, threat actors were burdened with establishing their own hosting servers, procuring phishing kits from illicit online marketplaces, and managing complex backend systems. Vercel consolidates these disparate tasks, handling hosting, deployment, and page generation within a single integrated environment.
The ramifications extend beyond individual users, posing a significant risk to organizations of all sizes. Attackers are actively spoofing prominent brands that employees routinely interact with, including major entities like Microsoft, Spotify, and various popular job platforms.
Vercel Enables Mass Phishing
Vercel’s GenAI tool introduces an unprecedented level of automation to phishing operations. Each prompt submitted to the AI generates a slightly varied output, allowing threat actors to continuously produce new versions of phishing pages without needing to craft entirely new prompts. If a malicious site is detected and taken down, a fresh one can be generated with minimal effort.
Furthermore, integration with Telegram through the Telegram Bot API allows attackers to receive real-time notifications when victims submit credentials. The Telegram bot monitors the Vercel-hosted page and transmits stolen login information directly to the attacker’s account. This combination transforms what was once a multi-tool, technically demanding process into an almost fully automated operation.
Cofense analysts have documented specific campaigns where attackers impersonated hiring managers for globally recognized brands such as Adidas, Nike, Ferrari, and Louis Vuitton. These sophisticated phishing emails mimicked legitimate job offers and interview invitations, directing victims to fabricated career pages that subsequently led to fraudulent Facebook or Google login portals. All these deceptive pages were meticulously constructed using Vercel’s GenAI product.

In one particularly convincing incident, attackers engineered a Spotify login page that perfectly replicated the authentic site’s logos, color scheme, and layout.

Upon victims submitting their credentials, the fraudulent page not only forwarded the stolen information to the attacker but also redirected users to a secondary page requesting credit card details, maximizing the potential for financial fraud.
What You Should Do
- Verify URLs Meticulously: Always inspect the full URL in the browser’s address bar before entering any login credentials. Even a pixel-perfect replica cannot mask a fraudulent domain. Look for subtle misspellings or unexpected subdomains.
- Update Security Awareness Training: Traditional advice about spotting typos and formatting errors is largely obsolete. Training should emphasize URL verification, the dangers of unexpected login prompts, and the importance of directly navigating to official websites.
- Implement Multi-Factor Authentication (MFA): MFA adds a critical layer of security, making it significantly harder for attackers to gain access even if they steal credentials.
- Monitor for Vercel Subdomains: Security teams should configure email gateways and network monitoring tools to flag or block inbound links containing “vercel.app” subdomains, as these are common indicators of hosted phishing pages.
- Report Malicious Sites: Users and organizations should promptly report any suspected malicious Vercel-hosted sites directly to Vercel for swift takedown.
- Stay Informed: Continuously update threat intelligence and ensure staff are educated on the latest phishing techniques and emerging attack patterns.
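As an added illustration of the "Monitor for Vercel Subdomains" item (example code written for this page, not taken from Cofense or Vercel), the sketch below parses an inbound HTML email and flags links whose host is `vercel.app` or a subdomain of it. The brand list, the finding fields, and the sample message with its hostnames are assumptions constructed for the example.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

HOSTING_SUFFIX = "vercel.app"  # domain named in the article
BRANDS = ("microsoft", "spotify", "facebook", "google")  # brands the article lists
# Constructed sample message; every hostname below is made up for this example.
SAMPLE = """\
Subject: Interview invitation
Content-Type: text/html; charset=utf-8

<a href="https://spotify-login-example.vercel.app/auth">Open Spotify</a>
<a href="https://vercel.app.example.net/x">vercel.app.example.net</a>
<a href="https://team-demo-example.vercel.app/">team-demo-example.vercel.app</a>
"""

class LinkCollector(HTMLParser):  # collects (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def vercel_host(url):
    # Match on the parsed hostname so "vercel.app.example.net" is not a hit.
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host if host == HOSTING_SUFFIX or host.endswith("." + HOSTING_SUFFIX) else None

def scan_email(raw):
    """Return one finding per HTML link that points at vercel.app or a subdomain."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() != "text/html":
            continue
        collector = LinkCollector()
        collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
        for href, text in collector.links:
            host = vercel_host(href)
            if host:
                findings.append({"host": host, "brands": [b for b in BRANDS if b in host],
                                 "text_hides_host": host not in text.lower()})
    return findings
```

Legitimate projects also deploy to `vercel.app`, so the `brands` and `text_hides_host` fields are there to help a gateway or analyst prioritize hits rather than treat every match the same way.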
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.


