Cybercriminals Abuse Vibe Coding Service to Create Malicious Sites – Source: www.proofpoint.com

3 Min Read

Source: Alon Harel, via Alamy Stock Photo

Cybercriminals are increasingly abusing vibe coding startup Lovable to quickly create malicious websites for phishing attacks, crypto scams, and other threats.

Lovable, based in Stockholm, Sweden, launched its generative AI-powered vibe coding platform in late 2024 to help users easily build applications and websites. The startup has become a rising star in the AI-generated coding space; just last month, Lovable announced a $200 million investment round and a valuation of $1.8 billion.

But in the short amount of time since its launch, Lovable has also become a preferred tool for many cybercriminals. Proofpoint researchers say they have observed “tens of thousands of Lovable URLs” in detections for malicious activity since February.

“Proofpoint has observed numerous campaigns leveraging Lovable services to distribute multifactor authentication (MFA) phishing kits like Tycoon, malware such as cryptocurrency wallet drainers or malware loaders, and phishing kits targeting credit card and personal information,” Proofpoint researchers wrote in a blog post published Wednesday.

Proofpoint’s research is the latest evidence of threat actors embracing large language models (LLMs) and other AI tools to craft more effective attacks. The researchers said that while they have thus far observed “little impact” from LLM-created scripts and emails, some tools can lower the barrier of entry into cybercrime; in the case of Lovable, low-skill attackers can use the service to create convincing and effective websites in a matter of minutes.

Related:Bridgestone Americas Confirms Cyberattack

AI-Powered Phishing, Malware, and Crypto Scams

Proofpoint researchers detailed several campaigns that used Lovable to generate malicious websites. One was a massive campaign featuring hundreds of thousands of messages that used file sharing themes for credential phishing attacks. The messages, which affected more than 5,000 organizations, featured Lovable URLs that presented captcha challenges that, if solved, sent users to a fake Microsoft authentication page.

According to the Proofpoint blog, the fake authentication portals presented as the user’s organization Azure Active Directory or Okta branding and harvest credentials, MFA tokens, and session cookies by using an adversary-in-the-middle (AiTM) technique, combined with by the Tycoon phishing-as-a-service (PhaaS) platform. 

Another campaign observed in June impersonated United Parcel Service and featured 3,500 messages designed to harvest payment and personal data. The lures, based on typical shipping and logistics notification themes, were sent through Zoho Forms and included Lovable URLs that mimicked the widely known shipping company.

Related:Blast Radius of Salesloft Drift Attacks Remains Uncertain

“The website impersonated UPS, which included functionality to collect personal information and credit card details, including SMS code harvesting. It then posted the stolen details to a Telegram channel,” Proofpoint researchers wrote, adding that the malicious site was based on the “ups-flow-harvester” project on Lovable. 

Proofpoint said it reported the threat campaigns to Lovable, which then “matched them with a cluster of credential phishing previously discovered by Lovable’s Trust and Safety team, as well as novel malicious sites.” According to the research team, a credential phishing cluster with hundreds of domains was taken down by Lovable the same week.

Additionally, Lovable this week unveiled several new security protections designed to prevent fraud and abuse. They include Security Checker 2.0, which the company called “a major upgrade to our security review capability,” and an AI-powered platform safety program that blocks approximately 1,000 malicious projects each day.

In a lengthy statement to Dark Reading, a Lovable spokesperson said the company responded to Proofpoint’s research and said it’s taken several actions, including the AI-powered platform safety program, to reduce malicious activity.

Related:Iran MOIS Phishes 50+ Embassies, Ministries, Int’l Orgs

“Lovable has been investing significant resources into enhancing trust and safety on the platform. As any platform that offers hosting and development capabilities, we are dealing with a certain number of malicious actors that find opportunities to use technology for harming others,” the spokesperson said. “Our message is clear: Lovable will not tolerate illegal or malicious content. We’re committed to making Lovable a safe, trusted space for everyone.”

About the Author