Researchers Spot Uptick in Use of Vercel for Phishing Campaigns

Low-skilled threat actors are abusing legitimate generative AI (Gen AI) platforms in growing numbers to create highly convincing phishing campaigns, Cofense has warned.

The security vendor said that it has observed a number of campaigns based around v0[.]dev, a powerful Gen AI tool provided by web application development specialist Vercel.

“This AI tool is the driving force behind the malicious sign-in pages created by attackers. With just a few text prompts v0[.]dev can create a fully functioning malicious site that completely resembles real-life brands,” it explained in an article published on 6 May.

“Although Vercel has created a genuinely useful and innovative platform, threat actors are taking advantage of the platform and are abusing it for malicious gain.”

There are several reasons why “minimally skilled” threat actors are turning to platforms like Vercel, according to the report.

The most obvious is that they’re remarkably simple to use. Users can apparently test Vercel’s various Gen AI models for free, before purchasing “tokens” to actually build their phishing pages.

Cofense said that Vercel's pro tier offers most features for a minimum cost of $20 per month.

Vercel also provides hosting so threat actors don’t have to pay for their own phishing infrastructure, and if a site gets taken down it’s easy to start again.

“The Gen AI model adapts with the user’s input, creating better web pages with each attempt. With everything in Vercel being hosted in the cloud, creating and tearing down content is much easier,” Cofense claimed.

“Vercel’s Gen AI combines all of the components of a phishing kit purchased on the dark web into a simple interface requiring just a few natural language text prompts which can be done by just one minimally skilled threat actor.”

Integrations with Telegram, AWS, Stripe and xAI provide useful options for would-be threat actors.

Cofense stressed that, while Vercel abuse “has increased significantly over time,” other legitimate platforms are also being used by cybercriminals. These include DeepSite and BlackBox – although they don’t provide the same level of branding, hosting, and integration as Vercel, Cofense claimed.

Pushing Back Against a Surge in Phishing

Cofense claimed to have observed a variety of phishing campaigns that used Vercel Gen AI tools, including Microsoft landing pages, Spotify emails and fake job postings for the likes of Adidas, Ferrari, Louis Vuitton and Nike.

Given that the pages themselves are virtually flawless, Cofense urged security teams to push users to look for other signs that they may be malicious.

Hovering over the display name might reveal an unusual sender domain, for example. Phishing emails usually also try to socially engineer victims into responding by creating a sense of urgency.
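Both signals, a display name that does not match the sender domain and urgency wording, can also be checked automatically during mail triage. The following Python is an added example, not code from Cofense or the article; the brand allow-list, the urgency phrases and the two sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list: brand keyword -> domains that brand is expected to send from.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com"},
    "spotify": {"spotify.com"},
    "nike": {"nike.com"},
}
# Assumed urgency phrases; tune these against your own mail corpus.
URGENCY = re.compile(
    r"\b(urgent|immediately|within 24 hours|account (will be )?suspended|final notice)\b", re.I)

# Constructed sample messages (not taken from any real campaign).
SAMPLE_SUSPECT = (
    'From: "Microsoft Account Team" <security@login-alerts.example>\n'
    "Subject: Urgent: verify your sign-in\n"
    "\n"
    "Your account will be suspended unless you sign in immediately.\n"
)
SAMPLE_BENIGN = (
    'From: "Spotify" <no-reply@spotify.com>\n'
    "Subject: Your weekly playlist\n"
    "\n"
    "New music picked for you.\n"
)

def domain_matches(domain, allowed):
    # Exact match or true subdomain only, so "nike.com.evil.example" does not pass.
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def triage(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in display.lower() and not domain_matches(domain, allowed):
            findings.append(f"display name claims {brand!r} but sender domain is {domain!r}")
    body = "" if msg.is_multipart() else msg.get_payload()
    m = URGENCY.search(f"{msg.get('Subject', '')}\n{body}")
    if m:
        findings.append(f"urgency wording: {m.group(0)!r}")
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_SUSPECT), triage(SAMPLE_BENIGN))
```

A finding is a prompt for closer review, not a verdict: legitimate senders use third-party mail services, so the allow-list needs maintaining.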

Cofense also urged organizations to report any malicious sites created in Vercel directly to the firm for takedown.
