Trend Micro researchers have seen a surge in phishing campaigns in which AI development platforms (including **Lovable, Netlify, Vercel**) are used to host **fake CAPTCHA pages**. Such pages mislead users, reduce vigilance, and at the same time avoid triggering automatic security scanners.

A typical scenario begins with a spam email carrying an urgent message, such as *Password Reset Required* or *USPS Change of Address Notification*. Clicking the link takes the victim to a supposedly secure “I’m not a robot” verification page.
After passing the “verification,” the user is redirected to the actual phishing form, where credentials and other sensitive information are collected.
To antivirus products and scanners, the first page looks safe (only the CAPTCHA is displayed), so the likelihood of blocking is reduced.
Setting up such fake CAPTCHAs requires minimal skill: “vibe coding” with AI assistants is enough to quickly stamp out pages on popular hosting platforms.
Trend Micro emphasizes that services that legitimately stimulate innovation for lawful developers at the same time provide scale and low cost for cybercriminals.


What organizations and users should do:
Check URLs before interacting with any CAPTCHA;
Use password managers without autofill on unfamiliar sites;
Report suspicious pages and train employees to recognize such chains.

CAPTCHA is a basic “human or bot” check and one of the most widespread barriers against automated abuse. AI-native platforms have simplified the creation and hosting of web pages without deep coding, and that is what phishers exploit: Lovable allows you to quickly build and publish applications, while Netlify and Vercel are positioned as platforms for modern (including AI-enhanced) development. Since January, researchers have been tracking a series of campaigns in which these services are used as a starting “showcase” with a fake CAPTCHA.
Fake CAPTCHAs hosted on “AI-dev” platforms have become a new entry point for phishing: they simultaneously dull the user’s attention and mask artifacts from scanners. Companies need link verification procedures, password manager policies, training and reporting, and hosting providers need proactive abuse filters and rapid moderation. Users should treat CAPTCHA as a neutral screen, not a security marker: trust only the domain, not the “checkmark”.
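
One way to put the "link verification" advice into a mail-triage step, as an added example that is not from Trend Micro or the article: it flags links whose real host is a project subdomain on one of the named platforms and escalates when the subject matches the quoted lures. The domain suffixes, lure phrases, allowlisted host, sample messages and function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: default publish domains of the platforms named in the article.
PLATFORM_SUFFIXES = {"lovable.app": "Lovable", "netlify.app": "Netlify",
                     "vercel.app": "Vercel"}
# Lure phrases modeled on the two subjects quoted in the article.
LURE_PHRASES = ("password reset", "change of address")
# Hypothetical allowlist: projects your own teams publish on these platforms.
OWN_PROJECT_HOSTS = {"status-acme.netlify.app"}


def platform_of(url):
    """Return the platform name if the URL's real host is a project subdomain."""
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:  # malformed URL, nothing to classify
        return None
    if host in OWN_PROJECT_HOSTS:
        return None
    for suffix, name in PLATFORM_SUFFIXES.items():
        # Match only the end of the host, on a label boundary, so that
        # "vercel.app.example.com" and "notvercel.app" do not match.
        if host.endswith("." + suffix):
            return name
    return None


def triage(subject, urls):
    """Classify one message as 'pass', 'review' or 'quarantine'."""
    platforms = sorted({p for p in map(platform_of, urls) if p})
    if not platforms:
        return "pass", []
    lure = any(phrase in subject.lower() for phrase in LURE_PHRASES)
    return ("quarantine" if lure else "review"), platforms


# Constructed sample messages (subjects from the article, hosts invented).
SAMPLES = [
    ("Password Reset Required", ["https://verify-login-7f3.vercel.app/check"]),
    ("USPS Change of Address Notification", ["https://usps-notice.lovable.app/"]),
    ("Sprint demo build", ["https://demo-preview.netlify.app/"]),
    ("Service status", ["https://status-acme.netlify.app/"]),
]

if __name__ == "__main__":
    for subject, urls in SAMPLES:
        print(triage(subject, urls), subject)
```

A "review" verdict is deliberately not a block: legitimate projects live on the same domains, so the allowlist and the lure match are what separate routine previews from the chain described above.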