AI website builder Lovable increasingly abused for malicious activity
Cybercriminals are increasingly abusing the AI-powered Lovable website creation and hosting platform to generate phishing pages, malware-dropping portals, and various fraudulent websites.
The malicious sites created through the platform impersonate large and recognizable brands, and feature traffic filtering systems like CAPTCHA to keep bots out.
While Lovable has taken steps to better protect its platform from abuse, as AI-powered site generators increase in number, the barrier to entering cybercrime continues to drop.
Lovable-powered campaigns
Since February, cybersecurity company Proofpoint "observed tens of thousands of Lovable URLs" that were delivered in email messages and were flagged as threats.
In a report today, the researchers describe four malicious campaigns that abused the Lovable AI website builder.
One example is a large-scale operation that relied on the phishing-as-a-service platform known as Tycoon. Emails contained Lovable-hosted links that opened with a CAPTCHA and then redirected users to fake Microsoft login pages featuring Azure AD or Okta branding.
These sites harvested user credentials, multi-factor authentication (MFA) tokens, and session cookies through adversary-in-the-middle techniques. During the campaigns, the threat actor sent hundreds of thousands of messages to 5,000 organizations.
A second example was a payment and data theft campaign that impersonated UPS, sending nearly 3,500 phishing emails with links that directed victims to phishing sites.
The sites asked visitors to enter personal details, credit card numbers, and SMS codes, which were then sent to a Telegram channel controlled by the attacker.
The third is a cryptocurrency theft campaign that impersonated the DeFi platform Aave, sending out close to 10,000 emails via SendGrid.
Targeted users were led to Lovable-generated redirects and phishing pages designed to trick them into connecting their wallets, likely followed by asset drainage.
The fourth case concerns a malware delivery campaign distributing the remote access trojan zgRAT.
Emails contained links that led to Lovable apps posing as invoice portals, which delivered RAR archives hosted on Dropbox.
The files included a legitimate signed executable alongside a trojanized DLL that launched DOILoader, ultimately loading zgRAT.
Responding to the abuse
Lovable introduced real-time detection of malicious site creation in July, and also automatically scans published projects daily to spot and delete any fraud attempts.
The developer also stated that it plans to introduce additional protections this fall, which would proactively identify and block abusive accounts on the platform.
Guardio Labs confirmed to BleepingComputer that Lovable can still be used to create malicious sites. In a recent test, the researchers generated a fraudulent site to impersonate a large retailer and encountered no objection from the platform.
BleepingComputer has contacted Lovable to ask about the effectiveness of the existing anti-abuse measures on the platform, but a comment wasn’t immediately available.
