{"id":12793,"date":"2025-08-21T20:11:45","date_gmt":"2025-08-21T20:11:45","guid":{"rendered":"https:\/\/usaontheweb.com\/clone1\/ai-website-builder-lovable-increasingly-abused-for-malicious-activity\/"},"modified":"2025-08-21T20:11:45","modified_gmt":"2025-08-21T20:11:45","slug":"ai-website-builder-lovable-increasingly-abused-for-malicious-activity","status":"publish","type":"post","link":"https:\/\/usaontheweb.com\/clone1\/ai-website-builder-lovable-increasingly-abused-for-malicious-activity\/","title":{"rendered":"AI website builder Lovable increasingly abused for malicious activity"},"content":{"rendered":"
\n

\"AI<\/p>\n

Cybercriminals are increasingly abusing the AI-powered Lovable website creation and hosting platform to generate phishing pages, malware-dropping portals, and various fraudulent websites.<\/p>\n

The malicious sites created through the platform impersonate large and recognizable brands, and feature traffic filtering systems like CAPTCHA to keep bots out.<\/p>\n

While Lovable has taken steps to better protect its platform from abuse, as AI-powered site generators increase in number, the barrier to entering cybercrime continues to drop.<\/p>\n

\n
\"CAPTCHA
CAPTCHA on a Lovable site<\/strong>
Source: Proofpoint<\/em><\/figcaption><\/figure>\n<\/div>\n

Lovable-powered campaigns<\/h2>\n

Since February, cybersecurity company Proofpoint “observed tens of thousands of Lovable URLs” that were delivered in email messages and were flagged as threats.<\/p>\n

In a report today, the researchers describe four malicious campaigns that abused the Lovable AI website builder.<\/p>\n

One example is a large-scale operation that relied on the phishing-as-a-service platform known as\u00a0Tycoon.\u00a0Emails contained Lovable-hosted links that opened with a CAPTCHA and then redirected users to fake Microsoft login pages featuring Azure AD or Okta branding.<\/p>\n

These sites harvested user credentials, multi-factor authentication (MFA) tokens, and session cookies through adversary-in-the-middle techniques. During the campaigns, the threat actor sent hundreds of thousands of messages to 5,000 organizations.<\/p>\n

\n
\"Phishing
Phishing site targeting Microsoft accounts<\/strong>
Source: Proofpoint<\/em><\/figcaption><\/figure>\n<\/div>\n

A second example was\u00a0a payment and data theft campaign that impersonated UPS, sending nearly 3,500 phishing emails with links that directed victims to phishing sites.<\/p>\n

The sites asked visitors to enter personal details, credit card numbers, and SMS codes, which were then sent to a Telegram channel controlled by the attacker.<\/p>\n

\n
\"Fake
Fake UPS site hosted on Lovable<\/strong>
Source: Proofpoint<\/em><\/figcaption><\/figure>\n<\/div>\n

The third is a cryptocurrency theft campaign that impersonated the DeFi platform Aave, sending out close to 10,000 emails via SendGrid.<\/p>\n

Targeted users\u00a0were led to Lovable-generated redirects and phishing pages designed to trick them into connecting their wallets, likely followed by asset drainage.<\/p>\n

\n
\"Lovable-hosted
Lovable-hosted redirect<\/strong>
Source: Proofpoint<\/em><\/figcaption><\/figure>\n<\/div>\n

The fourth case concerns a malware delivery campaign distributing the remote access trojan zgRAT.<\/p>\n

Emails contained links that led to Lovable apps posing as invoice portals, which delivered RAR archives hosted on Dropbox.<\/p>\n

The files included a legitimate signed executable alongside a trojanized DLL that launched DOILoader, ultimately loading zgRAT.<\/p>\n

Responding to the abuse<\/h2>\n

Lovable introduced real-time detection of malicious site creation in July, and also automatically scans published projects daily to spot and delete any fraud attempts.<\/p>\n

The developer also stated that it plans to introduce additional protections this fall, which would proactively\u00a0identify and block abusive accounts on the platform.<\/p>\n

Guardio Labs confirmed to BleepingComputer that Lovable can still be used to create malicious sites. In a recent test, the researchers generated a fraudulent site to impersonate a large retailer and encountered no objection from the platform.<\/p>\n

In a statement to BleepingComputer, Lovable says that their current strategy is to detect, prevent, and respond to cybercriminal efforts to create malicious apps or sites before they reach a wide audience.<\/p>\n

The company said that it implemented an AI-powered safety program to help with enforcing policies, block projects that violate policies.<\/p>\n

“Our support and safety team is always on watch. In the past two weeks alone, they\u2019ve taken down over 300 sites that violated our policies,” the company told BleepingComputer.<\/p>\n

A Lovable representative also said that the current system blocks around 1,000 unique projects that violate the platform’s rules, and that “Lovable will not tolerate illegal or malicious content.”<\/p>\n

Update [August 21]:<\/strong> We included a statement Lovable sent to BleepingComputer.<\/em><\/p>\n

\n

\n \"Picus\n <\/p>\n<\/div><\/div>\n","protected":false},"excerpt":{"rendered":"

Cybercriminals are increasingly abusing the AI-powered Lovable website creation and hosting platform to generate phishing pages, malware-dropping portals, and various<\/p>\n","protected":false},"author":7282,"featured_media":12794,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1166],"tags":[],"class_list":["post-12793","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-website"],"_links":{"self":[{"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/posts\/12793","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/users\/7282"}],"replies":[{"embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/comments?post=12793"}],"version-history":[{"count":0,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/posts\/12793\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/media\/12794"}],"wp:attachment":[{"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/media?parent=12793"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/categories?post=12793"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/tags?post=12793"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}