VibeScams: How AI website builders are shaping the internet

AI-powered web builders enable criminals to create convincing phishing and scam sites (VibeScams) from simple prompts or screenshots, dramatically lowering the technical barrier and accelerating brand impersonation across many platforms. Researchers blocked roughly 140,000 AI-generated malicious sites (about 580 per day) between early 2025 and August 2025, affecting users worldwide including the U.S., France, Brazil, Germany, and Japan.

Key points

  • AI web builders can recreate entire websites from a single prompt or screenshot, including layout, logos, and localized language, enabling near-identical brand impersonation.
  • The phenomenon is dubbed “VibeScams” because attackers replicate the visual “vibe” (colors, spacing, logos, tiny footer links) to trick users without needing coding skills.
  • Researchers identified misuse across numerous platforms (e.g., Lovable, Elementor, Flazio, Softr, Webflow, WebWave) and reported malicious sites to providers, who often responded quickly to remove them.
  • Detected scam types include login phishing, fake e-shops, cryptocurrency exchange impersonations, and localized tech-support scams; roughly half were credential-phishing pages and ~25% targeted crypto.
  • Testing showed convincing results using free tiers of builders; attackers can add credential exfiltration via paid features or additional LLMs after downloading designs.
  • From early 2025 to August 2025, about 140,000 AI-generated malicious websites were blocked (~580 per day), and nearly 190,000 users were protected, with the impact distributed globally.
  • Mitigations include verifying official sites, using unique passwords and MFA, employing reputable AV or AI-powered scam protection, and reporting suspicious sites to providers.

MITRE Techniques

  • [T1192] Spearphishing via Service – Attackers create convincing impersonation sites (e.g., “auth-coinbase-login.typedream[.]app”) to harvest credentials by mimicking legitimate services (“…these pages pass the ‘vibe check’… trick people into handing over credentials…”).
  • [T1608] Stage Capabilities (Acquire Infrastructure) – Use of AI web builders and hosting/subdomains to rapidly generate and host phishing infrastructure (“…AI web builders also offer hosting for the generated webpages… attacker can use… APIs… making the whole process more automatic”).
  • [T1598] Phishing via Masquerading – Brand impersonation and typosquatting to mimic trusted brands and URLs (“…brand impersonation… attackers are choosing similarly looking names, with one or more changed characters in the URL”).
  • [T1588] Phishing via Web Forms – Use of generated sites to collect credentials or payments, often augmented by additional functionality like credential exfiltration (“…For phishing and scam sites to work properly, there also needs to be some functionality provided, for example credentials exfiltration”).
  • [T1595] Active Scanning – High-volume automated creation and relaunch of malicious pages to evade takedown and scale campaigns (“…attackers can quickly spin up new designs and relaunch new scams almost instantly… approximately 140,000 different AI-generated websites… roughly 580 new malicious generated websites every day”).

Indicators of Compromise

  • [Domain] Scam and phishing hosting examples – auth-binance.webflow[.]io, binance-cdn-auth.webflow[.]io
  • [Domain] Coinbase impersonation examples – coinbase-wallet-verify.replit[.]app, auth-coinbase-login.typedream[.]app
  • [Domain] Microsoft impersonation examples – microsoft-teams-login.elementor[.]cloud, updateaccount-microsoft.webflow[.]io
  • [Domain] Typosquatting and wallet impersonation examples – app—trrezor-wallet.webflow[.]io, connect-metamesk-wallet.typedream[.]app (and other similar typosquatted domains)
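
The indicators above share one naming pattern: a brand name, or a spelling one or two characters away from it, placed in a subdomain of a website-builder hosting domain. The following is an added example, not code from the original research, showing how a defender could flag that pattern in proxy or DNS logs; the brand watchlist, the edit-distance threshold and the function names are assumptions, and the hosting suffixes are the ones that appear in the indicators above.

```python
# Added example: flag hostnames on AI-builder hosting suffixes whose labels
# contain a brand name or a near-miss spelling of one (typosquatting).

# Hosting suffixes taken from the indicators listed on this page.
BUILDER_SUFFIXES = ("webflow.io", "replit.app", "typedream.app", "elementor.cloud")
# Assumed watchlist of protected brands; extend for your own environment.
BRANDS = ("binance", "coinbase", "microsoft", "trezor", "metamask")
MAX_EDITS = 2  # assumed threshold for "one or more changed characters"


def refang(host: str) -> str:
    """Normalise a defanged indicator (name[.]io) to a plain lowercase hostname."""
    return host.strip().lower().replace("[.]", ".").rstrip(".")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str):
    """Return (suffix, brand, kind) for a suspicious host, or None."""
    host = refang(host)
    suffix = next((s for s in BUILDER_SUFFIXES if host.endswith("." + s)), None)
    if suffix is None:
        return None  # not hosted on a watched builder platform
    label = host[: -len(suffix) - 1]
    # Split on dots, hyphens and any other non-alphanumeric character.
    tokens = "".join(c if c.isalnum() else " " for c in label).split()
    for tok in tokens:
        for brand in BRANDS:
            if tok == brand:
                return (suffix, brand, "exact")
            # Skip short tokens ("app", "auth") to limit accidental matches.
            if len(tok) >= 5 and edit_distance(tok, brand) <= MAX_EDITS:
                return (suffix, brand, "typosquat")
    return None
```

Treat a hit as a triage lead rather than a verdict: ordinary words such as "finance" sit one edit away from "binance", so pair the result with page content or reputation checks before blocking.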


Read more: https://www.gendigital.com/blog/insights/research/vibe-scams