Security firm Okta revealed that cybercriminals have been leveraging Vercel’s v0 generative artificial intelligence tool to generate convincing phishing websites from straightforward prompts.

The AI platform was utilized to clone sign-in pages for several well-known brands, such as Microsoft 365 and various crypto companies.

Vercel’s AI model aims to assist web developers in creating complex web interfaces through natural language instructions. However, Okta identified that malicious actors are using the tool to develop phishing sites. Moreover, there are publicly accessible GitHub repositories with detailed guides on how to replicate the v0 application for building one’s own AI-driven phishing tools.

Tools at Their Disposal

This type of collaboration among bad actors is part of a concerning trend. Additionally, more platforms offering cybercrime-as-a-service have emerged, enabling criminals to purchase pre-made ransomware, Distributed Denial of Service (DDoS), and other forms of malware.

With these tools at their disposal after gaining access to an organization’s systems—a task often accomplished through phishing—they can inflict considerable damage. Once inside, bad actors can employ a wide range of technologies to carry out attacks.

Taking Phishing to New Heights

While many cybercriminals initially focused on creating deepfakes using AI, they have rapidly adapted their methods. This evolution is driven by the lack of regulatory and operational constraints that businesses—especially financial institutions—face, allowing them to more easily integrate AI into their attacks.

Vercel’s manipulated platform has pushed phishing efforts to new levels, as the AI model excels at producing highly realistic sites. Traditionally, part of defending against phishing involved educating users about common indicators such as typos or fake domains—deficiencies that v0-created websites do not have.

While user education remains crucial, organizations must now implement stronger authentication methods to ensure only authorized individuals gain access to systems. This involves rigorous verification and treating authentication as an ongoing process to protect against unauthorized access.