VibeScams: How AI website builders are shaping the internet


Welcome to the era of VibeScams, where creating a phishing site takes just a few clicks. Using simple prompts, scammers can create nearly any type of website almost instantly, without any prior knowledge. Some web-building platforms recreate an entire site from a screenshot provided by the scammer – from a home page to a shopping cart. They typically also allow perfect language localization, letting scammers instantly clone a legitimate site’s look and feel in multiple languages.
This new wave of AI-driven web building tools has dramatically lowered the barrier to entry for cybercriminals, democratizing access to sophisticated site cloning and scam operations. No longer limited to those with knowledge of HTML, CSS, and JavaScript, these platforms allow anyone with an internet connection to replicate trusted brands, banking portals, or exchange interfaces with alarming fidelity. The ease and speed of this process not only accelerate the proliferation of fraudulent websites but also make it increasingly difficult for users to distinguish between genuine and malicious websites.
A new kind of phishing — VibeScams
We call them VibeScams because the trick isn’t in the code alone — it’s in the feeling. These pages pass the “vibe check”: the right colors, spacing, logo placement, and tiny footer links people trust at a glance. Because AI web builders can recreate that look from a single prompt or screenshot, attackers don’t need coding skills — they only need to get the vibe right. That’s enough to trick people into handing over credentials or cash, and it’s why this wave of scams spreads so fast.

As part of our research for this article, we contacted the web builders which attackers leverage more prevalently, according to our detections. We would like to share our appreciation for those companies, including Lovable, Elementor, Flazio, Softr, Webflow, WebWave, among others, for their fast reactions, quick banning of the websites, and overall cooperation. We would like to encourage anyone who stumbles upon suspicious or malicious websites to also report them to the specific providers. It matters and makes a difference.
VibeScams as an Evolution of Phishing
AI-powered web builders make it easy for anyone, even without coding or design skills, to create professional-looking websites quickly and cheaply. By automating templates, layouts, and even content, these tools lower barriers and speed up development, but they also give attackers the same advantages, enabling scams and phishing campaigns with minimal effort. The process of using such a web builder is so intuitive and user-friendly that it is familiar to almost everyone. Users are typically presented with a simple screen containing a textbox, prompting them to fill in a few lines of instructions to build their dream website. Below, you can find an example of a prompt screen from Lovable, one of the popular AI web building platforms:

AI chatbots have always been constrained in what they allow the user to prompt for. These security mechanisms, which are called “guardrails,” serve as a control system to detect malicious, harmful, or otherwise inappropriate prompts and block the associated responses. However, as we will see in the examples below of impersonating reputable brands, these mechanisms are frequently insufficient.
As is typical with phishing and scams, attackers tend to focus on brands, topics or products that are already popular. Typical scam sites include cryptocurrency exchanges, investment portals, banking sites, social media platforms, delivery services, shopping sites and much more.
Below, you can find a couple of examples of scam and phishing sites we observed hosted on many of these platforms, all AI generated. Other examples we discovered included MetaMask, DHL and AT&T, among many others.


From cryptocurrency exchanges to fake e-shops and login pages, we’ve also seen other typical types of scams – such as tech-support scams. As can be seen below, in this case, it was recreated using an AI web builder and even localized into German. The attacker likely just uploaded a screenshot of a traditional scam page and asked the AI to rebuild and host it, making the whole process effortless.

On the subject of brand impersonation, which is an attempt to mimic the design, logos, content, and URL of a well-known and respected brand, we’ve observed a multitude of additional cases using AI web builders. This way, the user is easily tricked into believing the website they visited is the official website of the brand. A few examples of brand impersonation of well-known crypto exchange platforms can be found below. Note that none of these are legitimate websites of known cryptocurrency exchanges, or login sites for that matter; all of them are phishing or other scam websites:
- auth-binance.webflow[.]io
- binance-cdn-auth.webflow[.]io
- coinbase-wallet-verify.replit[.]app
- coinbase-wallet.squarespace[.]com
- auth-coinbase-login.typedream[.]app
- chrome-coinbase-extension.typedream[.]app
- wallet-coinbase.typedream[.]app
- microsoft-teams-login.elementor[.]cloud
- microsoft-outlookserver.odoo[.]com
- cz-microsoft.webflow[.]io
- updateaccount-microsoft.webflow[.]io
Typosquatting is very common as well. This means the attackers choose similar-looking names, with one or more changed characters in the URL:
- app—trrezor-wallet.webflow[.]io
- app-atomiic-wallet.webflow[.]io
- coiinbase-com-wallet.typedream[.]app
- connect-metamesk-wallet.typedream[.]app
A broader list of IoCs can be found in our GitHub.
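A defender can triage builder-hosted hostnames for the two naming patterns described above: a brand name used verbatim in the subdomain, and a brand name with a changed character. The following Python sketch is an added example, not code from the original article or its authors; the watchlists are built from the domains listed above, while the function names, the token length cutoff and the one-edit threshold are assumptions made for illustration.

```python
import re

# Watchlists built from the hostnames listed in this article; extend as needed.
BUILDER_SUFFIXES = ("webflow.io", "replit.app", "squarespace.com",
                    "typedream.app", "elementor.cloud", "odoo.com")
BRANDS = ("binance", "coinbase", "microsoft", "metamask", "trezor", "atomic")


def refang(host):
    """Turn a defanged indicator (example[.]com) back into a plain hostname."""
    return host.strip().lower().replace("[.]", ".")


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host, max_typos=1):
    """Return ('impersonation' | 'typosquat' | None, matched brand or None)."""
    host = refang(host)
    suffix = next((s for s in BUILDER_SUFFIXES if host.endswith("." + s)), None)
    if suffix is None:
        return (None, None)  # not hosted on a listed builder platform
    label = host[: -len(suffix) - 1]
    # Split the subdomain on anything that is not a letter or digit.
    tokens = [t for t in re.split(r"[^a-z0-9]+", label) if t]
    for token in tokens:  # exact brand name used as a token
        if token in BRANDS:
            return ("impersonation", token)
    for token in tokens:  # near miss: brand name with a changed character
        for brand in BRANDS:
            # Short tokens are skipped: one edit on a 4-letter word is noisy.
            if len(token) >= 5 and 0 < edit_distance(token, brand) <= max_typos:
                return ("typosquat", brand)
    return (None, None)


if __name__ == "__main__":
    # Defanged samples copied from the lists above.
    for sample in ("auth-binance.webflow[.]io", "coiinbase-com-wallet.typedream[.]app"):
        print(sample, classify(sample))
```

A match is a lead for review rather than a verdict, since a legitimate customer site can contain a brand word in its subdomain.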
Scam Types – Breakdown
Nearly half of the detected websites were traditional phishing pages impersonating familiar login portals like Microsoft, Gmail, or Amazon. About a quarter targeted the cryptocurrency space—either by mimicking popular exchanges such as Coinbase, Binance, and MetaMask, or by promoting cryptocurrency-based investment scams. The remainder included more general scams and other malicious pages.

Our Testing
During our research, we took this opportunity to try a few web builders ourselves, to see how easy it actually is to create a website resembling known brands. We also used only free versions of the web builders to see what the baseline looks like.
You can see our results in a few examples below:



In our opinion, the AI-generated testing websites look fairly convincing, and they took no money and almost zero effort to create. That’s because we didn’t want to kill the vibe, so we also created all the testing prompts using AI and simply copied and pasted them into the AI web builders. In most cases, we didn’t need any further prompting or tweaking.
Note that what we generated here are only the designs. For phishing and scam sites to work properly, some functionality also needs to be provided, for example credentials exfiltration. Additional functionality like this is commonly offered in paid subscriptions of the web builders, or the attacker can once again use other LLMs to implement it directly in the code, because in a lot of cases they can download the design locally and continue the work from there.
This demonstration directly showed us the core of why the attackers are using this – they don’t need to understand the web at all to create highly believable websites for free (we only used free versions of the web builders).
Pricing models
In general, we consider these services to be cheap since there is quite a bit of competition and the user/attacker has plenty of choices to try, even for free. The fact that the attacker requires almost no skill to create a scam or phishing website far outweighs the costs here.
The range of paid offers is vast, spanning from $0.5 per month to $500 per month, with a variety of free tiers and/or trial periods. Some of the providers also offer lifetime deals for $249 or $599.
Many of these subscriptions use a relatively common credits-based model where the customer receives credits which they can use for the AI prompts. Since many of the web builders also offer hosting for the generated webpages, additional aspects are the website limit, subdomain name selection and the ability to change the subdomain name in the future.
Finally, some of the web builders also offer APIs that can be used for streamlining the webpage creation, making the whole process more automatic.
The Impact
It’s important for defenders and analysts to recognize just how accessible and varied these platforms have become. Because the barrier to entry is so low and payment models are flexible, we’re seeing a rapid growth in the number of AI-generated scam and phishing websites. This massive availability means the attackers can quickly spin up new designs and relaunch new scams almost instantly.
In total, we investigated 40 different AI web builders, 12 of which we contacted directly due to a high volume of identified malicious websites. From the beginning of 2025 to the end of August, we blocked approximately 140,000 different AI-generated websites, which makes roughly 580 new malicious generated websites every day, on average.
Since January 2025 alone, we protected nearly 190,000 of our users, with the U.S., France, Brazil, Germany, and Japan among the most affected. This shows that misuse of AI web builders is a worldwide problem, and we can only expect the threat landscape to grow.

Conclusion
During our research, we investigated various AI web builders which are being misused by attackers for performing what we call VibeScams – the creation of scam or phishing pages without the need for any knowledge of coding or web creation.
AI web builders provide support for individuals who are not technically invested in creating websites, where a simple prompt can suffice for building a new website from scratch. This results in a double-edged sword: the tools are very useful for both regular users and attackers, which is rather typical of various other AI tools, too.
Many of the malicious webpages follow the expected pattern of brand impersonation for phishing attempts and scams, which our research has seen daily for many years. The difference is that with the AI web builders, the attackers need to invest little to no effort or knowledge into creating them. As the AI web builder ecosystem evolves, it’s clear that new features and easier integrations will fuel even more sophisticated phishing campaigns in the future.
How to protect yourself:
- Always watch out for too-good-to-be-true offers or investment opportunities
- When dealing with a known brand, always verify whether this is the official website
- Look out for any deviations from the designs you are already familiar with
- Use unique passwords and MFA everywhere, preferably along with a reputable password manager
- Use a reputable AV solution to be proactively protected against phishing and scam attempts
- When in doubt, use products like Norton 360 with AI-powered scam protection to consult the security of links and web pages
Indicators of Compromise (IoCs)
A broader list of IoCs can be found on our GitHub.