{“lastseen”:”2026-02-12T08:06:59″,”description”:”AI tool Vercel was abused by cybercriminals to create a Malwarebytes lookalike website.\\n\\nCybercriminals no longer need design or coding skills to create a convincing fake brand site. All they need is a domain name and an AI website builder. In minutes, they can clone a site’s look and feel, plug in payment or credential-stealing flows, and start luring victims through search, social media, and spam.\\n\\nOne side effect of being an established and trusted brand is that you attract copycats who want a slice of that trust without doing any of the work. Cybercriminals have always known it is much easier to trick users by impersonating something they already recognize than by inventing something new\u2014and developments in AI have made it trivial for scammers to create convincing fake sites.\u200b\u200b \\n\\nRegistering a plausible-looking domain is cheap and fast, especially through registrars and resellers that do little or no upfront vetting. Once attackers have a name that looks close enough to the real thing, they can use AI-powered tools to copy layouts, colors, and branding elements, and generate product pages, sign-up flows, and FAQs that look \u201con brand.\u201d \\n\\n## A flood of fake \u201cofficial\u201d sites\\n\\nData from recent holiday seasons shows just how routine large-scale domain abuse has become. \\n\\nOver a three\u2011month period leading into the 2025 shopping season, researchers observed more than 18,000 holiday\u2011themed domains with lures like \u201cChristmas,\u201d \u201cBlack Friday,\u201d and \u201cFlash Sale,\u201d with at least 750 confirmed as malicious and many more still under investigation. In the same window, about 19,000 additional domains were registered explicitly to impersonate major retail brands, nearly 3,000 of which were already hosting phishing pages or fraudulent storefronts.\\n\\nThese sites are used for everything from credential harvesting and payment fraud to malware delivery disguised as \u201corder trackers\u201d or \u201csecurity updates.\u201d \\n\\nAttackers then boost visibility using SEO poisoning, ad abuse, and comment spam, nudging their lookalike sites into search results and promoting them in social feeds right next to the legitimate ones. From a user\u2019s perspective, especially on mobile without the hover function, that fake site can be only a typo or a tap away.\u200b\\n\\n## When the impersonation hits home\\n\\nA recent example shows how low the barrier to entry has become. \\n\\nWe were alerted to a site at installmalwarebytes[.]org that masqueraded from logo to layout as a genuine Malwarebytes site. \\n\\nClose inspection revealed that the HTML carried a meta tag value pointing to v0 by Vercel, an AI-assisted app and website builder.\\n\\n\\n\\nThe tool lets users paste an existing URL into a prompt to automatically recreate its layout, styling, and structure\u2014producing a near\u2011perfect clone of a site in very little time.\\n\\nThe history of the imposter domain tells an incremental evolution into abuse. \\n\\nRegistered in 2019, the site did not initially contain any Malwarebytes branding. In 2022, the operator began layering in Malwarebytes branding while publishing Indonesian\u2011language security content. This likely helped with search reputation while normalizing the brand look to visitors. Later, the site went blank, with no public archive records for 2025, only to resurface as a full-on clone backed by AI\u2011assisted tooling.\u200b\\n\\nTraffic did not arrive by accident. Links to the site appeared in comment spam and injected links on unrelated websites, giving users the impression of organic references and driving them toward the fake download pages.\\n\\nPayment flows were equally opaque. The fake site used PayPal for payments, but the integration hid the merchant\u2019s name and logo from the user-facing confirmation screens, leaving only the buyer\u2019s own details visible. That allowed the criminals to accept money while revealing as little about themselves as possible.\\n\\n\\n\\nBehind the scenes, historical registration data pointed to an origin in India and to a hosting IP (209.99.40[.]222) associated with domain parking and other dubious uses rather than normal production hosting. \\n\\nCombined with the AI\u2011powered cloning and the evasive payment configuration, it painted a picture of low\u2011effort, high\u2011confidence fraud. \\n\\n## AI website builders as force multipliers\\n\\nThe installmalwarebytes[.]org case is not an isolated misuse of AI\u2011assisted builders. It fits into a broader pattern of attackers using generative tools to create and host phishing sites at scale. \\n\\nThreat intelligence teams have documented abuse of Vercel\u2019s v0 platform to generate fully functional phishing pages that impersonate sign\u2011in portals for a variety of brands, including identity providers and cloud services, all from simple text prompts. Once the AI produces a clone, criminals can tweak a few links to point to their own credential\u2011stealing backends and go live in minutes.\\n\\nResearch into AI\u2019s role in modern phishing shows that attackers are leaning heavily on website generators, writing assistants, and chatbots to streamline the entire kill chain\u2014from crafting persuasive copy in multiple languages to spinning up responsive pages that render cleanly across devices. One analysis of AI\u2011assisted phishing campaigns found that roughly 40% of observed abuse involved website generation services, 30% involved AI writing tools, and about 11% leveraged chatbots, often in combination. This stack lets even low\u2011skilled actors produce professional-looking scams that used to require specialized skills or paid kits.\u200b\\n\\n## Growth first, guardrails later\\n\\nThe core problem is not that AI can build websites. It’s that the incentives around AI platform development are skewed. Vendors are under intense pressure to ship new capabilities, grow user bases, and capture market share, and that pressure often runs ahead of serious investment in abuse prevention.\\n\\nAs Malwarebytes General Manager Mark Beare put it:\\n\\n\\u003e \\”AI-powered website builders like Lovable and Vercel have dramatically lowered the barrier for launching polished sites in minutes. While these platforms include baseline security controls, their core focus is speed, ease of use, and growth\u2014not preventing brand impersonation at scale. That imbalance creates an opportunity for bad actors to move faster than defenses, spinning up convincing fake brands before victims or companies can react.\\”\\n\\nSite generators allow cloned branding of well\u2011known companies with no verification, publishing flows skip identity checks, and moderation either fails quietly or only reacts after an abuse report. Some builders let anyone spin up and publish a site without even confirming an email address, making it easy to burn through accounts as soon as one is flagged or taken down.\\n\\nTo be fair, there are signs that some providers are starting to respond by blocking specific phishing campaigns after disclosure or by adding limited brand-protection controls. But these are often reactive fixes applied after the damage is done. \\n\\nMeanwhile, attackers can move to open\u2011source clones or lightly modified forks of the same tools hosted elsewhere, where there may be no meaningful content moderation at all. \\n\\nIn practice, the net effect is that AI companies benefit from the growth and experimentation that comes with permissive tooling, while the consequences is left to victims and defenders.\\n\\nWe have blocked the domain in our web protection module and requested a domain and vendor takedown.\\n\\n## How to stay safe\\n\\nEnd users cannot fix misaligned AI incentives, but they can make life harder for brand impersonators. Even when a cloned website looks convincing, there are red flags to watch for:\\n\\n * Before completing any payment, always review the \u201cPay to\u201d details or transaction summary. If no merchant is named, back out and treat the site as suspicious.\\n * Use an up-to-date, real-time anti-malware solution with a web protection module.\\n * Do not follow links posted in comments, on social media, or unsolicited emails to buy a product. Always follow a verified and trusted method to reach the vendor.\\n\\n\\n\\nIf you come across a fake Malwarebytes website, please let us know. \\n\\n\\n* * *\\n\\n**We don ‘t just report on threats\u2014we help safeguard your entire digital identity**\\n\\nCybersecurity risks should never spread beyond a headline. Protect your, and your family’s, personal information by using identity protection.”,”published”:”2026-02-12T08:03:00″,”modified”:”2026-02-12T08:03:00″,”type”:”malwarebytes”,”title”:”Criminals are using AI website builders to clone major brands”,”source”:””,”references”:””,”id”:”MALWAREBYTES:BD9382592A0C02FFBEBC4F99CEF13C8F”,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/news\/2026\/02\/criminals-are-using-ai-website-builders-to-clone-major-brands”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-12T08:06:59″,”description”:”AI tool Vercel was abused by cybercriminals to create a Malwarebytes lookalike website.\\n\\nCybercriminals no longer need design or coding skills to create a convincing fake…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-40552","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n