v0 is an impressive tool from Vercel, the team behind Next.js. Building websites with AI couldn’t be easier, something cyber attackers are only too happy to exploit.
This is evident from a recently published study by Okta’s Threat Intelligence team. As an identity security player, Okta does not take this type of attack lightly: it involves sites with fake login screens, potentially undermining the everyday trust users have in single sign-on tools such as Okta’s.
Replicas on demand
According to Okta Threat Intelligence, attackers have managed to simulate legitimate sign-ons from well-known companies. Normally, it is a daunting task or at least requires a great deal of expertise to build a credible fake version of a login screen. However, thanks to v0, it has become so easy that replicas of these sites can be admired on demand and almost immediately.
Okta has observed this phenomenon several times, including once at an Okta customer. Microsoft 365 is among the brands imitated, but crypto sites also appear to be an attractive mask for malicious actors. Further investigation reveals that everything from fake company logos to other backend resources were running within Vercel’s infrastructure. According to Okta, some malicious parties choose to host all their resources at a legitimate location, which would appear more legitimate than if they were scattered across multiple locations. In addition, the researchers argue, this allows them to avoid detection based on the use of known malicious IT environments.
On top of that, the stolen information consists of legitimate credentials. This allows attackers to enter undetected during their infiltration and pose as ordinary users. This is usually followed by the installation of ransomware, with all the consequences that entails. A successful phishing campaign can therefore be extremely lucrative. Cyber attackers do not even have to carry out the infiltration attempt themselves; they can simply sell the legitimate login details on the dark web.
The problem goes further
In addition to v0, other apps and sites are also a launch pad for phishers. Think of GitHub repositories that offer direct copies of v0.dev or homemade alternatives. All of this is once again powered by AI to enable even the least technical cyber attackers to build their fake pages.
In any case, Okta customers can contact the company’s Security Trust Center for advice. Knowledge about active campaigns such as this is an important first step toward neutralizing them. However, it seems that the genie is out of the bottle now that open-source tools and AI models provide sufficient skills for building credible sites. Even if all legitimate parties do their best to keep malicious actors off their APIs and websites, there is still a significant chance of phishing. That is why many organizations strive to be phishing-resistant, for example by building in MFA, granting accounts as few privileges as possible, and never trusting new endpoints without verification.
Read also: Okta extends identity security to non-human users