Home Technology, networking, cybersecurity, AI Researchers Spot Uptick in Use of Vercel for Phishing Campaigns

Technology, networking, cybersecurity, AI

Researchers Spot Uptick in Use of Vercel for Phishing Campaigns

Sara Ahmad May 10, 2026 2 min read

Security researchers have observed an increase in phishing campaigns hosted on Vercel, the cloud platform popular for web deployments. Attackers use the service’s ease of setup and free tier to rapidly deploy fake login pages targeting major brands.

Key Details

Multiple cybersecurity firms report a rise in phishing sites on Vercel’s infrastructure over recent months. These sites mimic login portals for banks, email providers, and e-commerce platforms. The platform’s serverless functions and edge network allow quick takedown evasion, as attackers spin up new domains after removals.

Vercel provides straightforward deployment via Git integration and custom domains. Phishing operators exploit this by forking public templates or cloning legitimate sites, then pointing domains to the hosted fakes. Reports note over a dozen campaigns active in the past quarter, affecting users in North America and Europe.

Common tactics include typosquatted domains and social engineering lures distributed via email and SMS. Victims enter credentials on these pages, which relay data to attacker-controlled servers before redirecting to real sites.

Background and Impact

Vercel, founded in 2015, hosts millions of sites for developers worldwide. Its popularity among legitimate users makes it an attractive vector for abuse. This trend echoes past incidents with platforms like Netlify and GitHub Pages, where free hosting fueled phishing.

Phishing remains a top threat, accounting for a significant share of data breaches. The shift to developer platforms complicates detection, as malicious sites blend with genuine deployments. Organizations like SEO scammers have long exploited online tools for fraud, highlighting broader risks in cloud services.

Expert Statements

A researcher from a leading threat intelligence firm stated that Vercel’s speed enables “phishing-as-a-service” operations. “Attackers deploy in minutes, far outpacing manual takedowns,” the expert noted. Vercel representatives confirmed monitoring efforts and swift response to abuse reports.

Industry watchers point to the platform’s free tier as a key enabler. One analyst remarked, “Low barriers draw script kiddies and pros alike.” Similar patterns appear in user engagement tactics misused by bad actors online.

Responses and Prevention

Vercel has bolstered its abuse detection with machine learning scans and partnerships with domain registrars. Users report suspicious sites via a dedicated portal, leading to deployments offline within hours. The company urges developers to enable two-factor authentication and monitor logs.

Security teams recommend endpoint protections and user training. Browser vendors are enhancing phishing filters for cloud-hosted threats. For businesses, vigilance against streamlined tools repurposed for harm proves essential.

Researchers continue tracking this development, with expectations of platform-wide mitigations. Users should verify site authenticity via official channels amid rising threats.

Frequently Asked Questions

How do phishing campaigns use Vercel for hosting malicious sites?

Phishing campaigns exploit Vercel's free hosting by deploying deceptive sites via GitHub repositories linked to Vercel accounts. Attackers clone legitimate login pages, customize them with phishing forms, and deploy instantly using Vercel's edge network for global speed. Security teams spot these by monitoring Vercel subdomains like project-name.vercel.app for suspicious redirects to credential-harvesting endpoints.

What is Vercel phishing and why is it increasing recently?

Vercel phishing involves cybercriminals leveraging Vercel's serverless platform to host realistic phishing pages that mimic trusted sites. Researchers have spotted an uptick in use of Vercel for phishing campaigns due to its ease of use, free tier, and automatic HTTPS, making attacks harder to detect. This trend surged in 2023 as attackers shifted from traditional hosting amid better cloud security scrutiny.

Why am I seeing suspicious Vercel links in phishing emails lately?

Suspicious Vercel links appear in phishing emails because attackers favor Vercel's platform for quick, scalable hosting of fake login pages that evade basic filters. Beginners often click them mistaking vercel.app domains for legitimate sites due to their clean HTTPS setup. The uptick in use of Vercel for phishing campaigns stems from its low barrier to entry, confusing users who don't verify URLs.

What are best practices to detect Vercel phishing sites quickly?

To detect Vercel phishing sites, inspect URLs for random project names on vercel.app domains and hover to check redirects. Use tools like VirusTotal or URLScan.io to analyze links before clicking, and train teams on spotting Vercel's edge-cached phishing pages. Blocklist known malicious Vercel deployments via browser extensions like uBlock Origin for efficient protection.

How does Vercel phishing compare to AWS or Netlify attacks?

Vercel phishing excels in speed and anonymity compared to AWS, which requires more setup and billing trails, making Vercel ideal for hit-and-run campaigns. Netlify offers similar ease but Vercel's Git-based deploys enable faster iteration in phishing attacks. Advanced users prefer Vercel for its global edge network, outpacing alternatives in delivering phishing pages worldwide.

Sara Ahmad

NetworkUstad Contributor

📬

Enjoyed this article?

Subscribe to get more networking & cybersecurity content delivered daily — curated by AI, written for IT professionals.