{"slug": "phishing-s-new-growth-team-meta-ads-and-lovable", "title": "Phishing's New Growth Team: Meta Ads and Lovable", "summary": "A phishing campaign impersonating Amazon uses AI-generated landing pages built with Lovable and paid Meta ads to steal credentials. The operation employs Meta Pixels to feed fake conversion signals to Facebook's ad algorithm, targeting victims via an adversary-in-the-middle kit that bypasses SMS and authenticator codes but not passkeys.", "body_md": "# Phishing's New Growth Team: Meta Ads and Lovable\n\nA phishing operation impersonating Amazon is being run like a growth-marketing campaign. The lure is an AI-generated landing page. The traffic is bought from Facebook. And the funnel is wired with Meta Pixels that feed Facebook's own algorithm a signal to go find more victims. It is credential theft with a conversion funnel bolted on.\n\nThe landing page sits on `tktc1.amfreeapplicationcenter.help` and was built with Lovable, the AI \"vibe-coding\" site generator. The operator never scrubbed it. A leftover `lovable.app` preview asset still sits in the source. The page itself is pure conversion optimization. It leads with \"AMAZON HAS HIDDEN REFUND & DISCOUNT POLICIES\" and manufactured urgency (\"Check now before it expires\"). It lists refund tiers: a $500 order gets $100 back, a $1,200 order gets $260, tagged \"MOST COMMON.\" It runs a scrolling wall of five-star testimonials with names, cities, and dollar amounts (Lisa B., Seattle, $471 refunded). It stamps itself \"Officially Authorized by Amazon\" and lines the footer with SSL Encrypted, Privacy Protected, and Refund Guarantee badges. Every element is a standard growth-marketing trick aimed at one conversion: a tap on \"Check My Eligibility.\"\n\nThat traffic is bought. Victims arrive from a paid Facebook ad, opened inside the Facebook in-app browser, and the landing page carries twelve Meta Pixels. 
When the victim taps through, the page fires an `AddToCart` conversion to all twelve before redirecting. This is the growth team's sharpest move. `AddToCart` is a standard optimization signal, and Meta's delivery algorithm uses it to find more people likely to take that action. By reporting a fake conversion on every click, the operator turns Facebook's ad engine into a victim-targeting system, paying by the click to reach people who behave like marks.\n\nThe redirect lands on `amzaonac.eu.cc`, a typosquat of \"amazon,\" serving a pixel-perfect clone of Amazon's sign-in. It is an adversary-in-the-middle kit, a Vue app behind Cloudflare. Before rendering it calls `/api/precheck` and `/api/ja3/echo` to fingerprint the visitor's device and TLS stack, plus `/api/blacklist/check` to screen out scanners. Anything that isn't a U.S. iPhone arriving from the ad gets nothing. The kit then runs a server-driven sign-in over a WebSocket, walking the visitor through email, password, and a one-time code and relaying each to the operator's backend, which replays them against Amazon's real login in real time. Email one-time codes are no obstacle. The kit requests the code, the visitor enters it, and the relay passes it straight through.\n\nThe whole funnel is built to be seen only by its targets. The landing page sets `noarchive` and blocks search, SEO, and AI crawlers by name: `GPTBot`, `CCBot`, `Bytespider`, `ClaudeBot`. A scanner from a data center gets a decoy or a block. As of this writing both the lure and the kit are still live and serving on mobile, even after Google Safe Browsing flagged the lure in Chrome.\n\nIt also gets past the defense most users think protects them. A relay forwards whatever the victim types, so a one-time code is relayable whether it arrives by SMS, by email, or from an authenticator app. All three are secrets the user reads and retypes, with the attacker standing in the middle to catch them. 
The one credential that breaks the relay is the one the user cannot retype. A passkey or hardware security key signs a challenge bound to the real `amazon.com`, will not even offer itself on the phishing origin, and hands the relay nothing it can forward. Everything short of that, this campaign gets through.\n\n**Indicators**\n\n- Lure: `tktc1.amfreeapplicationcenter.help` (Lovable-built; Safe-Browsing-flagged, still live)\n- Kit: `amzaonac.eu.cc` (\"amazon\" typosquat). Endpoints: `/api/precheck`, `/api/ja3/echo`, `/api/blacklist/check`, `/api/session/ws`\n- Distribution: Meta paid ads; 12 Meta Pixel IDs firing `AddToCart` on click\n- Crawler block: `noindex/noarchive` naming GPTBot, CCBot, Bytespider, anthropic-ai, ClaudeBot", "url": "https://wpnews.pro/news/phishing-s-new-growth-team-meta-ads-and-lovable", "canonical_source": "https://www.buchodi.com/phishings-new-growth-team-meta-ads-and-lovable/", "published_at": "2026-06-24 07:19:51+00:00", "updated_at": "2026-06-24 07:42:48.948699+00:00", "lang": "en", "topics": ["ai-tools", "ai-safety", "ai-ethics", "generative-ai"], "entities": ["Amazon", "Meta", "Facebook", "Lovable", "Cloudflare", "Google Safe Browsing", "GPTBot", "ClaudeBot"], "alternates": {"html": "https://wpnews.pro/news/phishing-s-new-growth-team-meta-ads-and-lovable", "markdown": "https://wpnews.pro/news/phishing-s-new-growth-team-meta-ads-and-lovable.md", "text": "https://wpnews.pro/news/phishing-s-new-growth-team-meta-ads-and-lovable.txt", "jsonld": "https://wpnews.pro/news/phishing-s-new-growth-team-meta-ads-and-lovable.jsonld"}}