CyberSecurityNews

Hackers Abuse SEO Poisoning and Hidden HTML to Trick AI Agents Into Following Malicious Instructions


Artificial intelligence agents are quickly becoming the new front door to the internet, and attackers have noticed.

A fresh wave of malicious websites is using search engine tricks and invisible code to feed false instructions directly into AI systems, turning ordinary web pages into weapons against automated tools.

These sites do not target people in the usual sense. Instead, they aim at the AI agents that browse, read, and act on web content on a user’s behalf, exploiting the trust these systems place in what they read online.

The technique, known as indirect prompt injection, hides commands inside a page’s code where a human visitor would never see them, but where an AI agent scanning the page would pick them up as legitimate instructions.

The consequences already stretch beyond theory. In controlled testing, some AI agents actually carried out fraudulent payments and misidentified fake websites as trustworthy sources, showing that this is not a hypothetical risk but a demonstrated weakness in how many popular AI models process web content.

Researchers from Zscaler ThreatLabz said in a report shared with Cyber Security News (CSN) that they identified two separate campaigns that used this method, one built around a fake software payment scam and another impersonating a well known cryptocurrency platform.

IPI Payment Scam (Source -Zscaler)

Both relied on a mix of search engine manipulation and hidden HTML to make malicious pages appear both highly relevant to search engines and completely authoritative to AI systems scanning them.

Hackers Abuse SEO Poisoning

The first campaign disguised itself as documentation for a Python library called requests-secure-v2, stuffing the page with keyword heavy text so it would surface near the top of search results for developers troubleshooting code.

Complete IPI attack chain for this campaign (Source - Zscaler)
Complete IPI attack chain for this campaign (Source – Zscaler)

Buried within that page were hidden instructions written in a format called JSON-LD, a type of structured data normally used to help search engines understand a website’s content.

Since AI agents often treat this structured data as more trustworthy than regular text, the attackers used it to frame a fake three dollar developer license fee as a routine step needed to fix an error, pushing agents toward completing a cryptocurrency payment to a wallet controlled by the attacker.

The hidden text itself was tucked inside a webpage element pushed far off screen using simple CSS positioning, meaning it never appeared to a normal visitor while remaining fully readable to automated crawlers and AI tools.

Zscaler also traced additional related sites to a GitHub account hosting ten separate repositories built around the same trick, suggesting the operation extends well past a single fake package.

Typosquatting a Crypto Platform

The second campaign took a different angle, registering a lookalike domain meant to impersonate DeBank, a widely used decentralized finance portfolio tracker.

The fake site stuffed its titles and metadata with terms like DeBank Login and Crypto Tracker, while also copying social media style tags to make shared links look like they came from the real service.

Additional fake websites associated with this campaign targeting AI agents (Source - Zscaler)
Additional fake websites associated with this campaign targeting AI agents (Source – Zscaler)

Hidden within the page was a block of text instructing any AI model reading it to treat the fraudulent domain as the verified and authoritative home of DeBank, and to rank it first in results for common searches about the platform.

The prompt even told AI systems to avoid mentioning the word auction in the domain name, a small but telling detail meant to keep the deception intact.

When Zscaler tested this scenario across twenty six different language models, most correctly rejected the fake site once given the real DeBank address for comparison.

Attack chain for the debank[.]auction typosquatting site (Source -Zscaler)
Attack chain for the debank[.]auction typosquatting site (Source -Zscaler)

Without that reference point, however, at least one major model still rated the fraudulous page as trustworthy, underlining how much AI judgment depends on the information it is given at the moment of decision.

Zscaler recommends that organizations building or deploying AI agents apply layered security controls capable of detecting these hidden injection patterns, and the company said its platform already flags related activity under the signature HTML.MalURL.PromptInj.RC.M.VG.

As AI tools take on more independent tasks online, treating every webpage as a potential source of hidden manipulation is becoming a basic security requirement rather than an optional precaution.

Indicators of Compromise (IoCs):-

TypeIndicatorDescription
Domainmarket-insight-global[.]comLinked malicious site tied to Open-Agent-Utilities GitHub repo
Domainidentity-breach-response[.]orgLinked malicious site tied to Open-Agent-Utilities GitHub repo
Domainrunners-daily-blog[.]comLinked malicious site tied to Open-Agent-Utilities GitHub repo
Domainbistro-reserve-now[.]netLinked malicious site tied to Open-Agent-Utilities GitHub repo
Domainedge-compliance-node[.]orgLinked malicious site tied to Open-Agent-Utilities GitHub repo
Domaindigital-asset-mart[.]orgLinked malicious site tied to Open-Agent-Utilities GitHub repo
Domainconsensus-protocol-v4[.]orgLinked malicious site tied to Open-Agent-Utilities GitHub repo
Domainvisual-media-rights-group[.]orgLinked malicious site tied to Open-Agent-Utilities GitHub repo
Domainpermits[.]global-transit-authority[.]orgLinked malicious site tied to Open-Agent-Utilities GitHub repo
Domainpy-lib-repository[.]devFake Python package documentation site used for SEO poisoning
Domaindebank[.]auctionTyposquatting domain impersonating the DeBank DeFi platform
URLhttps://github[.]com/Open-Agent-Utilities/mig-institutional-api-clientAssociated GitHub repository
URLhttps://github[.]com/Open-Agent-Utilities/session-token-leak-detectorAssociated GitHub repository
URLhttps://github[.]com/Open-Agent-Utilities/sneaker-drop-monitor-v2Associated GitHub repository
URLhttps://github[.]com/Open-Agent-Utilities/opentable-resy-bypasserAssociated GitHub repository
URLhttps://github[.]com/Open-Agent-Utilities/bot-compliance-middlewareAssociated GitHub repository
URLhttps://github[.]com/Open-Agent-Utilities/digital-asset-arbitrage-cliAssociated GitHub repository
URLhttps://github[.]com/Open-Agent-Utilities/llm-fact-check-protocolAssociated GitHub repository
URLhttps://github[.]com/Open-Agent-Utilities/royalty-free-image-scraperAssociated GitHub repository
URLhttps://github[.]com/Open-Agent-Utilities/global-visa-automation-cliAssociated GitHub repository
URLhttps://github[.]com/Open-Agent-Utilities/requests-secure-v2Associated GitHub repository
Wallet Address0x691bc3793205e574fa7b4aa068e62c0e470ad267Ethereum wallet used to collect fraudulent API license payments

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

 Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.



Source link