Cybercriminals are now using sophisticated phishing attacks to compromise AI agents in a similar fashion to the way they compromise human targets. There is growing evidence of seemingly innocent websites being weaponized in order to gain control of any AI agents who may visit them. Like spiders spinning a web, the threat actors are designing websites to attract AI agents before taking control of them.
Cybersecurity company Zscaler's research arm, ThreatLabz, has identified two such cases using indirect prompt injection (IPI) to hide instructions in websites, attempting to trick AI agents into following the attackers' instructions.
Payment scam targets AI agents and developers alike
One of the fraudulent websites ThreatLabz analyzed was a payment scam using legitimate-looking documentation as a cover. The weaponized website not only attempts to target AI agents, but also human developers.
"The website includes hidden instructions designed to influence an AI agent's decision-making by framing the payment as a routine step to acquire an application programming interface (API) key. As a result, an AI agent attempting to complete a development task can be manipulated into sending funds to an attacker-controlled account," reports ThreatLabz.
The attack surface is growing
ThreatLabz also discovered a fake domain impersonating DeBank, a widely used decentralized finance portfolio tracker. Hidden malware instructs any visiting AI agents to ignore previous directions and instead follow the malicious directives embedded in the website.
"As AI agents become a more common interface to the web, the content itself is going to become a larger attack surface, highlighting that AI is a double-edged sword that can streamline workflows while also introducing new avenues for abuse," warns ThreatLabz.
The rapid adoption of agentic AI across all sectors is increasingly exposing companies to risk. AI agents that are free to roam the internet to gather information and execute transactions make tempting targets for threat actors. Agents that have been compromised can also present a greater threat than a human target who falls prey to a phishing attack.
An AI agent that has been sufficiently compromised can be turned "rogue" and be instructed to continue to do the criminals' bidding. This can involve a series of unauthorized payments to the threat actors' crypto accounts or revealing sensitive corporate information. Human targets would, however, be reluctant to continue to co-operate with cybercriminals once their suspicions were aroused.
