Zscaler ThreatLabz analyzed two indirect prompt injection campaigns that used hidden instructions, SEO poisoning, CSS, HTML, and JSON-LD to manipulate AI agents visiting malicious websites. The campaigns impersonated a fake payment/API-key site and a typosquatting DeBank clone, and testing across 26 LLMs showed several models could be tricked into misclassification or unauthorized payment actions. #Zscaler #ThreatLabz #DeBank #Open-Agent-Utilities
Keypoints
- ThreatLabz identified two real-world indirect prompt injection (IPI) campaigns embedded in websites to manipulate AI agents.
- The first campaign used a fake API/payment flow disguised as developer documentation and leveraged SEO poisoning to attract AI-driven browsing.
- Hidden instructions were concealed with CSS, HTML, and JSON-LD to influence an agent into paying $3.00 or sending cryptocurrency to an attacker-controlled wallet.
- The second campaign used the typosquatting domain debank[.]auction to impersonate DeBank and mislead AI agents and users.
- The DeBank clone used keyword stuffing, metadata spoofing, and hidden prompt injection to present itself as the authoritative source.
- Testing across 26 LLMs showed 4 models failed on campaign 1 and 2 models misclassified the fake DeBank site under certain conditions.
- Zscaler noted the attacks can lead to context contamination and Retrieval-Augmented Generation (RAG) poisoning when malicious sites are treated as trusted sources.
MITRE Techniques
- [T1566 ] Phishing – The attackers used deceptive website content and hidden instructions to trick AI agents and users into following malicious payment or trust-related prompts (‘hidden instructions designed to influence an AI agent’s decision-making’).
- [T1056.001 ] Input Capture: Keylogging – Not mentioned.
- [T1056 ] Input Capture – Not mentioned.
- [T1027 ] Obfuscated Files or Information – The malicious instructions were concealed in CSS-hidden elements, off-screen divs, and structured data to evade human visibility while remaining machine-readable (‘using CSS so it is invisible to users, but still present in the DOM’).
- [T1204 ] User Execution – The attack relied on AI agents or users to follow the injected instructions and complete the payment or trust the fraudulent website (‘an AI agent attempting to complete a development task can be manipulated into sending funds’).
- [T1595.002 ] Active Scanning: Vulnerability Scanning – Not mentioned.
- [T1595 ] Active Scanning – Not mentioned.
- [T1036 ] Masquerading – The attacker impersonated legitimate services such as DeBank and API documentation to appear trustworthy (‘impersonating DeBank’, ‘describes the site as a SoftwareApplication’).
- [T1568.002 ] Dynamic Resolution: Domain Generation Algorithms – Not mentioned.
- [T1583.001 ] Acquire Infrastructure: Domains – The campaign used attacker-controlled and typosquatted domains such as debank[.]auction to host the fraudulent content (‘typosquatting domain impersonating DeBank’).
- [T1608.001 ] Stage Capabilities: Upload Malware – Not mentioned.
- [T1649 ] Steal Web Session Cookie – Not mentioned.
- [T1190 ] Exploit Public-Facing Application – The attacker abused website metadata and structured fields to exploit how AI agents interpret public web content (‘abusing JSON-LD’, ‘SEO poisoning’).
- [T1059 ] Command and Scripting Interpreter – JavaScript code was used to initiate a cryptocurrency transfer as part of the malicious flow (‘JavaScript code to initiate a transfer of approximately 0.0012 ETH’).
- [T1071.001 ] Application Layer Protocol: Web Protocols – The websites used HTTP-based web content and browser-rendered pages to deliver the injection (‘malicious websites that impersonate legitimate services’).
Indicators of Compromise
- [Domain ] typosquatting target and malicious host – debank[.]auction
- [GitHub repository ] linked infrastructure and related sites – https://github[.]com/Open-Agent-Utilities/requests-secure-v2, https://github[.]com/Open-Agent-Utilities/mig-institutional-api-client, and other Open-Agent-Utilities repositories
- [Cryptocurrency wallet address ] payment destination used in the fake API-key flow – 0x691bc3793205e574fa7b4aa068e62c0e470ad267
- [File/host name ] fake Python package referenced in the SEO poisoning campaign – requests-secure-v2
- [URL path/repository set ] additional associated lure sites and repos – market-insight-global[.]com, identity-breach-response[.]org, runners-daily-blog[.]com, and other listed lure domains