Indirect Prompt Injection in Web Content Targets AI Agents

Indirect Prompt Injection in Web Content Targets AI Agents
Zscaler ThreatLabz analyzed two indirect prompt injection campaigns that used hidden instructions, SEO poisoning, CSS, HTML, and JSON-LD to manipulate AI agents visiting malicious websites. The campaigns impersonated a fake payment/API-key site and a typosquatting DeBank clone, and testing across 26 LLMs showed several models could be tricked into misclassification or unauthorized payment actions. #Zscaler #ThreatLabz #DeBank #Open-Agent-Utilities

Keypoints

  • ThreatLabz identified two real-world indirect prompt injection (IPI) campaigns embedded in websites to manipulate AI agents.
  • The first campaign used a fake API/payment flow disguised as developer documentation and leveraged SEO poisoning to attract AI-driven browsing.
  • Hidden instructions were concealed with CSS, HTML, and JSON-LD to influence an agent into paying $3.00 or sending cryptocurrency to an attacker-controlled wallet.
  • The second campaign used the typosquatting domain debank[.]auction to impersonate DeBank and mislead AI agents and users.
  • The DeBank clone used keyword stuffing, metadata spoofing, and hidden prompt injection to present itself as the authoritative source.
  • Testing across 26 LLMs showed 4 models failed on campaign 1 and 2 models misclassified the fake DeBank site under certain conditions.
  • Zscaler noted the attacks can lead to context contamination and Retrieval-Augmented Generation (RAG) poisoning when malicious sites are treated as trusted sources.

MITRE Techniques

  • [T1566 ] Phishing – The attackers used deceptive website content and hidden instructions to trick AI agents and users into following malicious payment or trust-related prompts (‘hidden instructions designed to influence an AI agent’s decision-making’).
  • [T1056.001 ] Input Capture: Keylogging – Not mentioned.
  • [T1056 ] Input Capture – Not mentioned.
  • [T1027 ] Obfuscated Files or Information – The malicious instructions were concealed in CSS-hidden elements, off-screen divs, and structured data to evade human visibility while remaining machine-readable (‘using CSS so it is invisible to users, but still present in the DOM’).
  • [T1204 ] User Execution – The attack relied on AI agents or users to follow the injected instructions and complete the payment or trust the fraudulent website (‘an AI agent attempting to complete a development task can be manipulated into sending funds’).
  • [T1595.002 ] Active Scanning: Vulnerability Scanning – Not mentioned.
  • [T1595 ] Active Scanning – Not mentioned.
  • [T1036 ] Masquerading – The attacker impersonated legitimate services such as DeBank and API documentation to appear trustworthy (‘impersonating DeBank’, ‘describes the site as a SoftwareApplication’).
  • [T1568.002 ] Dynamic Resolution: Domain Generation Algorithms – Not mentioned.
  • [T1583.001 ] Acquire Infrastructure: Domains – The campaign used attacker-controlled and typosquatted domains such as debank[.]auction to host the fraudulent content (‘typosquatting domain impersonating DeBank’).
  • [T1608.001 ] Stage Capabilities: Upload Malware – Not mentioned.
  • [T1649 ] Steal Web Session Cookie – Not mentioned.
  • [T1190 ] Exploit Public-Facing Application – The attacker abused website metadata and structured fields to exploit how AI agents interpret public web content (‘abusing JSON-LD’, ‘SEO poisoning’).
  • [T1059 ] Command and Scripting Interpreter – JavaScript code was used to initiate a cryptocurrency transfer as part of the malicious flow (‘JavaScript code to initiate a transfer of approximately 0.0012 ETH’).
  • [T1071.001 ] Application Layer Protocol: Web Protocols – The websites used HTTP-based web content and browser-rendered pages to deliver the injection (‘malicious websites that impersonate legitimate services’).

Indicators of Compromise

  • [Domain ] typosquatting target and malicious host – debank[.]auction
  • [GitHub repository ] linked infrastructure and related sites – https://github[.]com/Open-Agent-Utilities/requests-secure-v2, https://github[.]com/Open-Agent-Utilities/mig-institutional-api-client, and other Open-Agent-Utilities repositories
  • [Cryptocurrency wallet address ] payment destination used in the fake API-key flow – 0x691bc3793205e574fa7b4aa068e62c0e470ad267
  • [File/host name ] fake Python package referenced in the SEO poisoning campaign – requests-secure-v2
  • [URL path/repository set ] additional associated lure sites and repos – market-insight-global[.]com, identity-breach-response[.]org, runners-daily-blog[.]com, and other listed lure domains


Read more: https://www.zscaler.com/blogs/security-research/indirect-prompt-injection-web-content-targets-ai-agents