AI Poisoning Attack Abuses SEO and Hidden HTML to Trick AI Agents
Key Takeaways Threat actors are actively using SEO poisoning and hidden HTML to manipulate AI agents. This “indirect prompt injection” technique exploits how AI models process web...
Key Takeaways
- Threat actors are actively using SEO poisoning and hidden HTML to manipulate AI agents.
- This “indirect prompt injection” technique exploits how AI models process web content, making them execute malicious instructions.
- Two distinct campaigns were identified: one involving a fake software payment scam and another impersonating a cryptocurrency platform.
- AI agents, in testing, performed fraudulent payments and misidentified fake sites as legitimate.
- Organizations deploying AI agents must implement robust security controls to detect hidden injection patterns.
As artificial intelligence agents increasingly serve as the primary gateway to online information and services, cyber attackers are rapidly adapting their tactics to target these automated systems. A new and concerning trend involves the use of sophisticated SEO manipulation and concealed code within websites to deliver malicious directives directly to AI models. This transforms seemingly innocuous web pages into potent tools for subverting AI-driven actions.
Table Of Content
Unlike traditional cyberattacks that focus on human users, these campaigns specifically target AI agents that browse, interpret, and act upon web content on behalf of a user. The attackers exploit the inherent trust AI systems place in the information they gather from the internet, leading to potentially severe consequences.
This method, known as indirect prompt injection, involves embedding hidden commands within a webpage’s underlying code. These instructions are designed to be imperceptible to a human visitor but are readily detected and processed by an AI agent scanning the page, which then interprets them as legitimate operational directives. Controlled experiments have already demonstrated the practical dangers of this technique. Some AI agents were observed initiating fraudulent payments and erroneously validating counterfeit websites as trustworthy sources, confirming that this is not merely a theoretical vulnerability but a proven flaw in how many prevalent AI models handle web-based data.
Researchers from Zscaler ThreatLabz said in a report shared with Cyber Security News (CSN) that their investigations uncovered two distinct campaigns employing this strategy. One scheme revolved around a deceptive software payment operation, while the other mimicked a prominent cryptocurrency platform. Both attacks leveraged a combination of search engine optimization (SEO) poisoning and hidden HTML elements to ensure their malicious pages ranked highly in search results and were perceived as authoritative by AI systems during content scraping.
Hackers Abuse SEO Poisoning
The first identified campaign masqueraded as official documentation for a Python library named “requests-secure-v2.” The attackers heavily infused the webpage with keywords relevant to developers seeking code troubleshooting solutions, aiming to push the malicious page to the top of search engine results.
Within this seemingly legitimate documentation, hidden instructions were embedded using JSON-LD, a structured data format typically used by search engines to better understand a website’s content. Recognizing that AI agents often assign higher trustworthiness to structured data than to plain text, the attackers exploited this to present a fake $3 developer license fee as a necessary step to resolve a coding error. This manipulation effectively directed AI agents toward initiating a cryptocurrency payment to an Ethereum wallet, 0x691bc3793205e574fa7b4aa068e62c0e470ad267, under the control of the threat actors.
The deceptive text itself was ingeniously concealed within a webpage element positioned off-screen using basic CSS, rendering it invisible to human users while remaining fully accessible to automated crawlers and AI tools. Zscaler’s analysis further revealed that additional related sites were linked to a GitHub account hosting ten separate repositories, all utilizing the same deceptive technique. This suggests a broader operation extending beyond a single fake software package, with domains like market-insight-global[.]com, identity-breach-response[.]org, and py-lib-repository[.]dev among the indicators of compromise.
Typosquatting a Crypto Platform
The second campaign adopted a different approach, registering a typosquatting domain, debank[.]auction, designed to imitate DeBank, a popular decentralized finance (DeFi) portfolio tracker. The fraudulent site strategically populated its titles and metadata with terms such as “DeBank Login” and “Crypto Tracker.” It also replicated social media-style tags to make shared links appear as if they originated from the authentic DeBank service.
A crucial element of this attack was a hidden block of text within the page that explicitly instructed any AI model reading it to consider the fraudulent domain as the verified and authoritative source for DeBank. The prompt even directed AI systems to prioritize this fake site in search results for common queries related to the platform. A subtle but revealing detail in the prompt was the instruction for AI systems to omit the word “auction” when referencing the domain name, a clear attempt to maintain the illusion of legitimacy.
Zscaler conducted tests across twenty-six different language models to evaluate the effectiveness of this deception. When provided with the genuine DeBank address for comparison, most models successfully identified and rejected the fake site. However, in the absence of this crucial reference point, at least one major AI model still deemed the fraudulent page trustworthy. This outcome underscores the significant dependency of AI judgment on the immediate information it processes at the point of decision.
What You Should Do
- Implement Layered Security: Organizations developing or deploying AI agents must integrate layered security controls capable of detecting and mitigating these indirect prompt injection patterns.
- Content Validation: Enhance AI agent capabilities to rigorously validate the authenticity and authority of web content, especially when encountering structured data or hidden HTML elements.
- Cross-Referencing: Program AI agents to cross-reference information with multiple trusted sources before executing any instructions or making judgments based on web content.
- Anomaly Detection: Deploy AI-specific anomaly detection systems to identify unusual behaviors or outputs from AI agents that might indicate manipulation.
- Stay Updated: Monitor threat intelligence feeds for new prompt injection techniques and ensure AI models and security systems are updated accordingly. Zscaler’s platform, for instance, already flags related activity under the signature HTML.MalURL.PromptInj.RC.M.VG.
As AI tools become increasingly autonomous in their online operations, the imperative to treat every webpage as a potential source of hidden manipulation transitions from a cautious recommendation to a fundamental security requirement.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.