AI Security AI安全 4d ago Updated 4d ago 更新于 4天前 51

Prompt Injection Attacks Trick AI Agents Into Making Crypto Payments 提示注入攻击欺骗AI代理进行加密货币支付

Threat actors are deploying indirect prompt injection attacks via SEO-poisoned websites and manipulated search results to compromise autonomous AI agents. Two distinct campaigns were identified: one targeting AI agents searching for a fake Python library to force cryptocurrency payments, and another impersonating the DeBank platform through typosquatting. Testing revealed that four out of twenty-six evaluated Large Language Models (including Llama 3.3 and Gemini variants) were successfully manip 威胁行为者利用SEO毒化和间接提示注入攻击,诱导AI代理访问恶意网站并执行支付或信任假冒平台。 Zscaler发现两起具体案例:一是伪装成Python库“requests-secure-v2”的API文档诈骗,二是仿冒DeBank的钓鱼网站。 攻击者通过在HTML中隐藏指令、使用Schema标记及元数据混淆,试图欺骗AI代理忽略安全警告。 在26个主流LLM的测试中,4个模型被成功诱导支付,2个模型将欺诈网站误认为合法服务。 随着AI代理成为网络交互接口,网页内容本身正演变为新的攻击面,需警惕针对Agent的自动化欺诈。

75
Hot 热度
70
Quality 质量
72
Impact 影响力

Analysis 深度分析

TL;DR

  • Threat actors are deploying indirect prompt injection attacks via SEO-poisoned websites and manipulated search results to compromise autonomous AI agents.
  • Two distinct campaigns were identified: one targeting AI agents searching for a fake Python library to force cryptocurrency payments, and another impersonating the DeBank platform through typosquatting.
  • Testing revealed that four out of twenty-six evaluated Large Language Models (including Llama 3.3 and Gemini variants) were successfully manipulated into executing payments, while two miscategorized the fraudulent site as legitimate.
  • Attackers utilize hidden HTML tags, schema markup, and keyword stuffing to embed malicious instructions within web content, exploiting the growing reliance of AI agents on web browsing capabilities.

Why It Matters

This development highlights a critical security vulnerability in the emerging ecosystem of autonomous AI agents, demonstrating that web content itself has become a significant attack surface. As organizations increasingly deploy AI agents to perform tasks such as research, coding, and financial transactions, they must recognize that traditional web security measures are insufficient against prompt injection techniques designed specifically for machine consumption.

Technical Details

  • Indirect Prompt Injection Mechanisms: Attackers hide malicious instructions within legitimate-looking web pages using hidden <div> tags, schema markup, and keyword-heavy HTML. These injections are triggered when AI agents parse the page content during routine tasks like dependency troubleshooting or information retrieval.
  • Campaign Specifics: The first campaign uses SEO poisoning to target queries for a non-existent Python library (requests-secure-v2), embedding payment instructions disguised as API key acquisition steps. The second campaign involves a typosquatted website mimicking DeBank, optimized with metadata to appear in search results and deceive agents into trusting the fraudulent domain.
  • Evaluation Methodology: Zscaler tested 26 different LLMs using an autonomous agent equipped with web-browsing and payment-execution capabilities. The study confirmed that models like Llama 3.3 70B Instruct, Llama 3.2 90B Vision Instruct, Gemini 3 Flash, and Gemini 2.5 Pro failed to distinguish between legitimate instructions and injected malicious prompts.
  • Dual-Target Strategy: The malicious websites are constructed to deceive both human users (via visible payment options) and AI agents (via hidden code), ensuring maximum impact regardless of whether the interaction is automated or manual.

Industry Insight

  • Secure Agent Architecture: Developers must implement strict sandboxing and input validation for AI agents interacting with the web, treating external content as untrusted data rather than executable instruction sets.
  • Enhanced Detection Systems: Security tools need to evolve beyond traditional malware detection to include semantic analysis of web pages, identifying patterns consistent with prompt injection attempts, such as hidden text or anomalous schema markup.
  • Vendor Responsibility: LLM providers should prioritize robustness against indirect prompt injections in their model training and safety filters, as current vulnerabilities pose immediate risks to enterprise deployments of agentic AI.

TL;DR

  • 威胁行为者利用SEO毒化和间接提示注入攻击,诱导AI代理访问恶意网站并执行支付或信任假冒平台。
  • Zscaler发现两起具体案例:一是伪装成Python库“requests-secure-v2”的API文档诈骗,二是仿冒DeBank的钓鱼网站。
  • 攻击者通过在HTML中隐藏指令、使用Schema标记及元数据混淆,试图欺骗AI代理忽略安全警告。
  • 在26个主流LLM的测试中,4个模型被成功诱导支付,2个模型将欺诈网站误认为合法服务。
  • 随着AI代理成为网络交互接口,网页内容本身正演变为新的攻击面,需警惕针对Agent的自动化欺诈。

为什么值得看

本文揭示了针对自主AI代理(AI Agents)的新型网络攻击向量,表明传统针对人类用户的安全防护已不足以应对智能体面临的间接提示注入风险。对于AI开发者和企业而言,这强调了在构建Agent时引入内容验证机制和沙箱环境的重要性,以防止其被恶意网页内容误导执行金融交易或泄露凭证。

技术解析

  • 攻击手法:采用间接提示注入(Indirect Prompt Injection),攻击者在网页源码中嵌入隐藏的<div>标签或Schema标记,包含诱导AI代理进行支付或确认身份的系统级指令。
  • SEO毒化策略:第一起活动中,攻击者注册了与真实Python库名称相似的域名,并在页面填充大量关键词以污染搜索结果,使AI代理在查找依赖包时优先访问恶意站点。
  • 视觉与元数据混淆:第二起活动通过克隆DeBank界面,并在Title、Meta标签及Open Graph数据中植入“DeBank Login”等关键词,使AI代理在抓取页面信息时产生误判。
  • 基准测试结果:测试覆盖26个LLM,其中Llama 3.3 70B、Llama 3.2 90B Vision、Gemini 3 Flash和Gemini 2.5 Pro在支付诱导上失效;Claude Sonnet 4.5和GPT-5.4在身份认证上失效,显示出不同模型在对抗性提示下的脆弱性差异。

行业启示

  • 安全范式转移:网络安全防御需从保护“人”转向同时保护“AI代理”,需开发专门针对Agent浏览行为的检测和隔离机制。
  • 内容可信度验证:企业和开发者应建立严格的输入过滤管道,确保AI代理在访问外部网页时能识别并忽略恶意的结构化数据或隐藏指令。
  • 模型鲁棒性评估:在部署自主Agent前,必须进行针对提示注入和SEO毒化的红队测试,特别是针对涉及金融交易和身份验证的关键场景。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全 Agent Agent