Hackers Use SEO Poisoning and Hidden HTML to Manipulate AI Agents
Attackers are using SEO poisoning and hidden web code to trick AI agents into treating malicious pages as trusted sources or following instructions planted inside those pages.
The technique is known as indirect prompt injection. Instead of sending commands directly to a chatbot, attackers hide instructions in webpages, metadata, structured data, or HTML that an AI agent may read while browsing the web for a user.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
Zscaler ThreatLabz said it found two real-world campaigns using this approach. One posed as Python package documentation to push a fake payment, while the other used a typosquatting domain to impersonate DeBank, a decentralized finance portfolio tracker.
What Makes This Attack Different
Traditional phishing tries to fool a human user. These campaigns target AI agents that search, browse, summarize, evaluate websites, or take actions through connected tools.
That matters because an AI agent may read parts of a webpage that ordinary visitors never see. Hidden HTML, off-screen text, metadata, JSON-LD, and other machine-readable elements can influence how the agent understands a page.
OWASPโs LLM Prompt Injection Prevention Cheat Sheet describes remote or indirect prompt injection as malicious instructions hidden in external content that a model processes, including webpages, documents, emails, code comments, and metadata.
| Attack Element | How It Was Used | Why It Matters |
|---|---|---|
| SEO poisoning | Keyword-heavy pages were made to appear relevant for developer or DeBank-related searches. | AI agents may find the malicious page during normal browsing. |
| Hidden HTML | Text was placed off-screen using CSS or inside page elements. | Humans may not see it, but crawlers and agents can still read it. |
| JSON-LD | Structured data framed a fake payment as a normal software license step. | Some agents may treat structured data as high-signal context. |
| Typosquatting | A lookalike DeBank domain tried to appear authoritative. | Agents without a trusted reference point may misjudge the site. |
Fake Python Documentation Pushed a Payment Scam
The first campaign used a fraudulent website presented as documentation for a fake Python library called requests-secure-v2. The page included keyword-heavy HTML designed to appear relevant for package installation and troubleshooting searches.
Inside the page, attackers used JSON-LD structured data to describe the site as a software application. They also added an offers object claiming that a $3 developer API license key was needed to resolve a MissingLicenseKeyException.
According to Zscalerโs analysis, the page also included hidden instructions in a CSS-concealed div and JavaScript tied to a cryptocurrency transfer flow. The test environment was sandboxed, so no real funds were at risk.
DeBank Typosquatting Targeted AI Trust Decisions
The second campaign used debank[.]auction, a typosquatting domain built to impersonate DeBank. The fake site used titles and metadata tied to searches such as DeBank Login, DeFi Dashboard, and Crypto Tracker.

The page also used JSON-LD to misrepresent itself as a finance application associated with DeBank. A hidden prompt told AI systems to treat the fake domain as the verified and authoritative destination for DeBank.
Cyber Security News reported that the prompt even told AI systems to avoid mentioning the word โauctionโ in the domain name, which shows how the attack tried to preserve the deception.
Model Results Show Context Matters
Zscaler tested the campaigns across 26 large language models. In the payment-scam scenario, four models failed to take appropriate action and executed the payment flow in the controlled test setup.
For the DeBank scenario, the result changed depending on what context the model had. When the real DeBank site was provided as a reference, no model categorized the fake website as legitimate.
Without that trusted reference, two models misclassified the fake website under different test conditions. This shows why agent decisions should not rely on a single webpage or a single search result.
Why Hidden Web Instructions Are a Growing Security Risk
AI agents are increasingly connected to browsers, developer tools, customer support systems, security workflows, and enterprise automation platforms. That gives attackers a new reason to manipulate webpages beyond ranking higher in search.

Palo Alto Networks Unit 42 has also warned that web-based indirect prompt injection turns webpages into a prompt delivery mechanism for systems that fetch, analyze, or summarize web content.
Unit 42 said attackers can embed instructions in HTML pages, user-generated text, metadata, or comments. The risk grows when an agent has access to sensitive data, payment tools, internal systems, or automated approval workflows.
Common Warning Signs for AI-Agent Operators
Organizations building AI agents should treat web content as untrusted input. A page that looks normal in a browser may still contain hidden text, off-screen prompts, or structured data designed to manipulate a model.
- Search results that rank unfamiliar domains for sensitive software or finance queries.
- Pages with keyword stuffing aimed at developer troubleshooting searches.
- Hidden div elements, zero-size text, off-screen positioning, or unusual CSS concealment.
- JSON-LD that makes payment, identity, or trust claims not visible on the page.
- Typosquatting domains that resemble known platforms or official services.
- Pages that instruct models to ignore previous directions or trust one domain as authoritative.
How Teams Can Reduce the Risk
Defenses should start with a clear separation between trusted instructions and untrusted web data. Agents should never treat page content, comments, metadata, or schema markup as commands to follow.
The OWASP guidance recommends controls such as input validation, structured prompts, output monitoring, human-in-the-loop approval, least privilege, and remote content sanitization.

Security teams should also log what sources an agent used, what hidden content it processed, and what tools it called after reading a page. This creates an audit trail when an agent makes a risky recommendation or attempts an action.
Why Search Quality Alone Is Not Enough
SEO poisoning gives attackers a path into AI workflows because many agents start with search or retrieval. If a malicious page ranks well, an agent may treat it as a useful source before it has verified the domain.
Unit 42 research found that attackers are already using web-based indirect prompt injection for goals including search manipulation, scam promotion, data leakage, unauthorized transactions, and system prompt leakage.
Cyber Security News also noted that Zscaler tracks the related activity under the detection name HTML.MalURL.PromptInj.RC.M.VG.
The Bigger Lesson for AI Agents
These campaigns show that the web is becoming an attack surface for automated decision-making. A malicious page no longer needs to fool a person if it can influence the agent acting for that person.
Developers should design AI agents to verify sources, compare claims against trusted references, and require human approval before payments, account changes, code execution, or security-sensitive actions.
As AI agents take on more browsing and workflow tasks, hidden prompt injection needs the same level of attention as phishing, SEO abuse, and supply chain risk.
FAQ
Indirect prompt injection is an attack where malicious instructions are hidden inside external content, such as webpages, documents, emails, metadata, or code comments. An AI agent may process that content and treat the hidden text as instructions.
Attackers created keyword-heavy pages designed to rank for developer and cryptocurrency-related searches. If an AI agent found those pages while browsing, hidden instructions inside the page could influence its decisions.
The fake Python package campaign used a site presented as documentation for requests-secure-v2. It embedded hidden instructions and structured data that framed a small developer license payment as a required troubleshooting step.
The DeBank campaign used debank[.]auction, a lookalike domain that tried to impersonate the real DeBank service. Hidden instructions told AI systems to treat the fake site as the authoritative DeBank destination.
Organizations should treat web content as untrusted data, separate instructions from retrieved content, sanitize remote pages, restrict tool permissions, log agent actions, and require human approval for payments or high-risk actions.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages