Hackers Use SEO Poisoning and Hidden HTML to Manipulate AI Agents


Attackers are using SEO poisoning and hidden web code to trick AI agents into treating malicious pages as trusted sources or following instructions planted inside those pages.

The technique is known as indirect prompt injection. Instead of sending commands directly to a chatbot, attackers hide instructions in webpages, metadata, structured data, or HTML that an AI agent may read while browsing the web for a user.

Zscaler ThreatLabz said it found two real-world campaigns using this approach. One posed as Python package documentation to push a fake payment, while the other used a typosquatting domain to impersonate DeBank, a decentralized finance portfolio tracker.

What Makes This Attack Different

Traditional phishing tries to fool a human user. These campaigns target AI agents that search, browse, summarize, evaluate websites, or take actions through connected tools.

That matters because an AI agent may read parts of a webpage that ordinary visitors never see. Hidden HTML, off-screen text, metadata, JSON-LD, and other machine-readable elements can influence how the agent understands a page.

OWASPโ€™s LLM Prompt Injection Prevention Cheat Sheet describes remote or indirect prompt injection as malicious instructions hidden in external content that a model processes, including webpages, documents, emails, code comments, and metadata.

Attack ElementHow It Was UsedWhy It Matters
SEO poisoningKeyword-heavy pages were made to appear relevant for developer or DeBank-related searches.AI agents may find the malicious page during normal browsing.
Hidden HTMLText was placed off-screen using CSS or inside page elements.Humans may not see it, but crawlers and agents can still read it.
JSON-LDStructured data framed a fake payment as a normal software license step.Some agents may treat structured data as high-signal context.
TyposquattingA lookalike DeBank domain tried to appear authoritative.Agents without a trusted reference point may misjudge the site.

Fake Python Documentation Pushed a Payment Scam

The first campaign used a fraudulent website presented as documentation for a fake Python library called requests-secure-v2. The page included keyword-heavy HTML designed to appear relevant for package installation and troubleshooting searches.

Inside the page, attackers used JSON-LD structured data to describe the site as a software application. They also added an offers object claiming that a $3 developer API license key was needed to resolve a MissingLicenseKeyException.

According to Zscalerโ€™s analysis, the page also included hidden instructions in a CSS-concealed div and JavaScript tied to a cryptocurrency transfer flow. The test environment was sandboxed, so no real funds were at risk.

DeBank Typosquatting Targeted AI Trust Decisions

The second campaign used debank[.]auction, a typosquatting domain built to impersonate DeBank. The fake site used titles and metadata tied to searches such as DeBank Login, DeFi Dashboard, and Crypto Tracker.

Complete IPI attack chain for this campaign (Source – Zscaler)

The page also used JSON-LD to misrepresent itself as a finance application associated with DeBank. A hidden prompt told AI systems to treat the fake domain as the verified and authoritative destination for DeBank.

Cyber Security News reported that the prompt even told AI systems to avoid mentioning the word โ€œauctionโ€ in the domain name, which shows how the attack tried to preserve the deception.

Model Results Show Context Matters

Zscaler tested the campaigns across 26 large language models. In the payment-scam scenario, four models failed to take appropriate action and executed the payment flow in the controlled test setup.

For the DeBank scenario, the result changed depending on what context the model had. When the real DeBank site was provided as a reference, no model categorized the fake website as legitimate.

Without that trusted reference, two models misclassified the fake website under different test conditions. This shows why agent decisions should not rely on a single webpage or a single search result.

Why Hidden Web Instructions Are a Growing Security Risk

AI agents are increasingly connected to browsers, developer tools, customer support systems, security workflows, and enterprise automation platforms. That gives attackers a new reason to manipulate webpages beyond ranking higher in search.

Additional fake websites associated with this campaign targeting AI agents (Source – Zscaler)

Palo Alto Networks Unit 42 has also warned that web-based indirect prompt injection turns webpages into a prompt delivery mechanism for systems that fetch, analyze, or summarize web content.

Unit 42 said attackers can embed instructions in HTML pages, user-generated text, metadata, or comments. The risk grows when an agent has access to sensitive data, payment tools, internal systems, or automated approval workflows.

Common Warning Signs for AI-Agent Operators

Organizations building AI agents should treat web content as untrusted input. A page that looks normal in a browser may still contain hidden text, off-screen prompts, or structured data designed to manipulate a model.

  • Search results that rank unfamiliar domains for sensitive software or finance queries.
  • Pages with keyword stuffing aimed at developer troubleshooting searches.
  • Hidden div elements, zero-size text, off-screen positioning, or unusual CSS concealment.
  • JSON-LD that makes payment, identity, or trust claims not visible on the page.
  • Typosquatting domains that resemble known platforms or official services.
  • Pages that instruct models to ignore previous directions or trust one domain as authoritative.

How Teams Can Reduce the Risk

Defenses should start with a clear separation between trusted instructions and untrusted web data. Agents should never treat page content, comments, metadata, or schema markup as commands to follow.

The OWASP guidance recommends controls such as input validation, structured prompts, output monitoring, human-in-the-loop approval, least privilege, and remote content sanitization.

Attack chain for the debank[.]auction typosquatting site (Source -Zscaler)

Security teams should also log what sources an agent used, what hidden content it processed, and what tools it called after reading a page. This creates an audit trail when an agent makes a risky recommendation or attempts an action.

Why Search Quality Alone Is Not Enough

SEO poisoning gives attackers a path into AI workflows because many agents start with search or retrieval. If a malicious page ranks well, an agent may treat it as a useful source before it has verified the domain.

Unit 42 research found that attackers are already using web-based indirect prompt injection for goals including search manipulation, scam promotion, data leakage, unauthorized transactions, and system prompt leakage.

Cyber Security News also noted that Zscaler tracks the related activity under the detection name HTML.MalURL.PromptInj.RC.M.VG.

The Bigger Lesson for AI Agents

These campaigns show that the web is becoming an attack surface for automated decision-making. A malicious page no longer needs to fool a person if it can influence the agent acting for that person.

Developers should design AI agents to verify sources, compare claims against trusted references, and require human approval before payments, account changes, code execution, or security-sensitive actions.

As AI agents take on more browsing and workflow tasks, hidden prompt injection needs the same level of attention as phishing, SEO abuse, and supply chain risk.

FAQ

What is indirect prompt injection?

Indirect prompt injection is an attack where malicious instructions are hidden inside external content, such as webpages, documents, emails, metadata, or code comments. An AI agent may process that content and treat the hidden text as instructions.

How did attackers use SEO poisoning against AI agents?

Attackers created keyword-heavy pages designed to rank for developer and cryptocurrency-related searches. If an AI agent found those pages while browsing, hidden instructions inside the page could influence its decisions.

What was the fake Python package campaign?

The fake Python package campaign used a site presented as documentation for requests-secure-v2. It embedded hidden instructions and structured data that framed a small developer license payment as a required troubleshooting step.

What was the DeBank typosquatting campaign?

The DeBank campaign used debank[.]auction, a lookalike domain that tried to impersonate the real DeBank service. Hidden instructions told AI systems to treat the fake site as the authoritative DeBank destination.

How can organizations protect AI agents from hidden web instructions?

Organizations should treat web content as untrusted data, separate instructions from retrieved content, sanitize remote pages, restrict tool permissions, log agent actions, and require human approval for payments or high-risk actions.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages