Cybersecurity researchers have demonstrated a brand new immediate injection approach referred to as PromptFix that methods a generative synthetic intelligence (GenAI) mannequin into finishing up supposed actions by embedding the malicious instruction inside a pretend CAPTCHA verify on an internet web page.
Described by Guardio Labs an “AI-era tackle the ClickFix rip-off,” the assault approach demonstrates how AI-driven browsers, reminiscent of Perplexity’s Comet, that promise to automate mundane duties like looking for gadgets on-line or dealing with emails on behalf of customers will be deceived into interacting with phishing touchdown pages or fraudulent lookalike storefronts with out the human consumer’s information or intervention.
“With PromptFix, the strategy is totally different: We do not attempt to glitch the mannequin into obedience,” Guardio stated. “As an alternative, we mislead it utilizing methods borrowed from the human social engineering playbook – interesting on to its core design purpose: to assist its human rapidly, fully, and with out hesitation.”
This results in a brand new actuality that the corporate calls Scamlexity, a portmanteau of the phrases “rip-off” and “complexity,” the place agentic AI – techniques that may autonomously pursue objectives, make selections, and take actions with minimal human supervision – takes scams to an entire new stage.
With AI-powered coding assistants like Lovable confirmed to be vulnerable to methods like VibeScamming, an attacker can successfully trick the AI mannequin into handing over delicate data or finishing up purchases on lookalike web sites masquerading as Walmart.
All of this may be completed by issuing an instruction so simple as “Purchase me an Apple Watch” after the human lands on the bogus web site in query by way of one of many a number of strategies, like social media advertisements, spam messages, or search engine marketing (search engine optimisation) poisoning.
Scamlexity is “a posh new period of scams, the place AI comfort collides with a brand new, invisible rip-off floor and people grow to be the collateral harm,” Guardio stated.
The cybersecurity firm stated it ran the take a look at a number of instances on Comet, with the browser solely stopping often and asking the human consumer to finish the checkout course of manually. However in a number of situations, the browser went all in, including the product to the cart and auto-filling the consumer’s saved tackle and bank card particulars with out asking for his or her affirmation on a pretend purchasing website.
In an identical vein, it has been discovered that asking Comet to verify their electronic mail messages for any motion gadgets is sufficient to parse spam emails purporting to be from their financial institution, robotically click on on an embedded hyperlink within the message, and enter the login credentials on the phony login web page.
“The end result: an ideal belief chain gone rogue. By dealing with the whole interplay from electronic mail to web site, Comet successfully vouched for the phishing web page,” Guardio stated. “The human by no means noticed the suspicious sender tackle, by no means hovered over the hyperlink, and by no means had the possibility to query the area.”
That is not all. As immediate injections proceed to plague AI techniques in methods direct and oblique, AI Browsers can even should take care of hidden prompts hid inside an internet web page that is invisible to the human consumer, however will be parsed by the AI mannequin to set off unintended actions.
This so-called PromptFix assault is designed to persuade the AI mannequin to click on on invisible buttons in an internet web page to bypass CAPTCHA checks and obtain malicious payloads with none involvement on the a part of the human consumer, leading to a drive-by obtain assault.
“PromptFix works solely on Comet (which really capabilities as an AI Agent) and, for that matter, additionally on ChatGPT’s Agent Mode, the place we efficiently obtained it to click on the button or perform actions as instructed,” Guardio instructed The Hacker Information. “The distinction is that in ChatGPT’s case, the downloaded file lands inside its digital surroundings, indirectly in your laptop, since every thing nonetheless runs in a sandboxed setup.”
The findings present the necessity for AI techniques to transcend reactive defenses to anticipate, detect, and neutralize these assaults by constructing sturdy guardrails for phishing detection, URL repute checks, area spoofing, and malicious recordsdata.
The event additionally comes as adversaries are more and more leaning on GenAI platforms like web site builders and writing assistants to craft practical phishing content material, clone trusted manufacturers, and automate large-scale deployment utilizing providers like low-code website builders, per Palo Alto Networks Unit 42.
What’s extra, AI coding assistants can inadvertently expose proprietary code or delicate mental property, creating potential entry factors for focused assaults, the corporate added.
Enterprise safety agency Proofpoint stated it has noticed “quite a few campaigns leveraging Lovable providers to distribute multi-factor authentication (MFA) phishing kits like Tycoon, malware reminiscent of cryptocurrency pockets drainers or malware loaders, and phishing kits focusing on bank card and private data.”
The counterfeit web sites created utilizing Lovable result in CAPTCHA checks that, when solved, redirect to a Microsoft-branded credential phishing web page. Different web sites have been discovered to impersonate transport and logistics providers like UPS to dupe victims into getting into their private and monetary data, or cause them to pages that obtain distant entry trojans like zgRAT.
Lovable URLs have additionally been abused for funding scams and banking credential phishing, considerably reducing the barrier to entry for cybercrime. Lovable has since taken down the websites and applied AI-driven safety protections to stop the creation of malicious web sites.
Different campaigns have capitalized on misleading deepfaked content material distributed on YouTube and social media platforms to redirect customers to fraudulent funding websites. These AI buying and selling scams additionally depend on pretend blogs and evaluation websites, usually hosted on platforms like Medium, Blogger, and Pinterest, to create a false sense of legitimacy.
“GenAI enhances risk actors’ operations somewhat than changing current assault methodologies,” CrowdStrike stated in its Risk Searching Report for 2025. “Risk actors of all motivations and ability ranges will nearly definitely improve their use of GenAI instruments for social engineering within the near-to mid-term, significantly as these instruments grow to be extra obtainable, user-friendly, and complex.”
