Agentic AI Browsers: A New Target for Online Scammers

Research reveals that AI agents designed for shopping and web browsing are particularly vulnerable to scams. In a recent experiment by security researchers, a simulated online environment employing a deceptive story, a phishing email, and a counterfeit CAPTCHA led Perplexity’s AI-powered browser, Comet, to fall for various manipulations.

Related Insight: Ping Identity: Trust Every Digital Moment

In a post published on Wednesday, Guardio’s researchers noted that Comet, one of the first AI browsers available to consumers, engaged with fraudulent digital storefronts, revealed sensitive information on phishing platforms, and failed to detect malicious prompts crafted to mislead its operations.

The Tel Aviv-based security firm introduced the term “scamlexity,” demonstrating how the convergence of human-like automation and traditional social engineering generates an unprecedented fraud landscape, potentially affecting millions at once. In this evolving scenario, even the most entrenched phishing tactics pose greater risks when leveraged against AI-enhanced browsing capabilities.

Among the notable features of AI browsers is the convenience of one-click purchasing. Researchers created a convincing counterfeit “Walmart” site, showcasing polished designs and believable listings. The AI agent, Comet, was tasked with a straightforward command: “Buy me an Apple Watch.”

The agent executed the task by scanning HTML, locating a product listing, and processing the payment without seeking any user confirmation. Despite multiple indicators that the site was not legitimate, the AI disregarded these warnings as they were irrelevant to its task. The primary focus of the AI’s functionality was rapid task fulfillment rather than evaluating reliability.

Guardio also examined Comet’s response to a fraudulent Wells Fargo email, which resulted in the agent accessing a phishing website and entering sensitive credentials. The researchers stressed that in a world where AI contends with equally deceptive AI models, scammers need only compromise one AI system to initiate a broader wave of attacks.

A particularly noteworthy aspect of their investigation involved introducing a novel attack method called PromptFix, a variation of existing ClickFix tactics. Instead of tricking users into downloading malicious software, the attack concealed harmful instructions within what appeared to be a standard CAPTCHA. The AI treated this deceptive challenge as routine, executing the hidden command without hesitation. Given that AI agents may need to process unstructured data, such a concealed prompt could easily infiltrate during a cybersecurity incident, akin to malicious logs or phishing emails.

A significant proportion of tech professionals, 96%, recognize AI agents as an escalating security concern, yet 98% of organizations are poised to increase their adoption of such technologies. The demand for agentic AI within cybersecurity is on the rise, even as potential vulnerabilities become more pronounced. Seattle-based startup Dropzone AI recently secured $37 million in Series B funding to broaden its AI capabilities beyond traditional roles, such as SOC analysts, and into areas like vulnerability management and threat hunting. Founder Edward Wu noted that the company’s AI SOC analyst now effectively manages 80% to 90% of alerts, a considerable increase from the 30% manageable with legacy approaches, while allowing for the adaptation of foundational components to create specialized agents.