Agent browsers, which use AI to autonomously act on websites on behalf of the user, are vulnerable to manipulation that forces them to fall into phishing traps. The essence of the attack is to use the reasoning ability of AI browsers. Attackers direct this logic against the model itself, forcing it to lower the level of protective barriers.
Agent browsers, which use AI to autonomously act on websites on behalf of the user, are vulnerable to manipulation that forces them to fall into phishing traps. The essence of the attack is to use the reasoning ability of AI browsers. Attackers direct this logic against the model itself, forcing it to lower the level of protective barriers.
“Now AI works in real time, inside chaotic and dynamic pages, constantly requesting information, making decisions, and commenting on its every action. However, the word “comments” is too mild here — it chatters, and much more than necessary! We call this “agent chatter”: the AI browser blurts out everything: what it sees, what it thinks is happening, what its plans are for the next step, and which signals it considers suspicious and which are safe,” Shaked Chen, a cybersecurity researcher at Guardio, which conducted the study, told The Hacker News.
By intercepting data exchange between the browser and cloud AI services, and then using this data to train a generative adversarial network (GAN), Guardio specialists were able to trick the Perplexity Comet AI browser into falling into a phishing trap in less than four minutes.
This research builds on previous methods such as VibeScamming and Scamlexity, which found that vibecoding platforms and AI browsers can be tricked into creating fraudulent pages or performing malicious actions through covert query injections.
In other words, when an AI agent performs tasks without constant human supervision, the attack vector shifts: fraud no longer needs to deceive the user. Instead, it aims to deceive the AI model itself.
“If you can observe what the agent flags as suspicious, what it hesitates about, and most importantly, what it thinks and blurts out about the page, you can use that as a learning signal,” Chen explains. “The deception evolves until the AI browser is guaranteed to fall into the trap that another AI has prepared for it.”
The idea is to create a “scamming machine” that iteratively optimizes and generates a phishing page until the agent browser stops resisting and follows the attacker’s instructions — for example, entering the victim’s credentials on a fake page created to steal funds under the guise of a refund.
The uniqueness and danger of this attack lies in the fact that once the fraudster iteratively optimizes a web page to the point where it successfully bypasses the protection of a particular AI browser, it starts working against all users who rely on the same agent. In other words, the attack vector has shifted from the human user directly to the AI browser.
“This opens up a not-so-glaring future: Fraud schemes will no longer simply be launched and adapted while working with users — they will be trained offline, on exact copies of models used by millions, until they work flawlessly on the first try,” Guardio notes. “Because when your AI browser explains why it stopped, it is actually teaching attackers how to bypass this protection.”
