{"id":2451,"date":"2025-08-24T00:51:36","date_gmt":"2025-08-24T00:51:36","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2025\/08\/24\/promptfix-attacks-could-supercharge-agentic-ai-threats\/"},"modified":"2025-08-24T00:51:36","modified_gmt":"2025-08-24T00:51:36","slug":"promptfix-attacks-could-supercharge-agentic-ai-threats","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/08\/24\/promptfix-attacks-could-supercharge-agentic-ai-threats\/","title":{"rendered":"\u201cPromptFix\u201d Attacks Could Supercharge Agentic AI Threats"},"content":{"rendered":"<div>\n<p><img decoding=\"async\" src=\"http:\/\/ft365.org\/wp-content\/uploads\/2025\/06\/localimages\/ea721ff9-8ba4-4d88-b386-57e9e1606077.jpg?width=64&#038;height=64&#038;mode=crop&#038;scale=both&#038;format=webp\" alt=\"Photo of Phil Muncaster\" loading=\"lazy\"><\/p>\n<\/div>\n<div id=\"cphContent_pnlArticleBody\">\n<div id=\"layout-1d8f24ea-5325-4bdd-8386-2c054a514a77\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>Researchers have engineered a new version of the ClickFix social engineering technique using prompt injection to trick agentic AI into performing a range of malicious actions.<\/p>\n<p>Guardio dubbed this \u201cPromptFix\u201d \u2013 a variation on the ClickFix attacks that use\u00a0a fake error or verification message to manipulate victims into copying and pasting a malicious script and then running it.<\/p>\n<p>It uses prompt injection techniques to present attacker instructions to the AI agent inside an invisible text box.<\/p>\n<p>\u201cWhy would the AI treat these as commands? In prompt injections, the attacker relies on the model\u2019s inability to fully distinguish between instructions and regular content within the same prompt, hoping to slip malicious commands past sanitation checks,\u201d Guardio explained.<\/p>\n<p>\u201cWith\u00a0PromptFix, the approach is different. We don\u2019t try to glitch the model into obedience. 
Instead, we mislead it using techniques borrowed from the human social engineering playbook \u2013 appealing directly to its core design goal: to help its human quickly, completely, and without hesitation.\u201d<\/p>\n<p><em>Read more on ClickFix: ClickFix Attacks Surge 517% in 2025<\/em><\/p>\n<p>In a test scenario, the research team posed as a scammer who sends a fake message to a victim from their \u2018doctor,\u2019 with a link to \u2018recent blood test results.\u2019 The AI browses to the link, encounters a CAPTCHA and uncovers the hidden prompt injection instructions, which manipulate it into causing a drive-by download attack.<\/p>\n<p>\u201cThe injected narrative tells the AI Agent this is a special \u2018AI-friendly\u2019 captcha it can solve on behalf of its human. All it needs to do is click the button. And so, it clicks,\u201d Guardio explained.<\/p>\n<p>\u201cIn our controlled demo, the button downloaded a harmless file. Still, it could just as easily have been a malicious payload, triggering a classic\u00a0drive-by download\u00a0and planting malware on the human\u2019s machine without their knowledge.\u201d<\/p>\n<p>The security vendor warned that similar techniques could be used to send emails containing personal details, grant file-sharing permissions to cloud storage accounts\u00a0or execute other potentially malicious actions.<\/p>\n<p>\u201cIn effect, the attacker is now in control of your AI, and by extension, of you,\u201d it said.<\/p>\n<h2>Agentic AI Is Too Easily Tricked<\/h2>\n<p>Guardio also tried other scenarios using Perplexity\u2019s AI-powered browser Comet, to see if it could trick the AI agent into performing malicious tasks.<\/p>\n<p>Unfortunately, the research team was successful in getting it to buy an item from a scam e-commerce site they set up\u00a0and click on a link to a genuine phishing site in an email they sent.<\/p>\n<p>These attacks exploit AI\u2019s tendency to act without full context, trust too easily\u00a0and follow 
instructions without applying human skepticism, Guardio said.<\/p>\n<p>\u201cThe scam no longer needs to trick you. It only needs to trick your AI. When that happens, you\u2019re still the one who pays the price,\u201d it added.<\/p>\n<p>\u201cThis is Scamlexity: a complex new era of scams, where AI convenience collides with a new, invisible scam surface and humans become the collateral damage.\u201d<\/p>\n<p>Lionel Litty, chief security architect at Menlo Security, agreed that AI agents are both gullible and servile.<\/p>\n<p>\u201cIn an adversarial setting, where an AI agent may be exposed to untrusted input, this is an explosive combination,\u201d he added.<\/p>\n<p>\u201cUnfortunately, the web in 2025 is very much an adversarial setting.\u201d<\/p>\n<\/p><\/div>\n<p>Image\u00a0credit: gguy \/ Shutterstock.com<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Researchers have engineered a new version of the ClickFix social engineering technique using prompt injection to trick agentic AI into performing a range of malicious actions. 
Guardio dubbed this \u201cPromptFix\u201d \u2013 a variation on the ClickFix attacks that use\u00a0a fake error or verification message to manipulate victims into copying and pasting a malicious script and<\/p>\n","protected":false},"author":2,"featured_media":2452,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2451","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2451-4e3279f2-933a-4ae1-8a4f-2ebced1892d2.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2451-4e3279f2-933a-4ae1-8a4f-2ebced1892d2-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2451-4e3279f2-933a-4ae1-8a4f-2ebced1892d2.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2451-4e3279f2-933a-4ae1-8a4f-2ebced1892d2.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2451-4e3279f2-933a-4ae1-8a4f-2ebced1892d2.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2451-4e3279f2-933a-4ae1-8a4f-2ebced1892d2.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2451-4e3279f2-933a-4ae1-8a4f-2ebced1892d2.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2451-4e3279f2-933a-4ae1-8a4f-2ebced1892d2.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2451-4e3279f2-933a-4ae1-8a4f-2ebced1892d2.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2451-4e3279f2-933a-4ae1-8a4f-2ebced1892d2.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2451-4e3279f2-933a-4ae1-8a4f-2ebced1892d2-146x146.jpg",146,146
,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2451","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=2451"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2451\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/2452"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=2451"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=2451"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=2451"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}