PromptFix: The AI Exploit That Tricks Your Browser into Phishing Scams
Experts at Guardio Labs have unveiled a novel method of deceiving artificial intelligence, dubbed PromptFix. This technique embeds malicious instructions within a counterfeit CAPTCHA on a webpage. When browsers equipped with autonomous AI capabilities — such as Perplexity Comet — encounter such elements, they unwittingly execute the attacker’s commands, for instance, visiting phishing sites or making purchases on fraudulent storefronts without the device owner’s knowledge.
Guardio has labeled this threat the advent of the “ClickFix era of AI”, emphasizing its departure from earlier approaches. Instead of attempting to “break” the model, researchers apply behavioral pressure akin to human social engineering, exploiting the AI’s fundamental directive to assist users quickly and thoroughly. This phenomenon has been christened Scamlexity — a fusion of “scam” and “complexity” — describing a new reality in which autonomous agents themselves become instruments of fraud.
Testing revealed that Comet, in certain scenarios, independently added items to shopping carts, auto-filled stored addresses and card details, and even completed purchases on fraudulent platforms. At times, it requested user confirmation, yet often proceeded entirely on its own. More troubling still, a seemingly harmless instruction such as “check email for tasks” could lead the AI to open spam messages purporting to be from banks, follow embedded links, and input credentials on counterfeit login pages, thereby validating the fraudulent site. In such cases, the user never even saw the suspicious sender or had the chance to detect the spoofed domain.
PromptFix also allows attackers to conceal instructions within invisible webpage elements. The browser, guided by these prompts, clicks “buttons,” bypasses CAPTCHA checks, and downloads malicious files, effectively executing a drive-by attack. Guardio noted that the technique succeeded not only with Comet but also with ChatGPT’s agent mode. In the latter case, files were deposited into a sandboxed environment, reducing — though not eliminating — the risk.
The researchers stress the urgent need for protective systems capable of anticipating such scenarios rather than merely reacting after the fact. These defenses must be multi-layered, incorporating URL reputation checks, phishing detection, counterfeit domain identification, and file analysis. This is particularly critical as cybercriminals are already exploiting generative tools to craft phishing content, impersonate brands, and mass-deploy fraudulent websites via low-code platforms.
Special attention was drawn to the AI service Lovable, which had previously proven vulnerable to the VibeScamming method. It was found distributing phishing kits, malware loaders, and cryptodrainers. In several instances, victims first landed on a CAPTCHA page before being redirected to sites with fake Microsoft or logistics branding, where they were tricked into divulging personal and financial information or downloading trojans such as zgRAT. Lovable’s URLs were also leveraged in fraudulent investment schemes, dramatically lowering the barrier to entry for attackers. The company has since removed the abusive sites and implemented protective mechanisms.
Parallel campaigns have also emerged featuring deepfakes on YouTube and social media to promote bogus investment platforms. Potential victims were lured into depositing $100–$250 to “activate accounts,” after which they were pressured to undergo identity verification and disclose payment details. Such schemes have been uncovered in India, Germany, France, the United Kingdom, Japan, Turkey, and beyond, while notably restricting access to users in the United States and Israel.
According to experts at Group-IB and CrowdStrike, generative AI significantly enhances the effectiveness of attackers by automating social engineering and amplifying the scale of campaigns. As these tools grow more accessible and user-friendly, the abuse will only escalate.