Search This Blog

Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Showing posts with label AI Phishing Attacks. Show all posts

OpenClaw Security Flaws Expose AI Agents to Hidden Commands and Data Theft Risks

 

Two independent cybersecurity studies published this week have uncovered serious security weaknesses in OpenClaw, a widely used self-hosted AI agent platform. The findings demonstrate how attackers can manipulate AI agents into executing malicious code or leaking sensitive information through seemingly harmless inputs.

Researchers from Imperva and Varonis approached the issue from different angles but reached a similar conclusion: AI agents that trust incoming data and possess broad system access can become powerful attack vectors when exploited.

Hidden Instructions Embedded in Everyday Content

Imperva researchers discovered that OpenClaw could be tricked into processing concealed instructions embedded within shared contacts, vCards, and location pins. These malicious commands were executed by the AI agent without any visible indication to the user.

The issue stemmed from how OpenClaw handled certain message objects before passing them to the large language model (LLM). While content fetched from the web was clearly marked as untrusted, information contained within contacts, vCards, and location labels was inserted directly into prompts without any trust boundary.

According to Imperva researcher Yohann Sillam, this allowed attackers to hide instructions inside fields such as contact names. Since angle brackets are permitted in contact names, the model could not reliably distinguish legitimate information from injected commands.

Only selected fields were transmitted to the model, making them attractive targets. In one example, a shared contact was serialized as <contact: name, number>, allowing attackers to insert malicious instructions within the name field itself. Because messaging apps truncate long contact names, victims often never saw the hidden payload.

The same attack method was also successful through WhatsApp-supported vCards and shared location labels.

During testing against Gemini 3.1 Pro's preview build, hidden instructions successfully convinced the AI agent to download and execute a script hosted on servers controlled by the researchers. Similar attempts using images with embedded instructions failed, likely because AI models have become more resistant to that well-known attack technique.

Imperva warned that OpenClaw's default memory functionality could amplify the threat. A single malicious piece of widely shared content could potentially affect multiple agents if adequate sandboxing protections were absent.

Following responsible disclosure, OpenClaw addressed the issue in version 2026.4.23. The update separates contact names, vCard information, and location labels from the main prompt and places them in an isolated untrusted metadata channel.

Researchers also noted that similar design patterns exist in several other personal AI assistant platforms, suggesting the issue extends beyond OpenClaw alone.

Social Engineering Defeats Technical Safeguards

While Imperva focused on prompt injection, Varonis Threat Labs explored how AI agents respond to social engineering attacks.

Led by researcher Itay Yashar, the Varonis team created an OpenClaw-based agent called Pinchy and connected it to a Gmail inbox filled with realistic business communications and synthetic sensitive information. The researchers then tested the agent using four different phishing scenarios involving Google Gemini 3.1 Pro and OpenAI Codex GPT-5.4.

Varonis distinguishes traditional prompt injection from what it calls "agent phishing." Unlike hidden instructions embedded in content, agent phishing relies on convincing requests delivered through normal communication channels, exploiting the agent's willingness to act before verifying legitimacy.

The tests revealed significant weaknesses.

In one scenario, an email impersonating a team leader named Dan requested urgent staging access during a simulated production emergency. The message originated from an external Gmail account, yet the agent located and forwarded mock AWS IAM access keys, database connection credentials, and SSH details in plain text.

A second phishing attempt used a more routine business request, asking for a weekly customer export supposedly needed for a QBR presentation. The agent responded by sending a synthetic database containing information on 247 enterprise customers, including contact details and contract values.

Notably, these failures occurred despite the agent being configured with instructions to verify sender identities before responding. Researchers observed that urgency successfully bypassed safeguards in one case, while routine business language defeated them in another.

The agent demonstrated stronger performance against technically oriented threats. It interacted with a phishing page designed to steal gift-card credentials but ultimately withheld sensitive information and flagged suspicious behavior. A stricter configuration blocked the page entirely.

Similarly, when presented with a malicious OAuth consent screen disguised as a timesheet application, the agent examined the redirect destination, recognized warning signs, and refused access.

Researchers concluded that AI agents may outperform many users when identifying suspicious URLs and fraudulent login portals. However, they remain vulnerable to social manipulation that exploits helpfulness and trust.

Varonis also observed that OpenAI Codex GPT-5.4 behaved more cautiously than Gemini 3.1 Pro when interacting with external websites or transmitting data. Nevertheless, both models ultimately fell victim to the social-engineering scenarios.

One Core Problem Behind Multiple Attacks

Varonis linked both attack methods to what researcher Simon Willison describes as the "lethal trifecta": an AI system capable of accessing private data, consuming untrusted content, and transmitting information externally.

OpenClaw satisfies all three conditions, making both hidden prompt injections and phishing-based attacks highly effective.

Additional concerns emerged from a separate InfoSec Write-ups analysis. Researchers converted historical OpenClaw security advisories into static-analysis rules and uncovered five additional vulnerabilities affecting integrations with Slack, Discord, Matrix, Zalo, and Microsoft Teams.

Each flaw originated from the same design issue. Channel allowlists were validated using mutable display names rather than permanent identifiers. Attackers could therefore impersonate trusted users simply by changing their display names to match approved accounts.

OpenClaw has since patched these vulnerabilities.

The platform's extensive permissions—including access to files, shell environments, and more than twenty messaging services—have previously prompted warnings regarding prompt injection and data exfiltration risks.

The strongest criticism came from the Dutch data protection authority, the Autoriteit Persoonsgegevens, which advised users and organizations against deploying OpenClaw on systems containing sensitive information due to concerns over data breaches and account compromise.

Recommended Defenses

Organizations using OpenClaw are advised to upgrade immediately to version 2026.4.23 or newer to mitigate the message-object vulnerability identified by Imperva.

However, researchers stress that software updates alone cannot solve the broader trust problem inherent in autonomous AI systems.

Varonis recommends four key safeguards:

  • Treat agent instruction files as strict, version-controlled policies rather than informal guidance.

  • Require approval before agents send messages to unfamiliar recipients, reducing the risk of automated phishing or data leakage.

  • Restrict access to connected systems based on the trustworthiness of the triggering source.

  • Require human review for high-risk actions such as credential sharing, financial transactions, or sensitive data transfers.

Both research teams ultimately advocate the same mindset. Varonis recommends treating AI agents as inexperienced employees with extensive system access but limited judgment, while Imperva describes them as authenticated executors that inherently trust incoming information.

Although vendors continue to introduce patches and protective controls, the fundamental challenge remains unresolved. AI agents derive their usefulness from acting on instructions, processing inputs, and helping users accomplish tasks. Those same characteristics also create opportunities for attackers, and the industry has yet to develop a universal solution.

Signal Users Targeted in Sophisticated Phishing Campaigns Aimed at Stealing Chat Backups

 

Recently uncovered cyber threats now focus on people relying on Signal’s encrypted messaging service. Fake notifications, appearing legitimate at first glance, lead recipients to counterfeit pages through deceptive URLs. These attempts aim straight at stored conversation archives linked to user accounts. 

Cyber experts highlight how realistic these fake prompts look, mimicking official alerts almost perfectly. One wrong move could expose personal message history without the owner realizing immediately. Deception unfolds quietly - often beginning with an urgent-looking notice arriving unexpectedly. Trusting such messages opens the door to hidden data theft beneath a surface of authenticity. 

Now showing up more often, the trend reflects how cyberattacks are changing direction. Instead of cracking tough encryption on private chat apps, criminals lean toward tricks that target people's habits. Starting with fake messages that look familiar, these schemes build pressure through time-sensitive demands. Victims then give away passwords or backup codes - without realizing it was never the real service asking. 

Experts say the scam focuses on accounts tied to backups. Messages showing up look real, yet they steer people toward counterfeit sites aiming to grab passwords, restore keys, or similar details. Success means hackers could enter stored backup files online, possibly viewing personal chats once thought secure. Though Signal encrypts messages fully while they move between devices, specialists emphasize that such protection fails when people accidentally hand over private login data. When saved access codes get stolen, chat histories risk exposure even with strong built-in shields. 

Despite robust design, a weak link often lies not in code but human action. Warnings emerge from security experts about rising complexity in phishing efforts. These days, fake emails frequently include convincing logos, web pages built to mimic real ones, along with wording nearly identical to legitimate notices. Personalized versions of such scams now exist, tailored to single users - harder to spot when compared to broad, generic blasts sent without targeting. Caution pays off when messages pop up out of nowhere asking you to confirm your account, bring back old data, or open a web address. 

Before typing in passwords, take a moment - look closely at where you are online; mimicry sites can look real but aren’t. Never hand over access keys or sign-in details, even if someone sounds trustworthy. When extra safeguards exist inside apps like Signal, turning them on simply makes sense. One more time, an attack shows human behavior often matters more than digital safeguards. When hackers trick someone into sharing private data, even strong software fails. 

Because scams grow smarter, staying alert helps block many breaches. Questioning unusual messages first can stop problems later. People stay safer by pausing before reacting to urgent demands.

eth.limo DNS Hijack Thwarted By DNSSEC After Social Engineering Attack On EasyDNS

 

Unexpectedly, the ENS gateway known as eth.limo revealed a DNS hijack stemming from a social engineering scheme aimed at EasyDNS, its domain provider. Though settings shifted temporarily under unauthorized access, safeguards held firm throughout. Protection layers blocked harm, keeping user activity untouched during the episode. Compromise occurred at the registrar level - yet defenses prevented escalation beyond domain redirection. Hours after the incident started, a person pretending to be part of the eth.limo group tricked EasyDNS support into starting an account reset. 

Because of that mistaken trust, the intruder gained entry and altered where the domain pointed, shifting it first through servers at Cloudflare, then moving again toward Namecheap systems. Right away, automatic warnings went off once those shifts happened, which gave the real eth.limo members time to react fast. Their quick actions reversed the breach soon afterward. A single point of failure in eth.limo allowed it to act like a bridge, routing requests from regular browsers to data hosted on networks such as IPFS, Arweave, and Swarm. Because its DNS setup uses wildcards, countless .eth addresses rely on the same infrastructure - making them vulnerable when one part fails. 

Traffic meant for legitimate decentralized sites might instead flow toward harmful servers under attacker control. Notable resources, even those tied to figures like Vitalik Buterin, faced potential exposure should deception tactics have taken hold. Stopping the damage came down to DNS Security Extensions - called DNSSEC by many. Not through speed, but through verification: it checks DNS replies with digital signatures. Without access to the correct private keys, the hacker's fake entries could not pass these tests. Because validation failed, devices refused the corrupted data, showing failures rather than loading harmful pages. 

Though eth.limo and EasyDNS saw interference, they noted minimal reach due to this layer. To date, no individuals have faced consequences from the attempt. Surprisingly, EasyDNS spoke out after the event, calling it their initial customer-targeted social engineering success in almost thirty years. Following this, improvements to internal procedures are underway. Instead of old methods, eth.limo will shift to a tighter system - one without recovery pathways. That change aims to block repeat incidents. 

Over time, weaker entry points may fade. Security evolves differently now. Most recent cases show similar patterns across decentralized services. Though blockchains themselves stay distributed and protected, the websites people actually visit run on standard domain setups. These entry points open doors hackers are now using more frequently. Instead of breaking encryption, they shift traffic by manipulating DNS records. Users get sent elsewhere without noticing - sometimes losing assets quickly. Security layers matter more than ever, shown clearly by what happened with eth.limo. 

Even when human manipulation tricks succeed, safeguards such as DNSSEC often stop further damage. Because digital dangers keep changing shape, companies - especially in cryptocurrency - now pay closer attention to protecting not just blockchain networks but also the traditional services people rely on to reach them.

Generative AI Expanding Capabilities of Fraud and Social Engineering Attacks


 

In the past, the quiet integration of generative artificial intelligence into financial systems has been framed as a story of optimizing and scaling. However, in the digital banking industry, generative AI is now being rewritten in terms that are much more urgent. 

It is influencing not only the dynamics of fraud, but the way institutions operate as well, forcing them to rethink how they protect themselves as well. Those technologies that once promised frictionless customer experiences as well as operational precision are now being repurposed by malicious actors with unsettling efficiency, allowing deception to take place with unprecedented realism and speed that traditional safeguards are unprepared to handle.

Due to this, fraud is no longer merely an external threat that must be dealt with; it is now an adaptive, intelligence-driven force embedded within the digital ecosystem that requires banks to continuously reevaluate their security posture while maintaining the fragile trust that underpins modern financial transactions. This shift has been accelerated by the rapid maturation of generative artificial intelligence capabilities, which was initially underestimated by even the most experienced security practitioners.

A number of tools, including large language models, were capable of generating passable but largely generic phishing content in the early stages of widespread adoption. However, they were unable to provide contextual precision or psychological nuance required for high impact attacks. Despite long being regarded as a domain characterized by human intuition, reconnaissance, and carefully constructed deception, full automation appears to have remained problematic. Nevertheless, technological advances have sharply increased in recent years.

Modern models have evolved beyond static datasets and now include real-time retrieval of information, while AI agents are becoming increasingly sophisticated and capable of orchestrating a wide variety of workflows, from data aggregation to targeted messages. In light of these developments, the threat landscape has materially changed. 

 A highly personalised attack narrative, previously requiring deliberate human effort to construct, can be built rapidly and scaleably using publicly available digital footprints and behavioral cues. The concept of fully automated, precision-driven social engineering is no longer theoretical in this context.

Instead of representing an emerging operational reality, it represents an emerging operational reality that requires threat actors only to initiate the process, leaving adaptive AI systems to refine and execute campaigns with a level of consistency and reach that significantly increases the frequency and effectiveness of fraud attempts. 

Modern artificial intelligence systems have advanced the analytical and generative capabilities of social engineering, enabling a significant proportion of successful intrusions to be carried out with this tactic. These models are capable of building highly contextualised engagement vectors which reflect the authentic communication patterns of corporations, social media platforms, and professional networks by systematically harvesting and correlating publicly accessible data across corporate websites, social media platforms, and professional networks. 

Consequently, phishing and business email compromise attempts are now more sophisticated than they were before, as they replicate internal correspondence, vendor interactions, and executive directives with a degree of authenticity that challenges conventional scrutiny in both linguistics and situationality. 

By allowing adversaries to seamlessly operate across geographically dispersed organizations, multilingual generation further extends the reach of such campaigns. Moreover, there has been an increase in synthetic media techniques, including voice cloning and artificial intelligence-generated audio, that are increasingly being deployed in real-time impersonation attacks, especially in cases where trust is high, such as financial authorizations and executive communications. 

A new approach to governance frameworks is necessary for enterprises operating in distributed and digitally dependent environments, with a greater emphasis on verification protocols, communication authentication, and continuous monitoring. Parallel to this, it is becoming increasingly difficult for malicious software developers to enter the market. 

In spite of sophisticated threat actors continuing to engineer advanced malware using traditional methods, generative AI provides less experienced adversaries with the ability to interact with the threat landscape. AI-assisted tooling identifies exploitable weaknesses in open-source codebases, generates functional scripts tailored to those vulnerabilities, and iteratively modifies existing payloads to evade signature-based detection. 

While such outputs may not always match the complexity of state-sponsored tooling, they are more effective due to their scalability and speed. Attackers can rapidly test multiple variants against defensive systems and refine their approaches quickly and effectively without the need for extensive technical knowledge. 

The increased iteration cycle contributes to a more volatile threat environment, as it results in a greater variety of attack techniques that are capable of adapting quickly to defensive countermeasures due to the increased diversity of attack techniques. This shift reveals the limitations of traditional security architectures relying primarily on perimeter-based control mechanisms and static prevention systems. 

While firewalls, antivirus solutions, and access controls remain fundamental, they are no longer sufficient to combat automated adversaries that are more adaptive and adaptive. Despite the fact that AI-driven attacks are capable of bypassing rule-based systems, the sheer volume and speed of attempts increase the probability of compromise statistically. 

Organizations are therefore being forced to make detection and response capabilities a core component of their security posture, thus prioritizing them as core components. These include continuous monitoring of endpoints and networks, the use of behavioral analytics to identify deviations from established patterns, and the establishment of workflows for rapid investigation and response to incidents. These measures are essential not only for early threat identification, but also to limit the operational and financial impact of breaches. This development also has a significant economic impact. 

A major factor contributing to scam-related losses is artificial intelligence, which acts as a force multiplier, accelerating the scale and success rate of fraud. Global scam losses are estimated to exceed hundreds of billions annually. AI-enabled scams have increasingly reached execution and completion within a compressed timeframe, often within hours of initial contact, which has reduced the window for detection and intervention. 

Looking forward, the implications go well beyond incremental risk. Incorporating artificial intelligence into cybercriminal operations represents a substantial change in how fraud is conceived, executed, and scaled. With the rapid advancement of attack methodologies, increasing cost-efficiency, and increased autonomy, defensive strategies are unable to keep pace.

In an environment where tactics are evolving in real time, organizations must not only identify isolated threats, but also continually adapt in order to remain competitive. It is becoming increasingly clear that financial institutions are repositioning generative AI as a foundational layer within modern fraud detection architectures as a defensive response to the rapidly changing threat landscape. 

The most significant application of this technology lies in real-time behavioural intelligence, where models are continuously analyzing signals, including typing cadence, navigation patterns, device characteristics, and transactional timing, to establish dynamic baselines for legitimate user activity in real-time. These behavioural signatures can be instantly identified if they depart from them, thus allowing institutions to take action immediately during critical moments, such as digital onboarding or high risk transactions. 

By using such systems in practice, fraud operations have been improved by reducing false positives and improving detection precision, addressing one of the long-standing inefficiencies. When viewed in light of synthetic identity fraud, which has emerged as a persistent and financially material risk across digital channels, this capability becomes particularly relevant. 

Synthetic fraud differs from traditional identity theft by using fabricated and legitimate data to create identities that can be evaded using conventional verification methods. By modeling the lifecycle and behavioral consistency of authentic identities over time,generative AI introduces a more nuanced approach to identifying anomalies that are statistically subtle yet operationally meaningful as they occur. 

Using a near-authentic detection threshold represents a significant departure from rule-based systems, which are often incapable of identifying fraud based on predefined patterns. As a result, transaction monitoring traditionally burdened by excessive alert volumes and limited contextual clarity is undergoing a structural transformation. As a result of these capabilities, cognitive systems are now able to correlate disparate signals into coherent analytical narratives, effectively grouping isolated alerts into fraud scenarios, and prioritizing them based on their inferred impact and risk. 

By shifting from static thresholding to context-aware analysis, detection rates are enhanced as well as the amount of manual work on investigation teams is significantly reduced. Providing institutions with the ability to interpret and explain risk in a structured manner has proven to be critical in environments where speed and accuracy are equally important.

In addition to detection, generative AI is also used to create proactive resilience through large-scale fraud simulations. A stress-testing process involving the generation of synthetic datasets and modelling complex attack scenarios, such as deepfake-enabled payment fraud and coordinated mule account networks, is possible under conditions that closely approximate real-world threats by organizations. 

With the help of simulation environments, security teams are able to identify and refine systemic weaknesses before adversaries exploit them in production systems, thereby shifting from a reactive to an anticipatory defensive posture. Despite this accelerated adoption, the overall fraud landscape continues to deteriorate, underscoring the magnitude of the issue. 

A significant majority of financial institutions have begun utilizing AI-driven tools actively, with adoption rates rapidly increasing in recent years. Nevertheless, fraud losses, particularly those caused by identity abuse, instant payments, and account takeovers, continue to rise, emphasizing the limitations of legacy controls when faced with adaptive adversaries enabled by artificial intelligence. 

As AI enhances defensive capabilities, it simultaneously enhances sophistication and accessibility of attack methodologies, demonstrating a critical inflection point. Generated artificial intelligence is not positioned here as a standalone solution, but rather as a vital component of a future security strategy. Its value lies in enabling systems to continuously learn, to detect anomalies based on greater contextual awareness, and to respond at machine speed when necessary. 

With the interconnectedness of financial ecosystems and the increase in transaction volumes, real-time prediction and neutralization of emerging fraud patterns is becoming increasingly important. To ensure operational integrity and customer trust, organizations need to integrate generative artificial intelligence as a core component of fraud defence as a strategic necessity. 

An increasingly intelligent threat environment makes it a strategic necessity. Managing this rapidly evolving risk environment requires shifting attention from incremental enhancements to deliberate, architecture-level transformation. In order to mitigate fraud, institutions are expected to integrate adaptive intelligence throughout the fraud lifecycle, incorporating advanced analytics into strong governance frameworks, cross-channel visibility, and rapid decision-making processes. 

Human expertise must be paired with machine-driven insights to ensure that automation augments rather than replaces strategic oversight. In order to sustain resilience to increasingly autonomous threats, continuous model validation, adversarial testing, and workforce upskilling will be necessary. Agile, accountable, and real-time responsive organizations will ultimately be in a better position to contain emerging risks in an increasingly AI-mediated financial ecosystem.