Hackers Can Use GenAI to Change Loaded Clean Page Into Malicious within Seconds

[Parkinsond]

Content source

https://cybersecuritynews.com/hackers-can-use-genai-to-change-loaded-clean-page/

A new and alarming threat has emerged in the cybersecurity landscape where attackers combine artificial intelligence with web-based attacks to transform innocent-looking webpages into dangerous phishing tools in real time.

Security researchers discovered that cybercriminals are now leveraging generative AI systems to create malicious code that loads dynamically after users visit seemingly safe websites.

This attack vector represents a significant evolution in web-based threats, making detection and prevention far more challenging for traditional security solutions.

Since the malicious code is assembled and executed only at runtime, it leaves no detectable static payload behind.

Hackers Can Use GenAI to Change Loaded Clean Page Into Malicious within Seconds

Attackers now use AI to turn safe-looking webpages into live phishing tools, loading malicious code dynamically via public AI APIs.

cybersecuritynews.com

 

[Sampei.Nihira]

Yes, a perfect example of the importance of the browser in security configuration.
Meticulous control of scripts/frames in the browser allows you to nip all types of threats in the bud.

@Andy Ful

highlighted in another thread how DNS is also important in terms of prevention.
The browser comes right after that.

 

[Divergent]

Execution Flow
User visits a benign-looking URL.

Browser executes a script to fetch data from an AI API.

The API receives a "jailbreak" prompt requesting phishing code.

The API returns functional malicious JavaScript.

The browser executes the returned string (likely via eval() or Function() constructors).

Mitigation & Defense Strategy
Traditional antivirus (AV) and static analysis are ineffective against this threat. Defense must focus on Runtime Enforcement and Policy Restrictions, aligning with NIST SP 800-53 (System and Communications Protection).

Strict Content Security Policy (CSP) (Critical) The most effective defense is to prevent the browser from talking to unauthorized third-party APIs. Implement a strict CSP header on your web properties.

Content-Security-Policy: default-src 'self'; script-src 'self'; connect-src 'self';

If connect-src does not whitelist the AI provider (e.g., *.googleapis.com), the malicious prompt cannot be sent, and the payload cannot be retrieved.

Network Filtering (Egress Control) For enterprise environments, restrict access to GenAI APIs on endpoints that have no business need for them.

Action
Block specific API endpoints (e.g., api.openai.com/v1/completions) at the Secure Web Gateway (SWG) level for general user subnets.

Behavioral Analysis (Endpoint) Since the code changes, detection must be behavioral.

Indicator
Look for processes or browser tabs initiating high-frequency API calls to LLM services followed immediately by the execution of unverified scripts or DOM manipulation (e.g., sudden creation of login forms).

NIST/MITRE Context

MITRE ATT&CK T1059.007 (JavaScript) Adversaries executing code via the browser.

MITRE ATT&CK T1583 (Acquire Infrastructure) Leveraging web services.

NIST CSF (Protect)
Implement Data Security and Information Protection Processes and Procedures (PR.IP).

Conclusion
This threat represents a shift from "static evasion" (obfuscation) to "dynamic generation." Security teams cannot rely on threat feeds for hash blocking in this context. The defense must pivot to Zero Trust principles regarding web content. Do not allow your internal browsers to communicate with external AI APIs unless explicitly authorized and scoped.

 

[Sampei.Nihira]

It cannot be determined with certainty.
A Noeval() rule as a script in uBo and scriptlet in AG also renders new Function() partially ineffective.
Therefore indirectly ineffective.

The problem is that this rule is quite invasive.
I only use it outside my 9TLDs, and in this case I have only written one exception.
On the other hand,
@LinuxFan58 , if he hasn't changed in the last few hours, uses it more extensively than I do.

If any forum members want to do a specific test:

Test Eval

 

[Allego]

It cannot be determined with certainty.
A Noeval() rule as a script in uBo and scriptlet in AG also renders new Function() partially ineffective.
Therefore indirectly ineffective.

The problem is that this rule is quite invasive.
I only use it outside my 9TLDs, and in this case I have only written one exception.
On the other hand,
@LinuxFan58 , if he hasn't changed in the last few hours, uses it more extensively than I do.

If any forum members want to do a specific test:

Test Eval

 

[oldschool]

µBlock Origin deployed in Advanced User Mode.

 

[Sampei.Nihira]

View attachment 294947

It's obvious.
If you enter this rule in uBo, you will notice that the first test is blocked:

*##+js(noeval)

And all other permitted tests.
In AG, you need to use a different syntax.
In uBoL, however, it is not possible to block Eval() because the extension does not allow script injection.

 

[piquiteco]

Test Eval

Spoiler: Eval(), new Function(), setTimeout(), and setInterval() Blocked!

 

[Sampei.Nihira]

Spoiler: Eval(), new Function(), setTimeout(), and setInterval() Blocked!

View attachment 294949

Only with the extension can you achieve a similar result.
But it is counterproductive for web usability.

I have already written that the Noeval() rule indirectly blocks new Function() as well, and the other two tests are greatly reduced in their functionality.
All this, of course, when they are abused.
The test obviously does not highlight this.

Furthermore, the extension does not allow you to insert exception rules.
With the Noeval rule, however, you can insert exceptions.

So here is my personal advice.
Do not use the extension.