TLDR: Radware’s Cyber Threat Intelligence (CTI) team has issued a high-confidence alert regarding malicious actors actively spoofing legitimate AI agents from major providers like OpenAI, Google, Grok, and Anthropic. This new tactic exploits the need for AI agents to use POST requests for interactive functions, bypassing traditional bot mitigation systems and enabling large-scale account takeover (ATO) and financial fraud attacks. The cybersecurity industry faces a ‘fractured trust model’ due to inconsistent AI agent verification methods, with some agents being trivially spoofable.
Radware’s Cyber Threat Intelligence (CTI) team has uncovered a significant and evolving threat in the cybersecurity landscape: malicious actors are increasingly spoofing the identities of legitimate AI agents to circumvent existing bot defense mechanisms. This alarming trend, identified with high confidence, targets interactive AI agent modes deployed by major platforms such as OpenAI, Google, Grok, and Anthropic in 2024-2025.
These advanced AI agents, including OpenAI’s ChatGPT Agent, Google Gemini, Grok’s agent mode, and Anthropic Claude, require POST request permissions for transactional capabilities like booking hotels or purchasing tickets.
This requirement fundamentally breaks traditional bot security assumptions, which typically restrict ‘good bots’ to GET-only requests.
Traditional bot mitigation solutions have relied on three primary parameters: User Agent (UA) verification, IP address validation against published ranges, and limiting good bots to GET-only requests. However, the introduction of interactive AI agents that can fully render dynamic web applications and perform state-changing actions has rendered these methods inadequate.
The gap between legitimate and malicious bot traffic patterns has significantly narrowed, creating a ‘detection blind spot’ for security teams.
Radware’s CTI team highlights six critical risk factors driving this new wave of attacks:
1. Economic Pressure to Comply: Businesses are incentivized to grant broad access to AI agents to maintain visibility in emerging e-commerce and customer service channels, potentially weakening security controls.
2. Static Verification Methods: Current bot mitigation systems’ reliance on UA strings and IP ranges is insufficient against modern, sophisticated threats.
3. JavaScript Rendering: Legitimate AI bots can fully render dynamic web applications, accessing interactive components previously invisible to simpler bots.
4. POST Request Allowlisting: Security policies must now permit POST requests from identified AI bots, undermining the fundamental assumption that good bots only read data.
5. Spoofing Simplicity: Attackers can easily spoof user agents (e.g., ChatGPT) and employ residential proxies or IP spoofing to be classified as trusted AI bots with POST permissions.
6. Expected Traffic Surge: Anticipated increases in legitimate AI agent traffic create an environment where malicious bots can masquerade unnoticed.
Organizations in financial services, e-commerce, ticketing and travel, and healthcare are at the highest risk due to the direct monetary impact or critical nature of identity verification in these sectors.
The core of the problem lies in a ‘fractured trust model’ for AI agent identification. While Google (Google-Extended) offers strong verification via DNS lookups and published IP ranges, and OpenAI (ChatGPT Agent) sets a ‘gold standard’ with cryptographic HTTP Message Signatures (RFC 9421), other providers present weaker links. Anthropic (ClaudeBot) and Grok (xAI-Web-Crawler) rely solely on User-Agent strings and do not publish official IP ranges, making them trivially easy to spoof.
To counter these threats, Radware recommends a comprehensive security approach:
Adopt a Zero-Trust Policy: Implement rigorous, AI-resistant challenges like behavioral CAPTCHAs or proof-of-work checks for all automated clients attempting state-changing (POST) requests.
Treat User-Agent as Untrustworthy: Any agent relying solely on a User-Agent string for identification should be considered unverified by default.
Enforce Rigorous DNS and IP-Based Checks: Conduct two-way DNS lookups and dynamically update IP allow-lists from official sources, especially for agents like Claude and Grok.
Prioritize Cryptographic Verification: Implement and trust methods like OpenAI’s HTTP Message Signatures as the highest-trust signal.
Prioritize Business Logic Abuse (BLA) Defenses: Shift from static detection to dynamic behavioral monitoring that analyzes how bots interact with applications.
Focus on Grok and Claude Spoofing: Because neither provider publishes official IP ranges, these agents can be identified only by User-Agent string and are therefore the easiest to impersonate.
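The recommendations above describe a tiered verification policy: trust a valid cryptographic signature most, then a two-way DNS check combined with a published IP range, and treat a bare User-Agent match as unverified so that state-changing requests from it are challenged. The following is an added example (not Radware's code or any provider's reference implementation) that applies that policy to an incoming request. The DNS resolvers are injected so it runs offline; every hostname suffix, CIDR prefix and the `signature_valid` flag are constructed placeholders (reserved TEST-NET prefixes and the `.invalid` TLD), not the providers' real values, and the RFC 9421 signature verification itself is assumed to be done upstream.

```python
"""Trust-tier classifier for requests that claim to be an AI agent.

Added example, not part of the original report. All prefixes, hostnames and
the signature check are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class AgentPolicy:
    ua_token: str                  # substring expected in the User-Agent header
    rdns_suffix: Optional[str]     # PTR hostname suffix; None = provider publishes none
    ip_ranges: Tuple[str, ...]     # published CIDR ranges; empty = provider publishes none
    supports_signatures: bool      # provider signs requests (HTTP Message Signatures, RFC 9421)


# Constructed policy table. A real deployment would refresh the ranges from each
# provider's official source; the values below are placeholders only.
POLICIES = {
    "chatgpt-agent": AgentPolicy("ChatGPT-User", "agent.example-openai.invalid", ("203.0.113.0/24",), True),
    "google-extended": AgentPolicy("Google-Extended", "crawl.example-google.invalid", ("198.51.100.0/24",), False),
    # Per the report, these two rely on User-Agent only and publish no IP ranges.
    "claudebot": AgentPolicy("ClaudeBot", None, (), False),
    "xai-web-crawler": AgentPolicy("xAI-Web-Crawler", None, (), False),
}

ReverseLookup = Callable[[str], Optional[str]]  # ip -> PTR hostname (or None)
ForwardLookup = Callable[[str], List[str]]      # hostname -> A/AAAA addresses


def forward_confirmed_rdns(ip: str, suffix: str,
                           reverse_lookup: ReverseLookup,
                           forward_lookup: ForwardLookup) -> bool:
    """Two-way DNS check: the PTR must sit under the provider's suffix, and the
    forward lookup of that hostname must resolve back to the same IP."""
    host = reverse_lookup(ip)
    if not host or not host.rstrip(".").endswith(suffix):
        return False
    return ip in forward_lookup(host)


def in_published_ranges(ip: str, ranges: Tuple[str, ...]) -> bool:
    """True if ip falls inside any of the provider's published CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def classify_agent(user_agent: str, client_ip: str, signature_valid: bool,
                   reverse_lookup: ReverseLookup, forward_lookup: ForwardLookup) -> str:
    """Return the trust tier: 'cryptographic' > 'dns-ip' > 'unverified' > 'none'.
    'none' means the request does not claim to be a known agent at all."""
    policy = next((p for p in POLICIES.values() if p.ua_token in user_agent), None)
    if policy is None:
        return "none"
    if policy.supports_signatures and signature_valid:
        return "cryptographic"
    if policy.rdns_suffix and policy.ip_ranges:
        if (forward_confirmed_rdns(client_ip, policy.rdns_suffix, reverse_lookup, forward_lookup)
                and in_published_ranges(client_ip, policy.ip_ranges)):
            return "dns-ip"
    # A User-Agent match alone, or a failed DNS/IP check, is unverified by default.
    return "unverified"


def decide(method: str, tier: str) -> str:
    """Zero-trust decision: only verified tiers may perform state-changing
    requests unchallenged; everything else on POST gets an AI-resistant challenge."""
    if tier in ("cryptographic", "dns-ip"):
        return "allow"
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return "allow-monitored"   # read-only; ordinary bot mitigation still applies
    return "challenge"


# Constructed offline DNS fixtures so the example runs without network access.
_PTR = {
    "203.0.113.10": "bot-10.agent.example-openai.invalid.",
    "198.51.100.7": "c7.crawl.example-google.invalid.",
}
_FWD = {
    "bot-10.agent.example-openai.invalid.": ["203.0.113.10"],
    "c7.crawl.example-google.invalid.": ["198.51.100.7"],
}


def demo_reverse(ip: str) -> Optional[str]:
    return _PTR.get(ip)


def demo_forward(host: str) -> List[str]:
    return _FWD.get(host, [])


if __name__ == "__main__":
    # A spoofed ChatGPT User-Agent from a residential-looking address, no signature, POST.
    tier = classify_agent("Mozilla/5.0 ChatGPT-User/1.0", "192.0.2.55", False, demo_reverse, demo_forward)
    print(tier, decide("POST", tier))            # unverified challenge
    # Google-Extended from an address that passes the two-way DNS and range check.
    tier = classify_agent("Google-Extended", "198.51.100.7", False, demo_reverse, demo_forward)
    print(tier, decide("POST", tier))            # dns-ip allow
```

Note the ClaudeBot and xAI-Web-Crawler entries: with no published suffix or ranges, `classify_agent` can never return better than `unverified` for them, which is exactly the report's point that User-Agent-only agents must be challenged on POST regardless of where the request comes from.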
The cybersecurity industry is responding with cryptographic authentication standards (IETF Web Bot Auth), but current implementation gaps create immediate risks for organizations. This evolving threat landscape necessitates a proactive and adaptive defense strategy to protect against sophisticated AI bot impersonations.