Researchers at Palo Alto Networks’ Unit 42 have uncovered a new cyber threat born from the hallucinations of large language models (LLMs). These AI systems frequently generate plausible-sounding website addresses for brands, APIs, and services that don’t actually exist. Cybercriminals are quickly registering these ”phantom” domains ahead of time to hijack traffic, steal logins, and intercept AI-driven requests in a scheme dubbed ”phantom squatting.”

The attack vector is straightforward: an LLM confidently suggests a domain that looks like it belongs to a legit company, but that domain isn’t registered yet. When cybercriminals preemptively claim these names, they get a near-perfect facade-these phantom domain names have no tarnished history in security blacklists, and AI models are already referencing them in their outputs, lending credibility.

Unit 42 tested two popular LLMs by querying them over 685,000 times with a list of 913 global brands. These models spit out about 2.1 million URLs; over 809,000 led to nonexistent domains. After filtering and normalization, researchers identified roughly 250,000 unique domains ripe for registration. Alarmingly, approximately 0.61% of all domains already showed ties to malicious activity like phishing, malware distribution, and botnet control.

What’s more worrying is the repetition. LLMs often recycle similar domain patterns for the same brands, creating a predictable ”hallucination surface.” This isn’t just random AI noise; it’s effectively a roadmap for future targets that attackers can monitor and exploit.

The report highlights specific cases: one domain, later used in the Montana Empire phishing campaign, was predicted 23 days before its registration. Another domain appeared in a phishing operation mimicking a national postal service, emerging 51 days after the initial AI prediction and promptly caught in researchers’ monitoring tools.

Phantom squatting breaks traditional domain trust models

This trend undermines the conventional methods used to verify domain legitimacy. Typical defenses rely on domain age, incident history, and reputation scores. Phantom domains lack these markers because they are byproducts of AI generation rather than established malicious sites. Security filters see them as clean slate entities, creating blind spots.

The problem heightens when LLMs suggest URLs in automated development pipelines. An AI might propose a bogus API endpoint or external webhook URL-errors that human reviewers might catch but often slip through in continuous integration/continuous deployment (CI/CD) workflows. These bad links can then cause data leaks or unintended calls to attacker-controlled services.

This exploits an attack vector reminiscent of ”dependency confusion,” where in 2021 researcher Alex Birsan showed how build systems could pull malicious external packages instead of internal ones by name. Now the same concept applies at the domain level-if an AI ”believes” a fabricated address, all an attacker has to do is register it first.

Another dimension involves ”package hallucinations,” where developer assistants invent nonexistent Python or JavaScript packages. Phantom squatting extends this risk beyond code libraries to the network layer. Agent-based AI systems that autonomously browse URLs or interact with APIs make this especially hazardous-they might unknowingly connect to fake domains without human oversight.

This opens an emerging attack vector that doesn’t rely on classic phishing emails screaming about blocked accounts. Instead, a single credible-looking URL generated by an AI agent can enable credential theft, token leaks, malware downloads, or communication with fake APIs. As these autonomous AI integrations grow-Gartner predicts one-third of enterprise software will use agent AI by 2028-the threat will only escalate.

Unit 42 recommends proactive defense through continuous monitoring of domains generated by LLMs for known brands. Checking these predicted domains against DNS registrations and network traffic can provide an early warning window-often 18 to 51 days-before attackers weaponize them. In cybersecurity, even a few weeks can make all the difference.

For enterprises, this serves as a fresh caution against allowing AI agents to operate in production environments without strict verification of external URLs. As companies like OpenAI, Google, and Microsoft push AI systems from passive responders to active agents executing tasks, demand will surge for specialized tools that secure brand-related domains that didn’t exist yesterday but are hijacking traffic today.

Looking ahead, the rise of phantom squatting compels security teams and AI developers to collaborate closely. Tracking AI-generated domain suggestions, tightening controls on automated URL usage, and enhancing domain reputation systems to account for this new breed of threat will be critical. Ignoring phantom squatting risks turning AI hallucinations into real-world breaches at an unprecedented scale.

Source: Ixbt

Leave a comment

Your email address will not be published. Required fields are marked *