Web Fraud Attacks Against LLM-Driven Multi-Agent Systems

Dezhang Kong, Hujin Peng, Yilun Zhang, Lele Zhao, Zhenhua Xu, Shi Lin, Changting Lin, Meng Han

TL;DR

The paper identifies Web Fraud Attacks (WFA) as a novel vulnerability in LLM-driven multi-agent systems, caused by deceptive manipulation of URL structures. It designs 12 attack variants across five URL components and demonstrates substantial attack success rates across multiple models, architectures, and defenses, revealing a systemic blind spot in how MAS process web links. Traditional defenses and current LLM-based counters provide limited protection, underscoring the need for defense-focused strategies at the URL and architecture level. The work offers mitigation directions (e.g., DNS traceability, whitelisting, adversarial training) and discusses limitations such as the single-attacker threat model and preliminary defenses, suggesting future research directions for MAS security.

Abstract

With the proliferation of LLM-driven multi-agent systems (MAS), the security of Web links has become a critical concern. Once MAS is induced to trust a malicious link, attackers can use it as a springboard to expand the attack surface. In this paper, we propose Web Fraud Attacks, a novel type of attack manipulating unique structures of web links to deceive MAS. We design 12 representative attack variants that encompass various methods, such as homoglyph deception, sub-directory nesting, and parameter obfuscation. Through extensive experiments on these attack vectors, we demonstrate that Web fraud attacks not only exhibit significant destructive potential across different MAS architectures but also possess a distinct advantage in evasion: they circumvent the need for complex input design, lowering the threshold for attacks significantly. These results underscore the importance of addressing Web fraud attacks, providing new insights into MAS safety. Our code is available at https://github.com/JiangYingEr/Web-Fraud-Attack-in-MAS.
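One way to apply the whitelisting direction from the TL;DR to the link tricks the abstract names (homoglyph deception, sub-directory nesting, parameter obfuscation), as an added example that is not code from the paper or its repository: the trust decision rests only on the parsed host, never on where a trusted name appears in the string. The allowlist, function name, reason codes and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

# Constructed allowlist; example.com and .test are reserved documentation names.
ALLOWED_HOSTS = frozenset({"example.com", "www.example.com"})

def assess_link(url, allowed=ALLOWED_HOSTS):
    """Return (verdict, reasons) for a link an agent wants to visit or recommend.

    The verdict depends only on the host the URL actually points at. The
    path/query reasons explain why a blocked link may still *look* trusted.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname          # lowercased, without userinfo or port
    except ValueError:                 # malformed authority, e.g. bad brackets
        return "block", ["unparseable-url"]
    if parts.scheme != "https" or not host:
        return "block", ["no-https-host"]

    reasons = []
    if not host.isascii():
        # Raw Unicode in the host: look-alike letters from another script
        reasons.append("non-ascii-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        # Same thing in its IDNA (punycode) wire form
        reasons.append("punycode-host")
    if host not in allowed:
        reasons.append("host-not-allowlisted")
        path = unquote(parts.path).lower()
        query = unquote(parts.query).lower()
        if any(name in path for name in allowed):
            reasons.append("trusted-name-in-path")    # sub-directory nesting
        if any(name in query for name in allowed):
            reasons.append("trusted-name-in-query")   # parameter obfuscation
    return ("block" if reasons else "allow"), reasons

if __name__ == "__main__":
    samples = [                                          # constructed inputs
        "https://example.com/account",
        "https://attacker.test/example.com/login",
        "https://attacker.test/redirect?site=example.com",
        "https://ex\u0430mple.com/account",              # Cyrillic U+0430
    ]
    for s in samples:
        print(assess_link(s), ascii(s))
```

Running the check in the tool layer, before a link reaches an agent's browsing tool or a user-facing recommendation, keeps the decision out of the model's hands.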

Paper Structure

This paper contains 20 sections, 2 equations, 20 figures, 5 tables.

Figures (20)

  • Figure 1: Web fraud attacks (WFA): a malicious agent in MAS disguises the malicious link's structure to increase its stealthiness, trying to make the MAS trust a dangerous website. This link can be recommended to users or directly visited by LLMs using tools.
  • Figure 2: Structure of Web links.
  • Figure 3: Four MAS architectures used in experiments.
  • Figure 4: Average success rates across attack types.
  • Figure 5: Attack effectiveness on distinct models.
  • ...and 15 more figures