Major AI Agents Are Being Spoofed - and It Could Put Your Site at Risk

Summary

Radware research reveals that malicious bots are spoofing popular AI agents such as ChatGPT, Claude and Gemini, masquerading as legitimate agents that require POST permissions for transactional actions like booking or purchasing. The rise of genuine AI agents that can write to sites has shattered the long‑standing security assumption that bots only read, leaving finance, e‑commerce, healthcare and travel sites especially exposed. Because chatbots use disparate verification methods, spoofed agents can slip past defenses and exploit the same write privileges granted to trusted bots. Researchers recommend a zero‑trust approach for state‑changing requests, AI‑resistant CAPTCHAs, treating all user‑agents as untrusted, and strict DNS/IP validation to mitigate the risk.