Web link validation in LLM-driven multi-agent systems (MAS) is critically weak, exposing them to external web-based threats. Method: This paper introduces “Web Fraud Attacks”—a novel threat paradigm—comprising 11 stealthy, jailbreak-free attack variants leveraging homograph spoofing, subdomain grafting, parameter obfuscation, and path impersonation to systematically misdirect MAS toward malicious websites. Experiments evaluate these attacks across diverse mainstream MAS architectures. Contribution/Results: The attacks achieve high success rates and strong evasion capabilities, significantly expanding the attack surface. This work uncovers a fundamental security gap in MAS external link handling and establishes the first evaluation framework for web fraud attacks targeting MAS, providing both theoretical foundations and empirical evidence to guide future defense mechanisms.

With the proliferation of applications built upon LLM-driven multi-agent systems (MAS), the security of Web links has become a critical concern in ensuring system reliability. Once an agent is induced to visit a malicious website, attackers can use it as a springboard to conduct diverse subsequent attacks, which will drastically expand the attack surface. In this paper, we propose Web Fraud Attacks, a novel type of attack aiming at inducing MAS to visit malicious websites. We design 11 representative attack variants that encompass domain name tampering (homoglyph deception, character substitution, etc.), link structure camouflage (sub-directory nesting, sub-domain grafting, parameter obfuscation, etc.), and other deceptive techniques tailored to exploit MAS's vulnerabilities in link validation. Through extensive experiments on these crafted attack vectors, we demonstrate that Web fraud attacks not only exhibit significant destructive potential across different MAS architectures but also possess a distinct advantage in evasion: they circumvent the need for complex input formats such as jailbreaking, which inherently carry higher exposure risks. These results underscore the importance of addressing Web fraud attacks in LLM-driven MAS, as their stealthiness and destructiveness pose non-negligible threats to system security and user safety.