Agentic Malvertising Attack Clones Travel Website to Steal Payment Data

AI Coding Agents Power a New Generation of Fraud Across Ad Ecosystem

A malvertising campaign impersonating Skyscanner shows how AI tools are giving low-sophistication attackers high-sophistication reach, driving the shift toward fully agentic malvertising campaigns.

In early March, a malvertising campaign was detected targeting users with a network of suspicious sites designed to mimic Skyscanner, a globally recognized travel platform. GeoEdge’s security team found that this wasn’t a sloppy knockoff. Instead, analysis of the code suggests the attackers used an AI coding agent to clone Skyscanner’s frontend almost entirely, creating a fully functional booking experience that could easily fool users.

It was a near-perfect replica with one telltale detail the attackers couldn’t scrub: a fingerprint left behind by the automated coding agent used to clone the site, in the form of AI-generated inline comments throughout the codebase.


Figure 1: The fraudulent site’s code, with AI-style inline comments revealing the use of an automated agent.

The Attack, Explained

The campaign operated through a network of lookalike domains (skyscannerpass.com, skyscannerz.com, and skyscannerbr.com), each targeting users by region and language. Malicious ads drove traffic directly to these pages, where visitors were met with all the familiar site functionality: search bars, airline logos, and realistic-looking flight results.

Users arriving at one of these domains were presented with fake deals advertising 40% discounts: a social engineering tactic designed to create urgency, lower user skepticism, and drive payment submission. The three identified domains also targeted users by language and region, indicating a geographically segmented campaign tailored to specific victim profiles.

The booking flow was real enough to feel legitimate. The payment capture on the other side was not. Users who completed the process handed their credit card information directly to the attackers.

Figure 2: The fraudulent checkout page, hosted on skyscannerpass.com, prompts users to enter full credit card details, including card number, expiry, CVV, and national ID.

The attackers’ imitation was polished and highly believable, down to a replicated CAPTCHA verification page, which the real site uses as a bot-detection layer. On the legitimate site, this system is active and connected. On the fraudulent domains, it is purely cosmetic: the interface is there, but the underlying service is not functioning. GeoEdge’s security team confirmed this disconnect during analysis.

Figure 3: A CAPTCHA page on the fraudulent domain mimics Skyscanner’s real bot-detection interface, but the underlying verification service is not connected or functional.


Entering the Agentic Malvertising Era

AI coding agents have collapsed the time and skill required to reverse-engineer a production website from days to hours. What was once the domain of well-resourced threat actors is now accessible to anyone with a browser and a prompt.

What this creates is a new category of threat: agentic malvertising. GeoEdge is tracking this class of attack under the name MirrorAgent: campaigns where attackers use AI coding agents to clone legitimate websites and serve them through programmatic ad channels to steal user data. The fraudulent Skyscanner domains weren’t a one-off; they were replicated across multiple regional targets with localized content and tailored ad routing. If the evidence holds, the attacker’s role wasn’t to build anything. It was to prompt, review, and deploy.

What Detection Actually Requires

GeoEdge identified and blocked this campaign by analyzing not just the ad unit but the destination, scanning the integrity of the landing page itself, including code structure, asset sourcing, and functional verification layers.

The fraud was engineered into the destination, invisible to any system that stops at the click. As AI continues to lower the cost of building deceptive infrastructure, detection has to go deeper. The same technology being used to clone legitimate brands is being used to defeat the defenses designed to catch them, unless those defenses are built to look further than the creative.
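A landing-page integrity check of the kind described above, as an added example (not GeoEdge's detection code): it flags a brand name embedded in a non-brand hostname, CAPTCHA markup served without any provider script, and comment-heavy source of the sort shown in Figure 1. The legitimate-host list, the provider hints, the density threshold and the sample HTML are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Assumptions for the example: the brand's legitimate hosts and the brand token.
BRAND = "skyscanner"
LEGIT_HOSTS = {"skyscanner.net", "www.skyscanner.net"}
# Substrings found in real CAPTCHA providers' script URLs; a purely cosmetic
# widget (as on the fraudulent domains) never loads one of these.
CAPTCHA_PROVIDER_HINTS = ("recaptcha", "hcaptcha", "turnstile")

# Constructed sample of a cloned landing page (not the real site's code).
SAMPLE_HTML = """\
<!-- Header: replicate the search bar exactly -->
<div class="search-bar"><input placeholder="From"></div>
<!-- Bot check: same look as the original verification page -->
<div class="captcha-box">Verify you are human</div>
<script src="/static/app.js"></script>
<script>
  // Initialize the deals banner
  showBanner("40% off");
  // Wire up the checkout form
  bindForm("#checkout");
</script>
"""

def lookalike_domain(url):
    """True if the hostname embeds the brand name but is not a legitimate brand host."""
    host = (urlparse(url).hostname or "").lower()
    return BRAND in host and host not in LEGIT_HOSTS

def cosmetic_captcha(html):
    """True if CAPTCHA-looking markup is present but no provider script is loaded."""
    has_widget = re.search(r'class="[^"]*captcha', html, re.I) is not None
    srcs = re.findall(r'<script[^>]+src="([^"]+)"', html, re.I)
    has_provider = any(h in s.lower() for s in srcs for h in CAPTCHA_PROVIDER_HINTS)
    return has_widget and not has_provider

def comment_density(html):
    """Fraction of non-blank lines that are HTML or JS line comments (heuristic)."""
    lines = [l.strip() for l in html.splitlines() if l.strip()]
    comments = [l for l in lines if l.startswith(("<!--", "//"))]
    return len(comments) / len(lines) if lines else 0.0

def assess_landing_page(url, html, density_threshold=0.3):
    """Return the integrity findings for a landing page, in a fixed order."""
    findings = []
    if lookalike_domain(url):
        findings.append("lookalike-domain")
    if cosmetic_captcha(html):
        findings.append("cosmetic-captcha")
    if comment_density(html) >= density_threshold:
        findings.append("comment-heavy-source")
    return findings
```

Any single finding is only a signal; the value is in combining destination-level checks like these with the ad-level ones the text says most stacks already have.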

GeoEdge’s security team is actively blocking the identified domains and monitoring for related campaigns. AdTech platforms and digital media companies running programmatic advertising should evaluate whether their current verification stack covers landing page integrity, not just ad-level signals.

GeoEdge is the trusted cyber security and ad quality partner for publishers and platforms in the digital advertising industry. With more than a decade of experience, we’ve built solutions to prevent tomorrow’s threats, today.