Cybersecurity researchers flagged a new technique that cybercriminals use to bypass social media platform X’s malvertising protections and spread malicious links through its artificial intelligence (AI) assistant Grok.
The findings came from Nati Tal, head of Guardio Labs, who detailed them in a series of posts on X. He codenamed the technique Grokking.
The approach helps attackers get around the restrictions X imposes on Promoted Ads, which only allow users to include text, images, or videos. The attackers then amplify the content to a broader audience, drawing hundreds of thousands of impressions through paid promotion.
To achieve this, malvertisers run video card–promoted posts with adult content as bait. They then hide the spurious link in the “From:” metadata field below the video player, a location that X apparently does not scan.
Next, the fraudsters tag Grok in replies to the post, asking something like “where is this video from?,” which prompts the AI chatbot to visibly display the link in its response.
“Adding to that, it is now amplified in SEO and domain reputation – after all, it was echoed by Grok on a post with millions of impressions,” Tal said.
“A malicious link that X explicitly prohibits in ads (and should have been blocked entirely!) suddenly appears in a post by the system-trusted Grok account, sitting under a viral promoted thread and spreading straight into millions of feeds and search results!”
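The gap described above has two halves: a metadata field that ad review does not scan, and an assistant that repeats that field verbatim. The Python sketch below is an added example, not code from X, Grok or Guardio; it scans every field of a promoted post for links and strips post-derived links from an assistant reply. The field names (`promoted`, `video_card`, `from`), the sample post and the `.example` domain are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Matches http(s) URLs and bare domains such as "site.example/path".
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s\"'<>]*)?", re.I)

def host_of(url):
    """Lower-cased hostname of a URL or bare domain."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()

def find_links(value, path="post"):
    """Walk every string in a nested post object and yield (field_path, url)."""
    if isinstance(value, str):
        for match in URL_RE.finditer(value):
            yield path, match.group(0)
    elif isinstance(value, dict):
        for key, item in value.items():
            yield from find_links(item, f"{path}.{key}")
    elif isinstance(value, (list, tuple)):
        for i, item in enumerate(value):
            yield from find_links(item, f"{path}[{i}]")

def ad_link_violations(post):
    """Policy check: a promoted post may carry no link in any field, metadata included."""
    return list(find_links(post)) if post.get("promoted") else []

def filter_reply(reply, post, allowed_hosts=frozenset()):
    """Remove from an assistant reply any link whose host was taken from the post it answers."""
    untrusted = {host_of(url) for _, url in find_links(post)} - set(allowed_hosts)
    def redact(match):
        return "[link removed]" if host_of(match.group(0)) in untrusted else match.group(0)
    return URL_RE.sub(redact, reply)

# Constructed sample data (hypothetical schema, reserved .example domain).
SAMPLE_POST = {
    "promoted": True,
    "text": "Watch the full clip",
    "video_card": {"title": "clip", "from": "stream-source.example/watch?id=1"},
}
SAMPLE_REPLY = "The video is from stream-source.example/watch?id=1 according to the card."

if __name__ == "__main__":
    print(ad_link_violations(SAMPLE_POST))
    print(filter_reply(SAMPLE_REPLY, SAMPLE_POST))
```

Scanning only the visible text field would report no violation for the sample post; the recursive walk is what catches the link in the card metadata.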
Guardio explained that the links direct users to sketchy ad networks, which then send them to malicious destinations pushing fake CAPTCHA scams, information-stealing malware, and other suspicious content through direct link (aka smartlink) monetization.
In addition, the domains belong to the same Traffic Distribution System (TDS), a tool often used by malicious ad tech vendors to funnel traffic toward harmful or deceptive content.
The cybersecurity company told The Hacker News it has discovered hundreds of accounts engaging in this behavior over the past few days, with each account posting hundreds or even thousands of similar posts.
“They seem to be posting non-stop for several days until the account gets suspended for violating platform policies,” it added. “So there are definitely many of them and it looks very organized.”
Source: TheHackerNews