Hackers Leverage X’s Grok AI To Amplify Malicious Links Via Promoted Posts

A new cyber-attack method, identified as “Grokking,” is leveraging features of the social media platform X to distribute malicious links extensively.
Attackers are exploiting the platform’s advertising system and its generative AI, Grok, to circumvent security measures and propagate harmful domains. This strategy involves using X’s tools in a malvertising operation.
According to GuardioSecurity researcher Nati Tal, the attack begins with malicious promoted posts labeled as “video card,” which often use explicit or sensational content to attract users.
Although X’s policies aim to restrict malvertising by prohibiting links in promoted content, attackers have discovered a significant loophole.
The malicious link is embedded not in the main content but in the “From:” field beneath the video player, which X’s automated security scans appear to overlook. Consequently, posts can achieve between 100,000 and over 5 million paid impressions.
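The coverage gap described above, shown from the defender's side as an added example (not code from the original report or from X): a link-policy check that inspects only the post text, next to one that walks every field rendered to users. The record layout and the field names `text`, `card` and `from` are assumptions made for illustration.

```python
import re

# Matches http(s) URLs and bare, schemeless domains such as "videos.example",
# the form a card's source label would show. Deliberately broad: a policy
# check should over-report and let a reviewer dismiss false positives.
LINK_RE = re.compile(
    r"(?:https?://)?(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,24}(?:/\S*)?",
    re.IGNORECASE,
)

def find_links(value, path=""):
    """Recursively yield (field_path, link) for every string in a nested record."""
    if isinstance(value, str):
        for match in LINK_RE.finditer(value):
            yield path, match.group(0)
    elif isinstance(value, dict):
        for key, item in value.items():
            yield from find_links(item, f"{path}.{key}" if path else key)
    elif isinstance(value, (list, tuple)):
        for index, item in enumerate(value):
            yield from find_links(item, f"{path}[{index}]")

def body_only_check(post):
    """The gap: only the main text is inspected, so other fields pass unseen."""
    return [link for _, link in find_links(post.get("text", ""), "text")]

def all_fields_check(post):
    """Apply the no-links policy to every field of the promoted post."""
    return list(find_links(post))

# Constructed sample record; field names are hypothetical, not X's schema.
SAMPLE_POST = {
    "promoted": True,
    "text": "You won't believe this clip",
    "card": {"type": "video", "from": "clips.malicious.example"},
}

if __name__ == "__main__":
    print("body only :", body_only_check(SAMPLE_POST))
    for field, link in all_fields_check(SAMPLE_POST):
        print(f"violation : {field} -> {link}")
```

The same field walk applies to whatever post context is handed to an assistant: a domain found in an unscreened metadata field can be withheld or flagged before it is repeated to the user.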
The second phase of the attack uses the platform’s AI assistant, Grok. Users, intrigued by the often anonymous videos, frequently consult Grok for the source.
In its response, Grok scans the post and retrieves the domain name from the “From:” field, presenting the malicious link directly to the user. For example, when queried about a video’s origin, Grok has been observed providing links to suspicious domains.
This method effectively circulates the malicious link, enhancing its visibility and perceived legitimacy. By having the AI reference the domain, scammers may gain improved SEO and a bolstered reputation for their malicious sites, misleading users into trusting them.