Cybersecurity researchers have flagged a new technique that cybercriminals have adopted to bypass social media platform X’s malvertising protections and propagate malicious links using its artificial intelligence (AI) assistant Grok.
The findings were highlighted by Nati Tal, head of Guardio Labs, in a series of posts on X. The technique has been codenamed Grokking.
The approach is designed to get around restrictions imposed by X in Promoted Ads that allow users to only include text, images, or videos, and subsequently amplify them to a broader audience, attracting hundreds of thousands of impressions through paid promotion.
To achieve this, malvertisers have been found to run video card-promoted posts with adult content as bait, with the spurious link hidden in the “From:” metadata field below the video player by taking advantage of the fact that it’s not scanned by the social media platform.
It’s worth mentioning here that the “From:” field is typically used to indicate the original poster of the video, but has been repurposed by the scammers in this campaign to share a link instead.
In the next step, the fraudsters tag Grok in replies to the post using a throwaway account, asking something similar to “where is this video from?,” prompting the AI chatbot to visibly display the link in response.
“Adding to that, it is now amplified in SEO and domain reputation – after all, it was echoed by Grok on a post with millions of impressions,” Tal said.
“A malicious link that X explicitly prohibits in ads (and should have been blocked entirely!) suddenly appears in a post by the system-trusted Grok account, sitting under a viral promoted thread and spreading straight into millions of feeds and search results!”
Guardio said the links direct users to sketchy ad networks, sending them to malicious links that push fake CAPTCHA scams, information-stealing malware, and other suspicious content via direct link (aka smartlink) monetization.
The domains are assessed to be part of the same Traffic Distribution System (TDS), which is often used by malicious ad tech vendors to route traffic to harmful or deceptive content.
The cybersecurity company told The Hacker News it has found hundreds of accounts engaging in this behavior over the past few days, with each of them posting hundreds or even thousands of similar posts.
“They seem to be posting non-stop for several days until the account gets suspended for violating platform policies,” it added. “So there are definitely many of them and it looks very organized.”
