Cybersecurity researchers have recently identified a sophisticated new method, dubbed “Grokking,” that cybercriminals are employing to circumvent the malvertising protections on the social media platform X. This technique, highlighted by Nati Tal of Guardio Labs, exploits the platform’s artificial intelligence assistant, Grok, to propagate malicious links. The core of this approach is to get around the strict content restrictions for Promoted Ads, which typically disallow the inclusion of direct links. Instead of embedding the link directly, malicious actors hide it within a video’s metadata, a field that is apparently not subject to the platform’s standard scanning processes.
The “Grokking” process begins with cybercriminals running promoted video ads, often using adult content as a lure to attract attention. The malicious link is concealed within the video’s “From:” metadata field, which is displayed below the video player. This is a crucial step, as this specific field appears to be a blind spot for X’s automated scanning systems. Once the post is live and amplified through paid promotion, the threat actors tag Grok in a reply to the post, asking a question such as “where is this video from?” This prompt leads the AI chatbot to quote the hidden link in its response, effectively making the malicious URL visible to a broad audience.
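The blind spot described above comes down to which fields of an ad submission a moderation scanner actually inspects. The following Python snippet is an added illustration, not code from Guardio Labs, X, or the article: it assumes a hypothetical ad submission represented as a nested dictionary, and contrasts a naive scanner that checks only the visible post body with a hardened one that walks every string field, metadata included, before the ad is approved. The sample submission and the placeholder link in it are constructed for the example.

```python
import re
from typing import Any, Dict, List

# Constructed sample ad submission (hypothetical shape, not X's real data model).
# The visible body carries no link, but the video "From:" metadata field does,
# which is the pattern the article describes.
SAMPLE_AD: Dict[str, Any] = {
    "body": "Check out this clip",
    "video": {
        "title": "clip.mp4",
        "from": "Watch more at hxxp://example-placeholder.invalid/landing",
    },
}

# Matches http(s) URLs and the common "hxxp" defanged spelling; stops at whitespace
# or angle brackets. Deliberately permissive: moderation should over-flag, not miss.
URL_RE = re.compile(r"\b(?:https?|hxxps?)://[^\s<>]+", re.IGNORECASE)


def naive_scan(ad: Dict[str, Any]) -> List[str]:
    """Weak check: only the visible post body is scanned for links."""
    return URL_RE.findall(ad.get("body", ""))


def flatten(obj: Any, prefix: str = "") -> Dict[str, str]:
    """Recursively flatten nested dicts/lists into {field_path: string_value}."""
    out: Dict[str, str] = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}.{key}" if prefix else str(key)))
    elif isinstance(obj, list):
        for idx, value in enumerate(obj):
            out.update(flatten(value, f"{prefix}[{idx}]"))
    else:
        out[prefix] = str(obj)
    return out


def full_scan(ad: Dict[str, Any]) -> Dict[str, List[str]]:
    """Hardened check: every string field, including media metadata, is scanned.

    Returns a map of field path -> URLs found there, so a reviewer can see
    exactly which field smuggled the link.
    """
    findings: Dict[str, List[str]] = {}
    for path, value in flatten(ad).items():
        urls = URL_RE.findall(value)
        if urls:
            findings[path] = urls
    return findings


def should_reject(ad: Dict[str, Any]) -> bool:
    """Policy decision: a promoted ad that must not carry links is rejected if
    a URL appears anywhere in the submission, not just in the body."""
    return bool(full_scan(ad))


if __name__ == "__main__":
    print("naive scan:", naive_scan(SAMPLE_AD))   # finds nothing
    print("full scan: ", full_scan(SAMPLE_AD))    # flags video.from
    print("reject:    ", should_reject(SAMPLE_AD))
```

The point of `flatten` is that the scanner should not need to know in advance which metadata field an attacker will pick; any field that the platform (or an assistant like Grok) might later render to users is part of the attack surface and must be covered by the same policy as the body text.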
This method is highly effective because it leverages the trust associated with a system-trusted account like Grok. The AI’s response, which includes the malicious link, is then amplified through the viral promoted thread, spreading to millions of feeds and search results. As Nati Tal noted, a link that X’s advertising policies explicitly prohibit suddenly appears in a post from a trusted source, gaining an unprecedented level of exposure and credibility. This amplification is further bolstered by search engine optimization (SEO) and domain reputation benefits, as the link is now associated with a post that has garnered millions of impressions.
The links disseminated through this technique direct users to a variety of harmful content, including fake CAPTCHA scams, information-stealing malware, and other deceptive schemes. Guardio Labs found that these domains are part of a larger Traffic Distribution System (TDS), a network often used by malicious ad tech vendors to route traffic to dangerous or fraudulent content. The use of smartlinks further personalizes the malicious content delivered to each user. The cybersecurity firm has observed hundreds of accounts engaging in this organized behavior, with each account posting a massive number of similar posts until they are eventually suspended for violating platform policies.
The organized nature and rapid proliferation of this “Grokking” technique pose a significant threat to X users. The method demonstrates a creative and alarming new way for cybercriminals to exploit platform features and bypass security measures. By leveraging X’s own AI assistant, malicious actors are able to lend legitimacy to their links and achieve a level of reach that would be impossible through traditional malvertising. The findings underscore the need for social media platforms to constantly adapt their security protocols to stay ahead of sophisticated and evolving cyber threats.