Cybersecurity experts have identified a new method that cybercriminals are using to evade the malvertising safeguards of a popular social media platform and disseminate harmful links through its AI assistant Grok.
The discovery was shared by Nati Tal, the head of Guardio Labs, in a series of posts on the platform. This technique has been named Grokking.
The technique is designed to circumvent the platform's restrictions on Promoted Ads, which allow users to include only text, images, or videos and then promote that content to a wider audience, garnering hundreds of thousands of impressions through paid promotion.
To accomplish this, malicious advertisers run promoted video card posts with adult content as a lure and conceal the fraudulent link in the “From:” metadata field below the video player, which apparently goes unnoticed by the platform.
In the next step, the scammers tag Grok in replies to the post, asking a question like “where is this video from?”, which prompts the AI chatbot to reveal the link in its response.
“Moreover, it now gains traction in SEO and domain reputation – as it was echoed by Grok in a post with millions of impressions,” Tal explained.
A prohibited link that the platform explicitly bans in ads (and should have been completely blocked!) suddenly emerges in a post from the trusted Grok account, nestled within a viral promoted thread, spreading to millions of feeds and search results!
Guardio revealed that these links lead users to dubious ad networks, redirecting them to malicious sites that promote fake CAPTCHA scams, malware that steals information, and other questionable content through direct link monetization.
These domains are believed to be part of the same Traffic Distribution System (TDS), often utilized by malicious ad tech providers to direct traffic to harmful or deceptive content.
The cybersecurity firm informed The Hacker News that it has identified hundreds of accounts engaging in this activity in recent days, with each one posting hundreds or even thousands of similar posts.
“They appear to be posting continuously for several days until the account is suspended for violating platform policies,” they added. “It appears to be a highly organized effort.”
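A defensive sketch of the two gaps described above, added here as an example and not taken from Guardio or the platform: ad review that scans every field of a promoted post rather than only the body text, and an output filter on assistant replies in promoted threads. The record layout, field names and sample domain are assumptions constructed for illustration.

```python
import re

# Matches scheme URLs, www. hosts and bare domains such as "example.invalid/x".
# Deliberately broad: a false positive costs a manual review, a miss ships a link.
LINK_RE = re.compile(
    r"(?i)\b(?:https?://\S+|www\.\S+|[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b(?:/\S*)?)"
)

def find_links(value, path="post"):
    """Walk every nested field of a record and yield (field_path, link)."""
    if isinstance(value, dict):
        for key, item in value.items():
            yield from find_links(item, f"{path}.{key}")
    elif isinstance(value, (list, tuple)):
        for i, item in enumerate(value):
            yield from find_links(item, f"{path}[{i}]")
    elif isinstance(value, str):
        for match in LINK_RE.finditer(value):
            yield path, match.group(0)

def review_promoted_post(post):
    """Return all links in a promoted post, whichever field carries them."""
    return list(find_links(post))

def redact_links(reply_text):
    """Strip links from an assistant reply posted inside a promoted thread."""
    return LINK_RE.sub("[link removed]", reply_text)

# Constructed sample: field names are hypothetical (not the platform's schema),
# and the domain uses the reserved .invalid TLD.
SAMPLE_POST = {
    "promoted": True,
    "text": "Full video below",
    "media": [{"type": "video", "id": "media-0001"}],
    "card": {"from": "clips-example.invalid/watch"},
}
SAMPLE_REPLY = "The video appears to come from clips-example.invalid/watch"

if __name__ == "__main__":
    for field, link in review_promoted_post(SAMPLE_POST):
        print(f"blocked: link in {field}: {link}")
    print(redact_links(SAMPLE_REPLY))
```

Scanning only `text` on the sample record finds nothing, which is the gap the campaign relies on; walking the whole record reports the link under `post.card.from`.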





