Threat actors are using Grok, X's built-in AI assistant, to bypass link posting restrictions that the platform introduced to reduce malicious advertising.
As discovered by Guardio Labs researcher Nati Tal, malvertisers often run sketchy video ads containing adult-content bait and leave the link out of the main body so the ad is not blocked by X.
Instead, they hide it in the small "From:" metadata field under the video card, which apparently isn't scanned by the social media platform for malicious links.
[Image: Hiding the malicious link in an ignored field. Source: @bananahacks]
Next, likely the same actors reply to the ad and ask Grok something about the post, such as "where is this video from" or "what is the link to this video."
Grok parses the hidden "From:" field and replies with the full malicious link in clickable format, allowing users to click it and go straight to the malicious site.
[Image: Replies triggering a Grok response. Source: @bananahacks]
Because Grok is automatically a trusted system account on the X platform, its post boosts the link's credibility, reach, SEO, and reputation, increasing the likelihood that it will be broadcast to a large number of users.
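The gap described above has two halves: a link filter that only reads the post body, and an assistant that repeats whatever it finds in the rest of the post. The sketch below is an added example, not code from X, Guardio Labs or this article. It walks every string field of a post for links and defangs non-allowlisted links in an assistant reply. The field names (`text`, `card.from`), the host names and the sample data are constructed assumptions, not X's real schema.

```python
import re
from urllib.parse import urlsplit

# Matches explicit URLs and bare domains such as "site.example/path".
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)

def find_links(node, path=""):
    """Walk every string in a nested post payload; yield (field_path, link)."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from find_links(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_links(value, f"{path}[{i}]")
    elif isinstance(node, str):
        for m in URL_RE.finditer(node):
            yield path, m.group(0)

def host_of(link):
    """Lower-cased host of a link, tolerating a missing scheme."""
    if "://" not in link:
        link = "http://" + link
    return (urlsplit(link).hostname or "").lower()

def unscanned_links(post, scanned_fields=("text",)):
    """Links in fields that a body-only scanner would never inspect."""
    return [(p, l) for p, l in find_links(post) if p not in scanned_fields]

def defang_reply(reply, allowed_hosts):
    """Make links in an assistant reply non-clickable unless allowlisted."""
    def repl(m):
        link = m.group(0)
        if host_of(link) in allowed_hosts:
            return link
        return link.replace("://", "[:]//").replace(".", "[.]")
    return URL_RE.sub(repl, reply)

# Constructed sample; field names are hypothetical, not X's real schema.
SAMPLE_POST = {
    "text": "Watch the full video",
    "card": {"type": "video", "from": "promo-videos.example/watch?id=1"},
}
SAMPLE_REPLY = "The video is from https://promo-videos.example/watch?id=1"

if __name__ == "__main__":
    print(unscanned_links(SAMPLE_POST))
    print(defang_reply(SAMPLE_REPLY, allowed_hosts={"x.com"}))
```

The same link policy has to run on both sides: on every user-controlled field at ingest, and on the assistant's output before it is posted from a trusted account.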