Grok AI Exploited in New ‘Grokking’ malvertising Scheme on X

A novel cybersecurity threat, dubbed “Grokking,” is leveraging X’s own artificial intelligence, Grok, to distribute malicious links hidden within promoted advertisements, putting unsuspecting users at risk.

The social media platform, formerly known as Twitter, has generally been effective at blocking malware-laden ads. However, this new exploit circumvents those protections by exploiting a loophole in how X handles ad metadata and user interaction with its AI chatbot.

How ‘Grokking’ Works

Malvertisers are crafting promoted ads – typically videos – that adhere to X’s advertising guidelines. While links are permitted in ads, they require X’s approval. The “grokking” technique bypasses this scrutiny by inserting malicious links into the “From” field of the ad’s metadata. When a user asks Grok about the video’s origin, Grok, in its response, will provide the link from the “From” field, effectively delivering the malicious link to the user.

“When one gets banned, more pop up, so its not a threat that’ll magically disappear.”

Recognizing the threat

Currently, a significant portion of these malicious video ads feature adult content, likely to attract clicks. However, the presence of adult content doesn’t automatically indicate a threat; caution should be exercised with all promoted ads.

Security researcher Nati Tal has documented the technique in a thread on X.

Key Indicators of a ‘Grokking’ Attack:

• Suspicious Grok Responses: If Grok responds to a query about a video’s origin with a link,rather than a user account or brand name,it’s a major red flag. A legitimate response to a question about where to purchase a product, for example, would direct users to the brand’s official homepage.
• Adult Content: While not definitive, a higher concentration of these malicious ads currently feature adult content.
• Too Good to Be True: Ads promising access to restricted content – such as adult material without age verification – are notably suspect.Many US states and countries now require age identification for access to such sites, creating a demand for bypasses that malicious actors are exploiting.

Protecting Yourself from ‘Grokking’

Fortunately, simply clicking the link is required for a successful attack; merely viewing the ad does not expose users to malware. Several preventative measures can substantially reduce your risk:

• Avoid Interaction: The most effective defense is to simply scroll past promoted ads.
• Verify Links: if you’re curious about an ad, refrain from clicking the link provided by Grok. Instead, search for the brand name within the link using a search engine to locate the official website. Be aware that vulnerabilities also exist in AI overviews, so scroll down to the standard search results for added safety.
• Scan with VirusTotal: Before clicking any link, run it through VirusTotal, a free online service that analyzes files and URLs against multiple antivirus engines.
• Consider X Premium+: An X Premium+ subscription ($40/month) offers an ad-free experience, eliminating the risk of encountering “Grokking” ads.
• Mobile Workaround: Users can access X as a mobile website to bypass ads, though some promoted posts may still appear.

Even if you choose to continue using X with ads enabled, remaining vigilant and researching any links before clicking them is crucial.

.

ultimately, awareness and caution are your best defenses against this evolving threat. Even if you prefer to keep X the way it is, ads and all, you don’t have to be a victim to this new type of attack. Just avoid interacting with ads and research any links before you click them.