
Grok Chatbot Exploited to Spread Scam Links
Scammers have found a way to abuse Grok into posting otherwise prohibited links on X, according to Guardio Labs researcher Nati Tal.
They run promoted 'video card' posts, mostly using adult content as bait, which raises the question of how these pass X's review process.
The malicious link is hidden in the small 'From:' field beneath the video player, a field X does not scan for malicious content.
Tal has dubbed the technique 'Grokking' and has reported it to X's administrators. The scheme works as follows: fraudsters launch dubious video ads with adult content as bait, but if a link is placed in the main body of such a post, X blocks the publication.
Instead, the perpetrators hide the link in the small 'From:' metadata field beneath the video card, which the social network apparently does not scan.
They then reply to the ad, asking Grok questions such as 'where is this video from' or 'what is the link to this clip.' The chatbot parses the hidden 'From:' field and replies with the full malicious address as a clickable link.
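The defensive lesson in the scheme above is that a link filter which inspects only the post body misses user-controlled metadata, and that a chatbot should not turn a URL it has merely read out of a record into a clickable link. The following added example is not code from the article, from Guardio Labs, or from X; it assumes a hypothetical post record with a nested `video_card.from` field, a constructed allowlist of domains, and a constructed sample post. It walks every string field in the record, flags links outside the allowlist, and defangs any URL the bot would otherwise render.

```python
import re
from typing import Any, Iterator
from urllib.parse import urlparse

# Simple URL matcher; good enough to find links hidden in any text field.
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)

# Constructed allowlist for the example; a real deployment would use its own policy.
ALLOWED_DOMAINS = {"example.com", "example.org"}

# Constructed sample post: the body is clean, the link sits in the video card's
# 'from' metadata field (hypothetical field name, modelled on the article).
SAMPLE_POST = {
    "body": "Check this out!",
    "video_card": {
        "title": "clip",
        "from": "https://bad.example.net/landing",
    },
}


def iter_text_fields(obj: Any, path: str = "post") -> Iterator[tuple[str, str]]:
    """Yield (field_path, text) for every string anywhere in a nested record."""
    if isinstance(obj, str):
        yield path, obj
    elif isinstance(obj, dict):
        for key, value in obj.items():
            yield from iter_text_fields(value, f"{path}.{key}")
    elif isinstance(obj, (list, tuple)):
        for index, value in enumerate(obj):
            yield from iter_text_fields(value, f"{path}[{index}]")


def find_links(post: dict) -> list[tuple[str, str]]:
    """Return (field_path, url) for every URL in any field, metadata included."""
    found = []
    for path, text in iter_text_fields(post):
        for url in URL_RE.findall(text):
            found.append((path, url))
    return found


def body_only_links(post: dict) -> list[str]:
    """The weak check: look at the main body only, as the article says X did."""
    return [url for _, url in find_links({"body": post.get("body", "")})]


def domain_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def vet_post(post: dict, allowed: set[str] = ALLOWED_DOMAINS) -> list[str]:
    """Return a finding for each link whose domain is not on the allowlist."""
    findings = []
    for path, url in find_links(post):
        if domain_of(url) not in allowed:
            findings.append(f"unvetted link in {path}: {url}")
    return findings


def render_link(url: str, allowed: set[str] = ALLOWED_DOMAINS) -> str:
    """Chatbot-side guard: render only allowlisted URLs as clickable; defang the rest."""
    if domain_of(url) in allowed:
        return f'<a href="{url}">{url}</a>'
    return url.replace("://", "[:]//").replace(".", "[.]")


if __name__ == "__main__":
    print("body-only scan finds:", body_only_links(SAMPLE_POST))
    print("full-record scan finds:", find_links(SAMPLE_POST))
    for finding in vet_post(SAMPLE_POST):
        print("FLAG:", finding)
    print("bot would render:", render_link(SAMPLE_POST["video_card"]["from"]))
```

Run as a script, the body-only scan returns nothing while the full-record scan surfaces the link in `post.video_card.from`; the two checks are kept as separate functions so the gap is visible side by side. The `render_link` guard is the second half of the mitigation: even if an unvetted URL reaches the bot, it is emitted in defanged form rather than as a clickable anchor.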
Because posts from Grok carry extra trust, the reply boosts the reach and reputation of the ad; in some cases the ad is seen by millions of users.
The researcher found that many such links lead to data-stealing malware, fake CAPTCHA checks, and other dubious resources.