Threat actors abuse X's Grok AI to spread malicious links
"Instead, they hide it in the small "From:" metadata field under the video card, which apparently isn't scanned by the social media platform for malicious links. Next, (likely) the same actors ask Grok via a reply to the ad something about the post, like "where is this video from," or "what is the link to this video." Grok parses the hidden "From:" field and replies with the full malicious link in clickable format, allowing users to click it and go straight to the malicious site."
"Because Grok is automatically a trusted system account on the X platform, its post boosts the link's credibility, reach, SEO, and reputation, increasing the likelihood that it will be broadcast to a large number of users. The researcher has found that many of these links funnel through shady ad networks, leading to scams such as fake CAPTCHA tests, information-stealing malware, and other malicious payloads."
Threat actors hide malicious links in the small "From:" metadata field under video cards on X to evade link scanning and posting restrictions. They run sketchy video ads with adult-content bait and omit visible links, then prompt Grok via replies asking for the video's source or link. Grok parses the hidden "From:" field and returns the full clickable URL, which users can follow to scam pages. Grok's trusted system account status boosts the link's credibility, reach, SEO, and distribution. Many links funnel through shady ad networks and lead to fake CAPTCHA tests, information-stealing malware, and other malicious payloads. Mitigations include scanning all fields, blocking hidden links, and adding context sanitization to Grok.
Read at BleepingComputer
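
The mitigations named in the summary (scan every field, flag links outside the visible post body, sanitize what the assistant is given), sketched as an added example; it is not code from X, Grok, or the cited article. The post schema (`text`, `card.from`), the allow-list, and the sample post are constructed assumptions.

```python
import re

# Scheme-optional matcher: metadata fields may carry bare domains as well as full URLs.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}\b(?:/[^\s\"'<>]*)?", re.I)
VISIBLE_FIELDS = {"text"}   # assumption: only the post body is scanned today
ALLOWED_HOSTS = {"x.com"}   # constructed allow-list standing in for a real link scanner

# Constructed sample post; the schema (text, card.from) is hypothetical.
POST = {"text": "Watch the full clip",
        "card": {"title": "video", "from": "https://redirect.example.net/v?id=1"}}

def walk(obj, path=""):
    """Yield (field_path, string) for every string anywhere in the post."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from walk(value, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path, obj

def find_links(post):
    """Scan all fields, not just the body: returns [(field_path, url)]."""
    return [(p, m.group(0)) for p, s in walk(post) for m in URL_RE.finditer(s)]

def hidden_links(post):
    """Links that sit outside the visible body, e.g. in card metadata."""
    return [(p, u) for p, u in find_links(post) if p not in VISIBLE_FIELDS]

def is_allowed(url):
    host = re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].lower()
    return host in ALLOWED_HOSTS

def defang(url):
    """Make a URL non-clickable so a reply cannot turn it into a live link."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")

def assistant_context(post, allowed=is_allowed):
    """Field text as handed to the assistant; unvetted links are defanged."""
    def fix(m):
        return m.group(0) if allowed(m.group(0)) else defang(m.group(0))
    return {p: URL_RE.sub(fix, s) for p, s in walk(post)}

if __name__ == "__main__":
    print(hidden_links(POST))
    print(assistant_context(POST)["card.from"])
```

A non-empty `hidden_links` result is the signal to hold an ad for review; `assistant_context` is the sanitization step applied before any field text reaches the model.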