Watch What You Click: Attackers Weaponize AI to Spread Malicious Links
Think that website link AI sent you is always safe?
Think again.
Attackers are weaponizing generative AI tools like Grok (X’s built-in generative AI) to spread malicious links that install malware on your device or send you to phishing sites designed to steal your credentials.
The attack has been nicknamed “Grokking,” but this isn’t just a Grok problem. The same technique could theoretically work on other tools, like Copilot, ChatGPT or Gemini.
Let’s discuss how the attack works and ways you can protect yourself and your organization from harm.
How Does Grokking Work?
Here’s a quick breakdown of how the attack works.
- On the X social media platform, an attacker will embed a malicious link within a video post.
- The attacker then replies to that post, asking Grok where the video is from.
- Grok reads the post, finds the malicious link and shares it.
Not only is the response amplified on X for potentially millions of people to see, but the link also gains SEO and domain reputation because Grok is considered a trusted source.
Essentially, that malicious link could show up higher in Google search results because Grok promoted it.
How Do I Protect Myself?
Don’t blindly trust AI.
That’s the quick and simple answer. You should always have a healthy level of skepticism when it comes to AI, if only because it can make up answers that aren’t true.
Additionally, you cannot assume that any public generative AI tool hasn’t been poisoned with malicious content.
Aside from that, there are a few things you can do to ensure you don’t fall victim.
- Hover over any link a generative AI tool gives you. Check where it leads, and don’t click it if it looks suspicious.
- Use strong passwords and multifactor authentication for all accounts to reduce the risk of stolen credentials.
- Keep all of your devices and operating systems up to date to minimize vulnerability exploitation.
- Invest in security software, such as managed detection and response and phishing protection found in Microsoft 365 Business Premium.
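The "check where it leads" step above can also be automated for replies that pass through a help desk or chat integration. The following is an added example, not part of the original article: it pulls every link out of an AI reply and lists the reasons each one deserves a closer look. The trusted-host list, function names and sample reply are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: hosts your organization already trusts (sample values only).
TRUSTED_HOSTS = {"x.com", "microsoft.com"}
URL_RE = re.compile(r"https?://[^\s<>()\[\]]+", re.IGNORECASE)

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def triage_link(url, shown_text=""):
    """Return the reasons a link from an AI reply deserves a closer look."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme.lower() != "https":
        reasons.append("not HTTPS")
    if "@" in parts.netloc:
        reasons.append("userinfo before '@' hides the real host")
    if is_ip_literal(host):
        reasons.append("raw IP address instead of a domain")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode host (possible lookalike domain)")
    # The visible text names one domain but the link goes to another.
    shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", shown_text.lower())
    if shown and shown.group(0) != host and not host.endswith("." + shown.group(0)):
        reasons.append("link text shows %s but target is %s" % (shown.group(0), host))
    trusted = host in TRUSTED_HOSTS or any(host.endswith("." + t) for t in TRUSTED_HOSTS)
    if not trusted:
        reasons.append("host not on the trusted list")
    return reasons

def triage_reply(reply_text):
    """Map every URL found in an AI reply to its list of warning reasons."""
    urls = [u.rstrip(".,;:!?") for u in URL_RE.findall(reply_text)]
    return {u: triage_link(u) for u in urls}

# Constructed sample reply; example.test and 203.0.113.7 are reserved test values.
SAMPLE_REPLY = ("The video is from https://x.com/i/status/1 and is mirrored at "
                "http://203.0.113.7/watch and https://x.com@video.example.test/clip")

if __name__ == "__main__":
    for url, reasons in triage_reply(SAMPLE_REPLY).items():
        print(url, "->", reasons or ["no warnings"])
```

An empty reason list means only that none of these checks fired, so the link still gets the same skepticism as any other AI output.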
Train Your Team to Spot AI Scams
Attackers are getting better at disguising their phishing attacks, and technology alone can’t stop these scams; awareness is just as important. Don’t wait until someone at your organization falls victim to implement phishing training.
If you’re looking to protect your company from cybersecurity threats, contact us to learn how we can help train your employees to spot the telltale signs of a scam.
