Microsoft has axed a Bing search result advert that masqueraded as a legit online banking website – but was in fact a sophisticated phishing operation.
Searching for "TSB" – as in the UK's TSB Bank – on the Great Britain edition of Bing would bring up, right at the top of the page, a search ad for a phishing website described as "TSB – Welcome to TSB UK – Online Personal Account". Clicking on the link would direct marks to a phishing page pretending to be the bank's login portal, we're told.
Reg reader Simon Halsey told us he tried to report the fraudulent ad to Microsoft, and to TSB, yet the advert remained on search result pages. So he turned to us, we prodded Redmond, and over the weekend, the ad and the account that created it were black holed. Hooray.
The Redmond software giant confirmed Monday morning, US Pacific Time, it had pulled the ad. "Following the recent alert of a phishing scam, targeting customers of TSB with the use of a fraudulent website, we can confirm Microsoft has shut down the account responsible," Microsoft said.
"We will continue to monitor the situation for any further activity."
Because it was a legitimate ad purchased on Bing, the link would appear as the top result, ahead of the actual TSB page. What's worse, the phishing site used a typo-squatting URL and a valid SSL certificate to make the forgery appear even more authentic.
Bing before the weekend with the dodgy 'persqnal' TSB bank ad
Bing after the weekend with the malicious ad gone, and the real bank as the top search hit
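As an added example (not code from the article, Microsoft or TSB), here is the kind of brand-monitoring check a defender could run over landing-page hostnames collected from search ads or proxy logs to catch a 'persqnal'-style typosquat: the brand terms, the allow-listed domain and every sample hostname below are constructed for the example, and the flagged domain is not the one from the story.

```python
import re

# Constructed for this example: terms the brand wants watched, and the
# registrable domain(s) whose hosts are trusted. Not TSB's real allow-list.
BRAND_TERMS = ("tsb", "personal")
LEGIT_DOMAINS = {"tsb.co.uk"}


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance: 'persqnal' vs 'personal' is 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> tuple[str, list[str]]:
    """Return ('legitimate' | 'lookalike' | 'unrelated', reasons)."""
    host = host.lower().rstrip(".")
    # Exact allow-listed domain or a genuine subdomain of it. The suffix check
    # needs the leading dot so 'tsb.co.uk.example.net' does not pass.
    if host in LEGIT_DOMAINS or any(host.endswith("." + d) for d in LEGIT_DOMAINS):
        return "legitimate", []
    reasons = []
    # Split on dots and hyphens so 'tsb-persqnal.co.uk' yields 'tsb', 'persqnal', ...
    for label in re.split(r"[.-]", host):
        for term in BRAND_TERMS:
            d = edit_distance(label, term)
            if d == 0:
                reasons.append(f"contains brand term '{term}' but is not allow-listed")
            elif d == 1 and len(term) >= 5:
                # One-edit neighbours of short terms ('tsb') are mostly noise,
                # so fuzzy matching is only applied to longer terms.
                reasons.append(f"label '{label}' is one edit away from '{term}'")
    return ("lookalike", reasons) if reasons else ("unrelated", [])


if __name__ == "__main__":
    # Constructed sample of ad landing-page hostnames, not real data.
    for h in ("www.tsb.co.uk", "tsb-persqnal.co.uk",
              "tsb.co.uk.example.net", "www.theregister.co.uk"):
        print(h, *classify_host(h))
```

A valid certificate on the lookalike host does nothing to change the verdict here, which is the point: TLS only proves control of the typo domain, not that it belongs to the bank.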
"We’ve tried reporting it, but Bing makes it almost impossible to do," our tipster told us.
"One of my colleagues typed 'TSB' into Internet Explorer causing a search on Bing. She nearly entered her details [into the phishing website]. The advert on the site is one of the most realistic scam sites I’ve seen, with a proper co.uk domain, an actual SSL cert, and even a mobile site."
While El Reg gets the assist in this case, Redmond said it encourages anyone who suspects a phishing site showing up on their Bing results to report the issue to them directly:
We understand that scamming is deeply worrying for consumers and ensure we provide all necessary support if they see something of concern. If anyone witnesses any suspicious activity, we encourage them to inform us at: https://advertise.bingads.microsoft.com/en-us/resources/policies/report-spam-form. When completing, it is important that 'phishing' is selected in the form menu, to ensure the issue is brought to our attention promptly, so appropriate actions can be taken.
Once you have reported a dodgy banner ad to Microsoft, it wouldn't hurt to kick a note over to email@example.com just in case the complaint gets stuck in a queue somewhere. ®