Microsoft Bing Chat pushes malware via bad ads

From AI to just plain aaaiiiee!

Microsoft introduced its Bing Chat AI search assistant in February and a month later began serving ads alongside it to help cover costs.

However, some of those adverts served by Microsoft's own ad platform have turned out to be malicious. Security outfit Malwarebytes said on Thursday it has identified malvertising – harmful ads – distributed via Bing Chat conversations.

"Ads can be inserted into a Bing Chat conversation in various ways," said Jérôme Segura, director of threat intelligence, in a write-up. "One of those is when a user hovers over a link and an ad is displayed first before the organic result."

These particular bad ads require user action for any harm to be done. The victim has to click on the ad, at which point their browser will be taken to another site, which could attempt to phish their login details for a more legit service, push a malware-laden download onto them, or exploit a bug to hijack their computer, or similar.

For instance, according to Malwarebytes, clicking on a deceptive link might take the Bing Chat user to a website (mynetfoldersip[.]cfd) designed to separate potential victims from bots, sandboxes, and security researchers. The website code makes that determination using the visitor's IP address, time zone, and system settings that identify when virtual machines are being used.

Those deemed to be valid targets get redirected to a typo-differentiated fake website (advenced-ip-scanner[.]com), designed to resemble the legitimate one (advanced-ip-scanner[.]com), where they're invited to download and run a malicious installer.

According to Segura, the malicious Bing Chat ads followed from someone compromising the ad account of a legitimate Australian business and creating two malicious ads, one aimed at duping network admins interested in an Advanced IP Scanner utility and one targeting lawyers interested in case-management code biz MyCase.

"The malicious ads were served via the Microsoft advertising platform from legitimate but compromised ad accounts," said Segura in an email to The Register. "Bing Chat contains ads as part of the user experience, similar to those you see via a traditional Bing search."

A Microsoft spokesperson told The Register, "Our content policies prohibit advertising content that is deceptive, fraudulent or that can be harmful to users. We can confirm that this content has been removed and that the advertiser was blocked from our networks as part of our detection scan process.

"We are continuing to monitor our ad network for similar accounts and will take action as needed to help keep customers protected. We will continue to apply this feedback into our detection mechanisms to improve our ability to detect and remove similar ads in the future."

MyCase said the company is aware of the Malwarebytes report.

"We're aware of the situation involving a malicious ad domain that appears to be impersonating MyCase," said Jason Nichols, VP and head of information security, in an email to The Register.

"To clarify, this domain has no affiliation with us, and we are actively working to get it taken down. We have no reason to believe this incident has compromised our data, systems, or impacted our customers in any way."

Malicious ads come in many different forms. As noted by Confiant, another security firm that focuses on bad ads, malvertising runs the gamut from simple disruptive behavior (eg: quality violations like popups) to full-on ad fraud (eg: stacking invisible pixels that get billed as dozens of ads) to redirection-based scams to convince people to download exploit code.

In 2022, according to Confiant's most recent Malvertising and Ad Quality Index [PDF], an average of 0.21 percent of the ads delivered across all server-side ad platforms contained security violations. On Google's ad exchange, the security violation rate was 0.48 percent, which by one measure is close to the average click-through rate.

Google alone is estimated to serve 30 billion ad impressions daily, which suggests more than 100 million ads that violate security norms come from the Chocolate Factory every day.

"Malvertising has been one of the top web delivery vectors for malware and scams regardless of a user's operating system or geolocation for years," Segura told The Register. "Unlike other threats such as spam, it is difficult to track and report it. There are a number of different threat actors in this space ranging from amateur to professional.

Malvertising has been one of the top web delivery vectors for malware and scams regardless of a user's operating system or geolocation for years

"At the low end, we see repeat offenders that keep coming back using more or less the same techniques that in part take advantage of certain policies related to ad platforms. For example, it is fairly easy to forge an identity and use certain tools to evade detection from automated tools."

Those who are more skilled and target specific types of users tend to be more difficult to detect and stop, Segura added.

Back in 2015, when Internet Explorer, Flash, and Java were still widely used on the web, he explained, it was common to see exploit kits that targeted software vulnerabilities. But that's rare these days.

"In the past few years there have been a number of zero-day exploits for Google Chrome that have been weaponized thanks to malvertising, but those attacks have been very targeted, and the vulnerabilities patched quickly," said Segura. "We have yet to see a malvertising attack that goes for mainstream users via a zero-day."

According to a recent report from Haaretz in Israel, several Israeli firms have developed Pegasus-style surveillance software for nation-states and intelligence agencies that use ads for offensive purposes, like monitoring high-value targets and injecting malware onto devices.

Segura, however, suggests a relatively small set of people get targeted with these tools.

"Certain individuals such as journalists can be targeted directly via SMS-style attacks with a zero-click exploit," he said.

"When that is not possible, threat actors can use ad platforms to narrow down their target thanks to a number of profiling features. However, it is probably easier to compromise certain websites that are known to be visited by targets or have them click on a phishing link." ®

More about


Send us news

Other stories you might like