Microsoft’s Bing Chat, introduced in February, has been a beacon for users seeking a seamless search experience. However, it seems the platform is grappling with a significant issue – the presence of malicious ads or ‘malvertising’.
This development is alarming, considering Bing Chat’s growing user base and Microsoft’s reputation.
Bing Chat, in its quest to offer enriched user experiences, began featuring ads to offset operational costs. Unfortunately, this initiative has been marred by the infiltration of harmful ads, as identified by security firm Malwarebytes.
These ads, served by Microsoft’s advertising platform, have been found to be deceptive and potentially harmful, requiring user interaction to inflict damage.
When users click these ads, they are redirected to sites that could phish their login details, push malware-laden downloads, or exploit vulnerabilities to hijack their computers.
The Mechanism of Harmful Ads
The harmful ads infiltrate Bing Chat conversations in subtle ways. For instance, when a user hovers over a link, an ad is displayed before the organic result. Jerome Segura, Director of Threat Intelligence at Malwarebytes, highlighted that these ads necessitate user action to cause harm.
In response to these findings, a spokesperson from Microsoft stated that the content violating their policies has been removed, and the advertiser responsible has been blocked from their networks.
Clicking a deceptive link sends the user to a site designed to differentiate between potential victims and security researchers, using visitors’ IP addresses, time zones, and system settings. Visitors judged to be potential victims are then redirected to fake websites, where they are prompted to download malicious installers.
Microsoft is actively monitoring its ad network for similar content and is committed to taking necessary action to protect customers. Microsoft continues to refine its detection mechanisms to identify and remove such ads in the future, ensuring user safety and maintaining trust.
One example of such malvertising involved a fake domain impersonating the case-management software business MyCase. Jason Nichols, VP and Head of Information Security at MyCase, clarified that the domain has no affiliation with them, and they are working to have it taken down. He assured that there is no indication of any compromise to their data or systems or any impact on their customers.
The Impact and Future Implications
The presence of malicious ads on Bing Chat is concerning, given the platform’s integration of advertisements in conversations and responses to user queries. Users are inadvertently exposed to sponsored links that can lead to phishing sites that offer malicious apps for download.
In one instance, a seemingly harmless query for a network management program led users to a counterfeit website offering a malicious installer for download.
This situation underscores the importance of stringent ad vetting by Microsoft to safeguard user interests and maintain platform integrity. Malwarebytes has reported its findings to Microsoft. The discovery of malicious ads on Bing Chat is a stark reminder of the constant need for vigilance in the digital realm.
It emphasizes the importance of user caution and the responsibility of tech companies to ensure the security and integrity of their platforms. As Microsoft navigates through this challenge, the resolution of this issue will be crucial in maintaining user trust and the overall success of Bing Chat.