Earlier this year, Microsoft announced Bing AI Chat, which offered users an intuitive way of interacting with the Bing search engine. Since launch, Bing AI has received several updates to improve the experience as well as bring new features.
However, it looks like Microsoft's new chatbot is not perfect. According to a report published by Malwarebytes, Bing's AI is serving malicious ads to users. While everyone had expected Microsoft to inject ads into Bing AI, the company is currently allowing bad actors to push malicious websites to unsuspecting users.
Bing AI currently adds hyperlinks to text when responding to user queries, and sometimes these hyperlinks are sponsored ads. However, when Malwarebytes asked Bing AI how to download Advanced IP Scanner, it gave a hyperlink to a malicious website instead of the official one.
While Microsoft does put a small ad label next to the link, it is easy to overlook, and an unsuspecting user will not think twice before clicking the link and downloading a file that could very well damage their system.
In this instance, the ad opened a fake URL that filtered traffic and took real users to a fake website that mimics the official Advanced IP Scanner website. Once someone runs the executable installer, the script tries to connect to an external IP address.
Unfortunately, Malwarebytes did not find the final intention or the payload, but it could easily have been spyware or ransomware.
Upon clicking the first link, users are taken to a website (mynetfoldersip[.]cfd) whose purpose is to filter traffic and separate real victims from bots, sandboxes, or security researchers. It does that by checking the visitor's IP address, time zone, and various other system settings, such as web rendering behaviour that identifies virtual machines.
Real humans are redirected to a fake site (advenced-ip-scanner[.]com) that mimics the official one, while others are sent to a decoy page. The next step is for victims to download the supposed installer and run it.
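To make the lookalike-domain step concrete, here is an added example (not code from Malwarebytes, Microsoft or the original article) that refangs indicators written with `[.]` and flags any domain whose registrable label sits within a small edit distance of a known vendor domain. The official Advanced IP Scanner domain used as the reference is an assumption; the two defanged domains are the ones named above.

```python
"""Flag lookalike domains such as the one described in the report.

Added example, not the report's or the vendor's code. OFFICIAL holds an
assumed official domain; SAMPLE holds the two defanged domains from the report.
"""


def refang(indicator: str) -> str:
    """Turn a defanged indicator like 'example[.]com' back into a real hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def registrable_label(domain: str) -> str:
    """Return the label left of the TLD, assuming a single-label public suffix."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify(domain: str, official: list[str], max_distance: int = 2) -> str:
    """Return 'official', 'lookalike' (near an official label) or 'unrelated'."""
    host = refang(domain)
    if host in official:
        return "official"
    label = registrable_label(host)
    for good in official:
        if 0 < edit_distance(label, registrable_label(good)) <= max_distance:
            return "lookalike"
    return "unrelated"


# Constructed sample: assumed official domain plus the report's defanged domains.
OFFICIAL = ["advanced-ip-scanner.com"]
SAMPLE = ["advenced-ip-scanner[.]com", "mynetfoldersip[.]cfd", "advanced-ip-scanner.com"]

if __name__ == "__main__":
    for d in SAMPLE:
        print(f"{d:30} -> {classify(d, OFFICIAL)}")
```

The traffic-filtering host is not a lookalike at all, which is why a brand-similarity check alone does not catch the first hop; it only flags the final landing domain.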
While this was one instance, there is a good chance that anyone can take advantage of this by creating a Microsoft ad account and running a marketing campaign. From the looks of it, Microsoft is not really checking the campaigns once they are submitted to ensure they follow the guidelines and do not target users.