Malicious files disguised as Google Chrome are appearing in Bing search results, and it’s not even the first time this has happened.
Search Engine Vetting Failures
Google is currently losing its mind. Why? Bing has allowed a malicious ad to display that serves up malware instead of the legitimate Google Chrome download. But, to be fair, Google is just as guilty…
Here’s the story:
Last April, Bing was found displaying a fraudulent advertisement when users searched for “Google Chrome download”. Instead of directing users to the legitimate download page, it sent them to a fake site serving malware. Bad, right? We agree. That ad has since been removed. However, a replacement has now appeared on Bing. Users are rightfully upset, because search engines should be doing their due diligence to ensure the ads they serve are legitimate. But they’re not.
Google is particularly upset because it is a fake ad for Google Chrome. Again, we get it. But Google also has a history of failing to properly vet its paid advertisements. We cannot even begin to tell you how many times we’ve had to file DMCA notices over fraudulent PC Matic support websites that Google promotes as paid ads. Even after those pages have been taken down, Google will still display them in search results.
So, before Google gets too upset with Bing, perhaps they should look at their vetting processes as well.
We all like to think that we’re tech-savvy enough to avoid getting scammed by fake websites, but apparently it is all too easy for malware to slip through the cracks. Recently, it was discovered that Bing had been promoting a link to a scam website to users searching for a Google Chrome download link.
Searching for “download chrome” yielded an ad as the top result whose displayed URL was “www.google.com.” Clicking it took Landau, the Twitter user who reported the ad, to googleonline2018.com, a scam website designed to look like the real Chrome download page. When I tried visiting this website using Chrome, it blocked it as a deceptive site. However, as Landau and others found out, Bing had let this scam through to the front page, despite the fake URL.
While the malicious ad didn’t appear in every search, several other Twitter users were able to reproduce the issue, but only when using the Edge browser. Both Firefox and Chrome recognized the website as a scam and blocked it.
Landau identified the downloaded file as malware by inspecting its digital signature: the installer was signed not by Google, but by Alpha Criteria Ltd., a known distributor of malware. The lesson is that a signature by itself proves nothing; what matters is who signed the file.
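The check Landau performed can be scripted. The following PowerShell snippet is an added example, not code from the original post: it reads the Authenticode signature of a downloaded installer with the built-in Get-AuthenticodeSignature cmdlet and refuses the file unless the signature is valid and the signer’s common name is Google’s. The file path and the list of expected signer names are assumptions; a validly signed file from Alpha Criteria Ltd. would report Status “Valid”, which is exactly why the signer name is checked separately.

```powershell
# Added example (not from the original post): verify that a downloaded
# "Chrome installer" carries a valid Authenticode signature from Google
# before running it. The path below is an assumption; adjust it.
$installer = "$env:USERPROFILE\Downloads\ChromeSetup.exe"

# Signer names Google has used on the Chrome installer. Treat this list as
# an assumption and update it if Google's code-signing certificate changes.
$expectedSigners = @('Google LLC', 'Google Inc')

$sig = Get-AuthenticodeSignature -FilePath $installer

if ($sig.Status -ne 'Valid') {
    # NotSigned, HashMismatch, UnknownError and friends all mean: do not run it.
    Write-Warning "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
    exit 1
}

# 'Valid' only means some CA-trusted certificate signed the file.
# Pull the CN out of the subject DN, e.g. "CN=Google LLC, O=Google LLC, L=Mountain View, ..."
$cn = ($sig.SignerCertificate.Subject -split ',\s*' |
       Where-Object { $_ -like 'CN=*' } |
       Select-Object -First 1) -replace '^CN=', ''

if ($expectedSigners -notcontains $cn) {
    Write-Warning "Valid signature, but the signer is '$cn', not Google. Do not run this installer."
    exit 1
}

Write-Host "Signed by '$cn' (thumbprint $($sig.SignerCertificate.Thumbprint)); signature is valid."
```

The same information is visible without a script on the file’s Properties dialog, under the Digital Signatures tab, or with the Sysinternals sigcheck tool. Note that the CN extraction above splits the subject on commas, which is fine for Google’s certificate but can misparse subjects whose fields themselves contain quoted commas.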
This whole thing sounds oddly conspiratorial. Microsoft responded by removing the ad, but since this isn’t the first time it has popped up on Bing, there is no guarantee the issue is permanently solved. The company reached out to Landau on Twitter, encouraging him and others to report suspicious ads through its website. So far, there has been no word on whether Microsoft is making any changes to prevent these ads in the future.
Avoiding Malicious Ads
As for avoiding these malicious ads: users need to do their own due diligence rather than relying on the search engines to do it for them. Here are a few key tips for search engine best practices:
- Ensure the destination URL really goes to the legitimate website, not a copy-cat or third-party site. The URL an ad displays is not necessarily where the click lands, so check the address bar after the page loads.
- Look at more than the first search result, and note which results are labeled as ads.
- This isn’t foolproof, but it helps: confirm the landing page uses https:// rather than http://. Keep in mind that HTTPS only means the connection is encrypted; scam sites obtain certificates too, so a padlock says nothing about who runs the site.
- If you already know the URL, don’t search for it; that only increases the odds you’ll click on something malicious. Type the URL directly into the browser’s address bar, or use a bookmark you saved earlier.
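The first tip, checking that an ad actually lands where it claims to, can be made mechanical. The following PowerShell snippet is an added example, not code from the original post: it reduces a displayed URL and the final landing URL to their registrable domains and flags a mismatch, as well as a landing domain that is not on a short trusted list. The ad data is constructed from the incident described above (plus one made-up lookalike host), nothing is fetched from the network, and the trusted-domain list and the “last two labels” domain rule are simplifying assumptions.

```powershell
# Added example (not from the original post): compare the domain a search ad
# displays with the domain its link actually lands on. All inputs below are
# constructed; the script performs no network requests.

function Get-RegistrableDomain {
    param([string]$Url)
    # Accept bare hosts ("www.google.com") as well as full URLs.
    if ($Url -notmatch '^[a-z][a-z0-9+.-]*://') { $Url = "http://$Url" }
    $uriHost = ([System.Uri]$Url).Host.ToLowerInvariant()
    # Assumption: "last two labels" is the registrable domain. Correct for
    # .com/.net/.org, wrong for suffixes such as .co.uk (use the Public
    # Suffix List if you need those).
    $labels = $uriHost.Split('.')
    if ($labels.Count -lt 2) { return $uriHost }
    return ($labels[-2..-1] -join '.')
}

function Test-AdDestination {
    param(
        [string]$DisplayUrl,                       # what the ad shows the user
        [string]$LandingUrl,                       # where the click actually ends up, after redirects
        [string[]]$TrustedDomains = @('google.com') # assumption: the only legitimate source of Chrome
    )
    $shown  = Get-RegistrableDomain $DisplayUrl
    $landed = Get-RegistrableDomain $LandingUrl
    if ($shown -ne $landed) {
        return "MISMATCH: ad shows '$shown' but lands on '$landed'"
    }
    if ($TrustedDomains -notcontains $landed) {
        return "UNTRUSTED: '$landed' is not one of $($TrustedDomains -join ', ')"
    }
    return "OK: '$landed'"
}

# Constructed cases: the incident from the story, a made-up lookalike host
# that embeds "google.com" as a subdomain, and the genuine download page.
$cases = @(
    @{ Display = 'www.google.com'; Landing = 'https://googleonline2018.com/download' },
    @{ Display = 'www.google.com'; Landing = 'https://www.google.com.example-login.test/chrome' },
    @{ Display = 'www.google.com'; Landing = 'https://www.google.com/chrome/' }
)
foreach ($c in $cases) {
    "{0,-16} -> {1}" -f $c.Display, (Test-AdDestination -DisplayUrl $c.Display -LandingUrl $c.Landing)
}
```

The first two cases are flagged as MISMATCH (googleonline2018.com and example-login.test are not google.com), and only the third is reported OK. In practice the landing URL is whatever the browser shows after the ad network’s redirect chain finishes, so collect it in an isolated environment rather than by clicking the ad on a production machine.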