You launch Edge on your new PC, search for “download Chrome,” and click the first result headed to “google.com” on Bing. You’re now on a phishing website pushing malware, disguised to look like the Chrome download page.
That’s the story Gabriel Landau tells on Twitter:
— Gabriel Landau (@GabrielLandau) October 25, 2018
We were able to reproduce this problem, although it doesn’t happen every time. Usually, you’ll end up seeing an ad for “https://www.google.com”. That goes to the real Chrome download page, and everything is fine.
But, sometimes, you’ll see an ad for “google.com”. Guess what—that doesn’t actually go to Google.com. This ad was created by a scammer and goes elsewhere.
Microsoft is apparently not verifying the web address the advertisement actually goes to. Bing is letting this advertisement lie people.
If you click the link, you’ll be taken to a Google Chrome download page that looks like the real one. But it didn’t take you to Google.com. It takes you to “googleonline2018.com”, a scam website.
We didn’t actually download Chrome from here, of course. But we’re certain that this website is pushing malware or something malicious.
Chrome actually blocks this site as “deceptive,” but Bing and Edge don’t.
It’s worth noting that we could reproduce this on some systems, but not others. The advertisement may be targeted geographically. We could also only reproduce this in Microsoft Edge.
If you’d like to try it yourself, head to this search address in Microsoft Edge and refresh a few times.
This is crazy. Scammy advertisements pop up everywhere now and then, but they always have a nasty-looking URL that acts as a giveaway. Bing isn’t even checking the URL here.
Update: It’s even worse than we thought. Bleeping Computer reported almost the exact same advertisement in April, over six months ago. Microsoft removed the ad at the time, but it’s now back in a nearly identical form. Bing is still letting this advertisement lie about going to “google.com”, too. Thanks to @killyourfm on Twitter for noticing this.
I also found Reddit users complaining about a different malware package 21 days ago, but same method of delivery. That’s at the very least 3 occasions in the last 6 months, all using fake Google Chrome ads on Bing.
— Jason Evangelho (@killyourfm) October 27, 2018
Update: Microsoft has now removed the ad. Here’s what a Microsoft spokesperson told us:
Protecting customers from malicious content is a top priority, and we have removed the ads from Bing and banned the associated account. We encourage users to continue to report this type of content so we can take appropriate action.
However, Microsoft has not explained how the ad was marked as from “google.com”, nor have it said if the underlying issue was properly fixed. Without a real fix that prevents advertisers from lying, this problem will just pop up again in the near future.
Bing already has problems with horrifying search suggestions, so this is yet another problem on the pile. Microsoft really needs to clean Bing up.
Cludo Custom Site Search