Fighting Search Engine Phishing: Malvertising and Bing Ads

Mitch Warren, November 14, 2024

Search Engine Advertising Risks

When consumers search the internet, brands want to be first, or as close as they can be to it, on the search results page. Unfortunately, fraudsters do, too. The use of search engine phishing and spamdexing is on the rise.

Search engine advertising is a highly effective way to get your brand’s website in front of people. Unfortunately, it is also an effective way for fraudsters to get their scam sites in front of your audience. Like brands, scammers purchase ads tied to specific words and phrases related to a legitimate brand. They then link those ads to a fraudulent website built to steal user credentials.

Risks with Bing

This is a popular tactic with Google’s search engine advertising. Threat experts at Allure Security and other security organizations have recently detected this tactic in Bing PPC ads. Bing is the default search engine for Microsoft’s Edge browser.

While it has less market share than Google Chrome or Safari, Microsoft Edge still ranks 3rd in popularity. It captures more of the internet’s user base than the following eight browsers combined.

Brands must know that fraudulent, malicious search engine advertising (or “malvertising”) does not stop with Google. Security teams must consider Bing ads for online brand impersonations.

Malvertising

Search Engine Phishing Ads Targeting Financial Institutions on Bing

Bing ads operate similarly to Google’s. Microsoft states that four factors influence an ad’s position when someone searches Bing, Yahoo or AOL:

  • your keyword bid amount
  • your competition’s keyword bid amount
  • the relevance of your ad
  • the performance of your ad

Advertisers pay for Bing ads based on the number of clicks the advertisement receives.

Scammers can outbid legitimate brands for keywords relevant to their offers. Where a brand must balance its budget between advertising, operations, sales, and other business functions, a scammer typically has fewer expenses. This can result in a brand’s legitimate advertising efforts being outpaced by well-funded scammers.

Fraudulent Bing ad detected by Allure Security that impersonates a credit union and is positioned as the first result of a search (note the seemingly irrelevant website URL displayed in the ad: “californiagamblers.com”).

These scam advertisements often use techniques that add to their believability. Examples include using messaging similar to the brand’s, presenting enticing offers, and using URLs similar to the brand’s. These can be combined to create a deceptively realistic scam.

MICROSOFT'S RESPONSE

Malvertising on Bing

While there is a problem, many people are unsatisfied with Microsoft’s response. A handful of users have complained that Microsoft fails to take action on fraudulent online ads.

Our expert takedown team says removing Bing ads can be a hassle. After reporting a fraudulent ad, our team was assured of its removal within 48 hours following our report on the Friday after Thanksgiving. The ad wasn’t removed within 48 hours and required a follow-up message from our team for removal.

Microsoft states that “ads undergo policy checks specific to the ad type, advertiser location, and target customer location. When ads don’t pass these checks, we either stop serving the ads or suspend the advertiser’s account.” Bing states, “Microsoft AI-based algorithms are constantly sweeping all accounts and online ads to make sure misleading scam ads are removed as fast as possible.” 

While Microsoft and Bing have a proactive monitoring solution, its efficacy still needs to be questioned. Judging by the volume and content of complaints, Bing often removes these ads after they have been reported multiple times. The problem is that handling these reports via the provided reporting mechanisms also seems relatively slow. Because of the time removal takes and the increased risk of victim exposure in the meantime, brands cannot rely on Microsoft to safeguard them or their customers.

Our team successfully removed the fraudulent ad, but our expert highlighted that for timely and effective takedowns, it’s important to focus on the websites that these ads link to. They noted, “It’s generally more effective to target the websites.”

Strategies to Protect Your Brand on Bing: Search Engine Phishing Ads and Malvertising

While the efficacy is up in the air, Bing does have multiple reporting mechanisms in place to handle malvertising:

  • The “report a concern” page is a generic mechanism where users can report search results that they may find offensive, illegal, or harmful in any way
  • Bing’s “spam report form” is more advertisement-focused, allowing users to report low-quality ads that appear to be fraudulent, misplaced, or advertising-disallowed content
  • If your brand’s advertisements are suffering in any way on Bing, you can contact advertising support via phone call, chat, X (f.k.a. Twitter), or the community forums
  • To proactively locate and remove impersonation ads on Bing, reach out to online brand protection vendors who specialize in finding and removing fraudulent brand impersonations across the web
  • Report ads that infringe upon your copyrights and trademarks using the “intellectual property concern form.”

Allure Security’s online brand protection service offers comprehensive solutions, including daily searches of both Google and Bing. This allows us to evaluate the top organic and paid search results to identify deceptive websites that impersonate our customers’ brands.
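The signals described above (an ad that uses the brand's name but displays an unrelated or lookalike URL) can be checked mechanically once ad results have been collected. The following is an added example, not Allure Security's tooling: the brand terms, official domain, ad records and threshold are constructed assumptions, and only “californiagamblers.com” comes from the ad described in this article.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumptions (constructed for illustration): the brand, its official domain,
# and ad records already collected from a results page by other means.
BRAND_TERMS = {"example credit union", "examplecu"}
OFFICIAL_DOMAINS = {"examplecu.org"}

ADS = [
    {"title": "Example Credit Union - Member Login", "display_url": "https://www.examplecu.org/login"},
    {"title": "Example Credit Union | Sign In", "display_url": "californiagamblers.com"},
    {"title": "ExampleCU Online Banking", "display_url": "http://examp1ecu.org/secure"},
    {"title": "Best Hiking Boots 2024", "display_url": "boots.example.net"},
]

def site_domain(display_url):
    """Last two labels of the host; a simplification that ignores
    multi-label public suffixes such as co.uk."""
    if "//" not in display_url:
        display_url = "//" + display_url   # lets urlsplit recognise the host
    host = (urlsplit(display_url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])

def mentions_brand(ad):
    return any(term in ad["title"].lower() for term in BRAND_TERMS)

def classify(ad, lookalike_threshold=0.85):
    """Return 'ok', 'lookalike-domain', 'unrelated-domain' or 'not-brand'."""
    if not mentions_brand(ad):
        return "not-brand"
    domain = site_domain(ad["display_url"])
    if domain in OFFICIAL_DOMAINS:
        return "ok"
    closest = max(SequenceMatcher(None, domain, d).ratio() for d in OFFICIAL_DOMAINS)
    return "lookalike-domain" if closest >= lookalike_threshold else "unrelated-domain"

def triage(ads):
    """Ads that use the brand's name but point at a domain the brand does not own."""
    return [(ad["display_url"], verdict) for ad in ads
            if (verdict := classify(ad)) in ("lookalike-domain", "unrelated-domain")]

if __name__ == "__main__":
    for url, verdict in triage(ADS):
        print(f"{verdict:18} {url}")
```

Both flagged verdicts warrant review of the landing site the ad links to, which is where the article's takedown expert recommends focusing.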

This problem is not new (it has plagued Bing for a couple of years now), but some new variations are rearing their heads. The problem doesn’t stop with the default search. Recently, Bing’s AI chatbot has been observed displaying fraudulent advertisements alongside responses to users’ prompts.
