Malwarebytes has found malicious advertisements in Microsoft Bing’s AI chatbot that are being used to distribute malware when users search for popular software tools.
These findings are related to Bing Chat, an interactive search feature introduced by Microsoft in February 2023, powered by the OpenAI language model GPT-4. Just a month later, Microsoft began exploring the integration of ads into these chat conversations.
Unfortunately, this move has opened the door for malicious actors who are employing malvertising tactics to spread malware.
Malwarebytes provided an example in which a Bing Chat query for downloading legitimate software called Advanced IP Scanner produced a link that, when hovered over, revealed a malicious ad directing users to a fraudulent link instead of the official site hosting the tool.
Clicking on this link redirects users to a traffic direction system (TDS) that verifies whether the request originates from a genuine human or another source, before leading them to a deceptive page containing the rogue installer.
The installer is configured to execute a Visual Basic Script that contacts an external server, presumably to obtain the next-stage payload. The precise nature of the delivered malware remains unknown.
An interesting aspect of this campaign is that the threat actor gained access to the ad account of a legitimate Australian business and created these deceptive ads.
This discovery comes as Akamai and Perception Point have identified a multi-step campaign targeting hotels, booking sites, and travel agencies with information-stealing malware. The attackers first compromise these businesses’ systems, then use that access to target customers’ financial data via fake reservation pages.
This attack deploys stealer malware like Lumma Stealer, RedLine Stealer, Stealc, Spidey Bot, and Vidar, using lures related to booking requests, reservation changes, and special requests.
Additionally, attackers have employed a technique known as ZeroFont, where parts of the message are written in a font with zero-pixel size to deceive security checks in emails. This technique manipulates message previews on Microsoft Outlook, making it appear that the email has passed security checks.
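A mail filter or analyst can surface ZeroFont text by separating what a reader sees from what is rendered at zero size. The following is an added example, not code from the original article or the vendors it cites; the names `ZeroFontScanner` and `scan_email_html` are hypothetical, and it assumes the size is set in inline `style` attributes (rules in `<style>` blocks or classes are not evaluated).

```python
import re
from html.parser import HTMLParser

# Inline font-size declaration: captures the number and the unit (if any).
FONT_SIZE = re.compile(r"font-size\s*:\s*([0-9]*\.?[0-9]+)\s*([a-z%]*)", re.I)
VOID = {"br", "img", "hr", "meta", "input", "link", "wbr"}  # tags with no end tag

class ZeroFontScanner(HTMLParser):
    """Separates text a reader sees from text rendered at font-size 0."""
    def __init__(self):
        super().__init__()
        self.stack = []  # per open element: is its text zero-sized?
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        inherited = self.stack[-1] if self.stack else False
        m = FONT_SIZE.search(dict(attrs).get("style") or "")
        if m is None:
            hidden = inherited  # font-size is inherited from the parent
        elif float(m.group(1)) == 0:
            hidden = True
        else:
            # em and % scale the parent's size, so they stay zero under a hidden parent
            hidden = inherited and m.group(2).lower() in ("em", "%")
        self.stack.append(hidden)

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        if data.strip():
            (self.hidden if self.stack and self.stack[-1] else self.visible).append(data)

def scan_email_html(html):
    """Return the visible text, the zero-font text, and a flag for triage."""
    scanner = ZeroFontScanner()
    scanner.feed(html)
    scanner.close()
    tidy = lambda parts: " ".join(" ".join(parts).split())
    return {"visible": tidy(scanner.visible), "hidden": tidy(scanner.hidden),
            "suspicious": bool(scanner.hidden)}

# Constructed sample body, not taken from a real message.
SAMPLE = (
    '<div><span style="font-size:0px">Scanned and secured by Example Filter</span>'
    '<p>Hello, please review the attached <b>job offer</b>.</p>'
    '<span style="font-size: 0"><i>hidden too</i><b style="font-size:12px">shown</b></span></div>'
)
```

Comparing the `hidden` text against the `visible` text shows what a preview pane or text-based filter may read that the recipient never sees.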
These findings underscore the evolving tactics of threat actors and highlight the importance for users of clicking cautiously, being skeptical of urgent or threatening messages, and inspecting URLs for signs of deception.