When consumers search the internet, brands want to be first, or as close as they can be to it, on the search results page. Unfortunately, fraudsters do too.
Search engine advertising is an extremely effective way to get your brand’s website in front of people. Unfortunately, it’s an extremely effective way for fraudsters to get their scam sites in front of your audience too. Just as brands do, scammers will purchase ads tied to specific words and phrases related to a legitimate brand, while linking their ads to a fraudulent website designed to steal user credentials, or worse.
This is known to be a popular tactic with Google’s search engine advertising; however, the problem reaches farther than just Google. Recently, threat experts at Allure Security and other security organizations have detected this tactic in use with Bing PPC ads, Bing being the default search engine for Microsoft’s Edge browser.
While it has less market share than Google Chrome or Safari, Microsoft Edge still ranks 3rd in popularity and captures more of the internet’s user base than the next 8 browsers combined.
Brands need to be aware that fraudulent, malicious search engine advertising (otherwise known as “malvertising”) does not stop with Google. Security teams need to consider Bing ads as yet another attack vector for online brand impersonations.
Bing ads operate similarly to Google’s. Microsoft states that four factors influence an ad’s position when someone does a search on Bing, Yahoo or AOL: your keyword bid amount, your competition’s keyword bid amount, the relevance of your ad, and the performance of your ad. Bing ads are paid for on a per-click basis, meaning the advertiser pays based on how many people click the advertisement.
That means it’s possible for scammers to out-bid legitimate brands for keywords relevant to their offers. Where a brand must balance its budget between advertising, operations, sales, and other business functions, a scammer typically has fewer expenses. This can result in a brand’s legitimate advertising efforts being swiftly outpaced by well-funded scammers.
These scam advertisements often use techniques to add to their believability including using similar messaging, presenting enticing offers, and sometimes using URLs similar to the real brand’s. These can be combined to create a deceptively realistic scam.
This problem is not new (it’s plagued Bing for a couple of years now), but some new variations are rearing their heads. The problem doesn’t stop with default search. Recently, Bing’s AI chatbot has been observed displaying fraudulent advertisements alongside responses to users’ prompts.
While there clearly is a problem, many people are unsatisfied with Microsoft’s response. A handful of users have complained that Microsoft fails to take action on fraudulent online ads.
According to our expert takedown team, removing Bing ads can be a bit of a hassle. When recently ensuring the removal of a fraudulent ad, our team reported it on the Friday after Thanksgiving and was promised a 48-hour turnaround time. The ad wasn’t removed within 48 hours and required a follow-up message from our team for removal.
Microsoft states that “ads undergo policy checks specific to the ad type, advertiser location, and target customer location. When ads don’t pass these checks, we either stop serving the ads or suspend the advertiser’s account.” Bing states that “Microsoft AI-based algorithms are constantly sweeping all accounts and online ads to make sure misleading scam ads are removed as fast as possible.”
While Microsoft and Bing do have a proactive monitoring solution in place, its efficacy remains in question. When considering the volume and verbiage of complaints, it seems that Bing often removes these ads only after they have been reported multiple times. The problem is that the handling of these reports via the provided reporting mechanisms also seems rather slow. Considering the time to removal and the resulting expansion of potential victim exposure, brands can’t count on Microsoft to protect them or their customers.
While our team successfully removed the fraudulent ad, our expert emphasized that for timely and effective takedowns, the focus is usually on targeting the websites that these fraudulent ads direct to, noting “usually it’s most effective going after the websites.”
While the efficacy is up in the air, Bing does have multiple reporting mechanisms in place to handle malvertising:
For example, Allure Security’s online brand protection-as-a-service includes, but is not limited to, daily searching of both Google and Bing search engines to evaluate top organic and paid search results in order to identify deceptive websites impersonating our customers’ brands.
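The kind of check described above, sketched as an added example (not Allure Security's implementation and not code from the original post): classify paid results by landing-page host, flagging ads that reference the brand but resolve outside its official domains. The brand name, domains and ad records are constructed, and the edit-distance threshold of 2 is an assumption.

```python
from urllib.parse import urlsplit

# Hypothetical brand and the domains it really owns (assumptions for this example).
BRAND = "examplebank"
OFFICIAL_DOMAINS = {"examplebank.example"}

# Constructed sample of paid results: ad title plus the URL the ad resolves to.
SAMPLE_ADS = [
    {"title": "Example Bank - Official Login", "landing_url": "https://www.examplebank.example/login"},
    {"title": "Example Bank Sign In", "landing_url": "https://examplebank.example.account-verify.test/"},
    {"title": "Online Banking", "landing_url": "https://exampelbank.example/"},
    {"title": "Example Bank Rewards", "landing_url": "https://promo-deals.example/eb"},
    {"title": "Cheap Flights", "landing_url": "https://flights.example/"},
]

def host_of(url):
    """Lower-cased hostname of a URL (userinfo and port stripped by urlsplit)."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def is_official(host):
    """True only for an official domain or a subdomain of one (suffix match on a dot)."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def edit_distance(a, b):
    """Levenshtein distance, two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(ad):
    """Return (verdict, reason) for one paid result."""
    host = host_of(ad["landing_url"])
    if is_official(host):
        return "ok", "official domain"
    if BRAND in host.replace("-", ""):
        return "suspect", "brand name inside an unofficial host"
    if any(edit_distance(label, BRAND) <= 2 for label in host.replace("-", ".").split(".")):
        return "suspect", "host label within edit distance 2 of brand"
    if BRAND in ad["title"].lower().replace(" ", ""):
        return "suspect", "brand in ad title, unrelated landing host"
    return "ignore", "no brand reference"

def triage(ads):
    """List of (host, verdict, reason), one entry per ad, in input order."""
    return [(host_of(ad["landing_url"]), *classify(ad)) for ad in ads]
```

Only the "suspect" rows need an analyst's eyes; the second sample row shows why the official-domain test must match on the host's suffix rather than on a substring.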
Posted by Mitch W