Microsoft Kills Malicious Ad Promoting Fake Google Chrome Downloads Within Edge Browser

Chrome
Last week, Microsoft unwittingly provided a gateway to malicious content via Bing ads within the Microsoft Edge web browser. A malicious ad was being served that was promoting a fake version of the Google Chrome download site.

What makes this particular incident so dangerous with the potential to affect millions of people is the fact that one of the first things that many people do when setting up a new computer is to fire up Microsoft Edge (usually for the first and last time) to download Google Chrome or another browser. Google Chrome is by far the most popular browser in the world, and Microsoft Edge has been relegated to also-ran status.

In this case, using the search term "Download Chrome" was enough to cause the ad to pop up in the Bing search results. Usually when a user enters that search term, a “real” Google ad is presented that will redirect to the official Google website where you can download the Chrome web browser. However, this malicious ad redirected users to a site that was setup to mimic the Google website.

After clicking on the link, the key tipoff that this the site wasn't legit was that the URL was www.googleonline2018.com/chrome/. The website even had a blue button where you could "Download Chrome" after which a file called ChromeSetup is downloaded from tasetofini.com (another big red flag).

Gabriel Landau, who first brought attention to the issue, posted a video (seen above) in which he walks through the steps of downloading the malicious file. In a tweet, he asked the Bing Team "Why is this still happening in 2018?".

Bing Ads responded with the following statement:

Protecting customers from malicious content is a top priority and we have removed the ads from Bing and banned the associated  account. We encourage users to continue to report this type of content  at https://bit.ly/2PZWZ1u  so we can take appropriate action.

Needless to say, Microsoft has since taken action by removing the offending ad, but Landau asked some excellent follow-up question that we too are wondering. "Did you discover how the ad was listed as http://www.google.com ?  Have any changes been made to prevent this type of attack from happening again in the future?"