Malicious ads in a chatbot.
N2K logoSep 29, 2023

A chatbot is found to be serving malicious advertising.

Malicious ads in a chatbot.

Researchers at Malwarebytes warn that Microsoft’s AI chatbot Bing Chat can be abused to serve malicious ads. When the tool is used to search for a service, it may offer sponsored results similar to those seen at the top of a regular search engine query. In this case, Malwarebytes says “the malicious actor hacked into the ad account of a legitimate Australian business and created two malicious ads, one targeting network admins (Advanced IP Scanner) and another lawyers (MyCase law manager).” The links led to spoofed websites designed to trick users into downloading malware.

Malvertising updated to take advantage of AI.

Roger Grimes data-driven defense evangelist at KnowBe4, commented on this evolution in criminal technology. “Malicious ads have been a problem for decades. This is just a current example of them being used in AI-related tools. Malicious ads, and the legitimacy they have with many viewers, does make them ripe for exploitation. That's why all users must be trained to understand that Internet ads simply cannot be trusted. They need to understand the concept of malicious poisoned ads, how to recognize them, and be told to make sure they don't click on them. Until content filtering tools are better at detecting and preventing them, education is really the only way to fight them. Of course, we need Microsoft and other vendors to do more to prevent malicious ads. They've been around for decades. There have to be better ways to prevent them. It's a travesty that we are still dealing with them decades later and that they are invading our newest platforms.”

A confidence game, at scale.

(Added, 11:30 PM ET, September 30th, 2023.) Emily Phelps, Director, Cyware, sees the malvertising as an instance of the exploitation of the tendency to trust the familiar, in this case search engines. “With advancing technologies and a rapidly evolving digital landscape, threat actors are able to exploit human trust in established entities at scale,” she said, automating enabling swindling on a large scale. 

She added, “Addressing these risks requires more than awareness training and traditional security controls. End users must understand the risks and proceed with caution, but platforms must also bolster their security posture to adapt to these threats. It's critical to employ continuous and rigorous testing to ensure they remain a step ahead of potential online adversaries.”