For many people who purchase a new Windows 10 PC, Microsoft’s built-in Edge browser has one purpose: to download an alternate browser like Google Chrome. The most common way to do this for people who don’t have the URL memorized? Type “download Chrome” in the address bar and click the first result provided by Bing search. Unfortunately those unsuspecting users have a high chance of downloading malware and adware. That’s because Bing has been serving up malicious but highly visible Google Chrome ads for months .
This weekend, Twitter user Gabriel Landau enjoyed his first few hours with a Windows 10 laptop by doing this exact thing (video in Twitter link). The top result for his “download chrome” search via Edge looked ordinary enough. Except that when he clicked it the resulting domain was “GoogleOnline2018.com.” The fake site isn’t an exact copy of Google’s own Chrome landing page, but looks genuine enough to fool people. The download itself is called “ChromeSetup.exe,” but examining the digital signature reveals “Alpha Criteria Ltd.” That’s definitely not Google.
— Gabriel Landau (@GabrielLandau) October 25, 2018
Deceptive Site Ahead
Fortunately Landau was observant enough to detect something fishy was happening, but the way these deceptive ads are hijacking Bing is clever enough to fool the average user.
The malicious URL that Bing is happy to promote can’t fool Google or Firefox. When I simply type the above URL into my Firefox browser I’m faced with a bold red page declaring “Deceptive Site Ahead” completely with details and an option to go back.
Chris Hoffman, EIC of How-To Geek was able to reproduce this error, and several users on Twitter have also complained about it. In his article he points out that the ad comes into rotation every few page refreshes. Because I can’t obtain that result on a fresh Windows 10 install, I suspect it may be targeting users geographically (I live in Europe).
I notified Bing Ads of this issue, and since Landau’s tweet went viral overnight, I have confidence the malicious ad will be removed from Bing Search within the next 24 hours.
But the real issue is that it keeps happening.
I searched the web for similar complaints and found an article from Bleeping Computer dated April 2018. The same type of hijack using Bing Ads from Edge, displayed as the top result, leading to a fake Chrome download that serves up some particularly nasty adware in its installer. The most noticeable difference was the domain name “NewChromeDownload.com.”
And then again 21 days ago from this user on Reddit. You guessed it. Same procedure, same structure, different domain name.
And then again about 4 months ago.
There’s a pattern here, and it’s a disturbing one. How many people have been affected by these short-lived but recurring hijacks that Microsoft is letting through to millions of people? It’s inexcusable that these types of ads aren’t vetted properly, especially when the majority of browsers automatically know these sites are unsafe.
Isolated issues like this — one search term in one browser with one search engine — may not seem significant. But when looking at Windows 10 as a whole, things look considerably darker. Microsoft is letting devastating file-deleting bugs through its Windows 10 updates even after being warned by its team of Windows Insider testers. The update process is unreliable and cumbersome compared to operating systems like Ubuntu.
What You Can Do
If you must use Windows 10, go directly to Chrome.com to download Google’s browser, or to Mozilla.org for Firefox. Commit those to memory or just open up Edge and browse directly to google.com. I also highly recommend installing a tracking blocker like DuckDuckGo. If you choose to use the Edge browser, remove Bing as your default search provider by following these steps.
At the very least, please do not use Bing to search for anything. Ever. You probably won’t after reading this.
I’ll update this article with any response from the Bing Ads team.