Microsoft’s AI-powered Bing Chat may be vulnerable to malvertising, according to a recent report from The Hacker News. In this case, users were asking for particular software. Bing Chat sent them to an advertiser’s site rather than the official download site. The link provided by the advertiser took users to a malicious website.

Malvertising, or malicious advertising, refers to the practice of using online ads to distribute malware or otherwise attack those viewing or clicking the ads. Hackers can create deceptive ads that insert harmful content in ways that the advertiser’s network is not expecting. Users who click on these ads can be exposed to malware or other cyber threats. Malvertising is nothing new. It has been a significant threat for a long time. Some malicious ads have been known to take advantage of vulnerabilities on the user’s computer to infect it without the user even clicking the ad. These are known as drive-by attacks.

What makes this report unique is that this is the first time an AI chatbot has been known to serve up such an ad. People interacting with AI-powered chat engines tend to be more relaxed than when using more conventional search engines. The natural language responses make people feel almost like they’re talking to another person, maybe even a person they can trust. Being more relaxed means their defenses are down and they are more vulnerable. When a friendly chatbot suggests clicking a link, the relaxed user is more likely to click it without suspecting it could be harmful. This raises concerns about the security and privacy of users engaging with chatbots.

What you can do

When engaging with AI-powered chatbots, remain aware that you’re not talking to your friend, or even a person. It’s a computer. That makes it subject to hacks and capable of unknowingly serving up incorrect and possibly malicious results. Any links it provides should be treated like links you get in emails: hover over them to see where they will take you before you click. Be especially cautious if it says it’s an ad. Drive-bys are a little harder, since you don’t have to click on them to be infected. The best advice to avoid those is to ensure your computer is up to date on all software patch updates. Drive-bys typically exploit vulnerabilities in software that haven’t yet been corrected by patch updates.