Bing, Microsoft’s famous search engine, is being heavily abused in a massive web traffic monetization campaign orchestrated by cybercriminals. Computers running macOS are at the epicenter of this plot. The shady scheme hinges on a piece of malware that silently installs itself on Macs and redirects web browsers to bing.com without the users’ blessing.
This nuisance occurs every time the victim runs a web search via the address bar in Safari, Google Chrome, or Mozilla Firefox, even if the search service of choice listed in the browser’s settings is absolutely different. This inconsistency stems from a takeover of the web surfing preferences executed by the malicious application.
On a side note, Bing isn’t in cahoots with malicious actors over this hoax at all. What’s the whole point then? It turns out that the crooks use the trusted search provider as the landing page to smokescreen something trickier that’s happening during the redirect process.
Insights into the Bing search redirect workflow
The malefactors follow a multi-pronged tactic in which Bing is the most conspicuous element, and yet it’s just a sideshow. Each instance of the unwelcome traffic redistribution involves several interstitial URLs that denote advertising networks and domains whose purpose is to dispatch the hijacked Internet traffic according to a pattern remotely specified by the ne’er-do-wells.
As victims file complaints against these domains, some of them end up getting blacklisted over time. To dodge this roadblock, the Bing redirect campaign operators switch to new pages of that kind once in a while. However, a few survive these tweaks and stick around for many months on end. These durable services include searchbaron.com, searchmarquis.com, searchitnow.info, and searchsnow.com.
When a browser is being forwarded, these interim pages are resolved fleetingly before Bing shows up, which explains why this process may be hard to notice with the naked eye. The above screenshot reflects this brief moment. These auxiliary domains are the pivot of the entire hoax because they steer the enslaved web browser through low-quality ad networks that pay for these fraudulent hits.
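Because the interim pages flash by too quickly to see, the redirect is easier to confirm from proxy or browser-history records. The following is an added example, not part of the original article: it flags any visit to bing.com that the same client reached within a few seconds of passing through one of the domains named above. The event format, the five-second window, and the sample records are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Interstitial domains named in the article; Bing is only the landing page.
INTERSTITIALS = ("searchbaron.com", "searchmarquis.com", "searchitnow.info", "searchsnow.com")
LANDING = "bing.com"
WINDOW = 5.0  # seconds between interstitial hop and landing (assumed value)

def host_matches(url, domain):
    """True if the URL's host is `domain` or a subdomain of it (no substring matching)."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def find_redirect_chains(events, window=WINDOW):
    """events: (epoch_seconds, client, url) tuples sorted by time.
    Returns (client, [interstitial URLs], landing URL) for each hijacked search."""
    pending = {}  # client -> recent interstitial hops as (timestamp, url)
    chains = []
    for ts, client, url in events:
        # Forget hops that are too old to belong to this navigation.
        hops = [h for h in pending.get(client, []) if ts - h[0] <= window]
        if any(host_matches(url, d) for d in INTERSTITIALS):
            hops.append((ts, url))
        elif host_matches(url, LANDING) and hops:
            chains.append((client, [u for _, u in hops], url))
            hops = []
        pending[client] = hops  # other hosts (ad networks) leave the chain open
    return chains

# Constructed sample records, not taken from a real capture.
SAMPLE_EVENTS = [
    (100.0, "mac-01", "https://searchmarquis.com/search?q=weather"),
    (100.4, "mac-01", "https://ads.example.net/click?id=1"),
    (100.9, "mac-01", "https://www.bing.com/search?q=weather"),
    (200.0, "mac-02", "https://www.bing.com/search?q=news"),  # ordinary Bing use
    (300.0, "mac-03", "https://notsearchbaron.com/"),         # look-alike host
    (300.5, "mac-03", "https://www.bing.com/"),
]

if __name__ == "__main__":
    for client, hops, landing in find_redirect_chains(SAMPLE_EVENTS):
        print(client, "reached", landing, "via", hops)
```

Only mac-01 is reported: a direct Bing search and a look-alike hostname do not match.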
Intricate infection chain
Let’s get something straight: the loop of unauthorized redirects leading to Bing is a symptom, not the root cause of the problem. It is always precipitated by a malicious app that slithers into a Mac without any direct permission requests. Although this trespass seems covert, it relies on user interaction to a certain extent. A rogue software bundle is what allows the malware to sting a system quietly.
This scheme revolves around installation clients that appear to promote a single harmless program but conceal one or several more applications under the same hood. These sketchy installers deliberately omit notifications about dubious extras while placing heavy emphasis on the “awesome” freeware component such as a streaming video downloader or an Adobe Flash Player update.
However, once you deselect the default installation option to customize the setup, you will discover that the tool isn’t fair and square about what it does. It turns out to be riddled with adware and browser extensions that impose web preferences of their own, including the search engine, homepage, and new tab page settings. This is exactly how the Bing redirect starts holding sway over browsers.
A stubborn threat
To maintain persistence on a Mac, this virus surreptitiously abuses a command-line tool to create a new configuration profile. Ideally, this feature is supposed to help admins control multiple computers on a network. Malware operators abuse it to specify the dodgy behaviors of the host system. For instance, the malicious device profile is configured to manage the default settings in Safari, Chrome, and Firefox. Unsurprisingly, even if you replace the rogue web preferences with correct ones, your browser will continue to be rerouted to Bing until you get rid of the profile (the how-to will be provided further down).
Bing search redirect removal steps
As previously mentioned, nonstop rerouting to bing.com isn’t only an outcome of browser misconfiguration. It’s a malware issue that won’t discontinue until the underlying unwanted application is removed from your Mac. The following steps will help you address the problem for good.
- Go to Utilities > Activity Monitor. Scroll through the list of processes and try to spot the malicious one. That’s typically an item with an unfamiliar, gibberish-looking name that has nothing to do with the system or third-party applications running on your Mac.
- Select the process, click the X icon in the upper-left corner of the window, and use on-screen prompts to force quit it.
- Click Go in the Finder menu bar and select Applications. Look for a suspicious app you don’t remember installing recently. Once you identify the troublemaker, send it to the Trash.
- Use the Finder’s Go drop-down menu once again and choose Go to Folder on the list, as illustrated below.
- Enter ~/Library/LaunchAgents in the dialog box that has appeared. This will bring up your LaunchAgents directory. Look for dubious *.plist files and move them to the Trash.
- Use the Go to Folder feature to open the following system paths one by one: ~/Library/Application Support, /Library/LaunchDaemons, and /Library/LaunchAgents. Check these folders for malware-related files and delete them.
- Go to System Preferences > Users & Groups and click the Login Items tab. Select the evil application and delist it by clicking the “minus” button.
- Go to System Preferences > Profiles. Find a suspicious configuration profile and click the “minus” symbol to eliminate it.
- Empty the Trash.
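The LaunchAgents and LaunchDaemons checks in the steps above can be scripted so that nothing is missed by eye. The following is an added example, not part of the original article: it parses every *.plist in the three launchd folders listed above and reports jobs that cannot be parsed, whose program no longer exists on disk (typical after the app has been trashed), or that mention one of the redirect domains named earlier. The function names and the choice of checks are assumptions for illustration; it only reports and deletes nothing.

```python
import plistlib
from pathlib import Path

# Folders named in the removal steps above.
LAUNCH_DIRS = ("~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons")
# Interstitial domains named earlier in this article.
REDIRECT_DOMAINS = ("searchbaron.com", "searchmarquis.com", "searchitnow.info", "searchsnow.com")

def strings_in(value):
    """Yield every string nested anywhere inside a parsed plist value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, (dict, list)):
        for item in (value.values() if isinstance(value, dict) else value):
            yield from strings_in(item)

def audit_plist(path):
    """Parse one launchd job file and list the reasons it deserves a closer look."""
    report = {"file": Path(path).name, "program": None, "reasons": []}
    try:
        with open(path, "rb") as fh:
            job = plistlib.load(fh)  # accepts both XML and binary plists
        if not isinstance(job, dict):
            raise ValueError("top-level object is not a dictionary")
    except Exception as exc:  # corrupt or non-plist file dropped in the folder
        report["reasons"].append("unparseable: " + type(exc).__name__)
        return report
    args = job.get("ProgramArguments")
    program = job.get("Program") or (args[0] if isinstance(args, list) and args else None)
    report["program"] = program
    if not isinstance(program, str):
        report["reasons"].append("no usable Program or ProgramArguments")
    elif not Path(program).expanduser().exists():
        report["reasons"].append("program missing on disk")
    text = " ".join(strings_in(job)).lower()
    report["reasons"] += ["references " + d for d in REDIRECT_DOMAINS if d in text]
    return report

def audit_launch_dirs(dirs=LAUNCH_DIRS):
    """Return reports for the *.plist files in `dirs` that have at least one reason."""
    found = []
    for folder in (Path(d).expanduser() for d in dirs):
        if folder.is_dir():
            found += [audit_plist(p) for p in sorted(folder.glob("*.plist"))]
    return [r for r in found if r["reasons"]]

if __name__ == "__main__":
    for r in audit_launch_dirs():
        print(r["file"], "->", r["program"], r["reasons"])
```

A job that is not flagged is not thereby proven clean; review the remaining entries by hand as the steps describe.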
Fix the browser takeover problem
Having eradicated the malicious application, you are halfway through the cleanup. The next move is to get your malfunctioning web browser back on track. The most effective way to stop the Bing search redirect virus from hijacking Google Chrome or Mozilla Firefox on a Mac is to reset the browser to its original state. In the case of Safari, which lacks a one-click reset option, you will need to clear its caches, erase the history, and delete all data stored by websites.