
IT security professional Didier Stevens has been conducting an experiment into computer user stupidity by running a Google AdWords campaign which offers to infect your PC for free. The advert actually read:

Drive-By Download
Is your PC virus-free?
Get it infected here!

That should be enough to stop all but the terminally dumb from clicking on it, yet hundreds of people did just that during the six months of this remarkable experiment into sadly predictable user behavior. The user agent string, which the browser sends to the server to identify itself and its platform, shows that an amazing 98 percent of those click-happy folk were running Windows. Bear in mind that the user agent is self-reported by the client and can be altered or spoofed at will, so it is an indicator rather than proof. Now OK, I know that Windows is the dominant OS, and OK I know that there are more newbies running Windows as well, but even so that is something of an eye-opener, is it not? Are Linux and Mac users just more wary, more educated in security issues, or less gullible?
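To show where a figure like "98 percent Windows" comes from, and why it is only an estimate, here is an added example of tallying the operating system family per landing-page hit from a web server's access log. This is illustration code written for this page, not Stevens' own tooling or data; the log lines are constructed (documentation IP ranges, period-typical browsers), and the landing-page path and bot markers are assumptions.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format:
# client ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log. These are NOT lines from drive-by-download.info; the
# addresses are RFC 5737 documentation ranges and the agents are invented.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2007:14:02:11 +0200] "GET / HTTP/1.1" 200 27 "http://www.google.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.9 - - [10/May/2007:14:05:43 +0200] "GET / HTTP/1.1" 200 27 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
198.51.100.7 - - [10/May/2007:15:11:02 +0200] "GET / HTTP/1.1" 200 27 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/419 (KHTML, like Gecko) Safari/419.3"
198.51.100.8 - - [10/May/2007:16:30:55 +0200] "GET / HTTP/1.1" 200 27 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
192.0.2.44 - - [11/May/2007:09:12:00 +0200] "GET / HTTP/1.1" 200 27 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
192.0.2.45 - - [11/May/2007:09:13:10 +0200] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
"""

# Substrings that mark crawlers rather than people (assumed list, extend as needed).
BOT_MARKERS = ("bot", "crawler", "spider", "slurp")


def parse_combined(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def os_family(agent):
    """Map a user-agent string to a coarse OS family.

    The agent string is whatever the client chose to send: self-reported,
    trivially spoofed, sometimes empty. Treat the result as an estimate of
    the population, never as identification of an individual machine.
    """
    a = agent.lower()
    if any(marker in a for marker in BOT_MARKERS):
        return "bot"
    if "windows" in a:
        return "Windows"
    if "mac os x" in a or "macintosh" in a:
        return "Mac"
    if "linux" in a or "x11" in a:
        return "Linux"
    return "other"


def os_share(log_text, landing_path="/"):
    """Percentage of landing-page hits per OS family, crawlers excluded.

    Only GET requests for the landing page count, so favicon and 404 noise
    does not inflate the figures. Each hit counts once; collapse on the
    client address first if the question is "how many people" rather than
    "how many clicks".
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec is None:
            continue  # unparseable line: skip rather than guess
        parts = rec["request"].split()
        if len(parts) < 2 or parts[0] != "GET" or parts[1] != landing_path:
            continue
        fam = os_family(rec["agent"])
        if fam == "bot":
            continue
        counts[fam] += 1
    total = sum(counts.values())
    if not total:
        return {}
    return {fam: round(100.0 * n / total, 1) for fam, n in counts.items()}


if __name__ == "__main__":
    for fam, pct in sorted(os_share(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{fam:8s} {pct:5.1f}%")
```

On the constructed sample the Googlebot hit and the favicon request are dropped, leaving four landing-page hits: Windows 50 percent, Mac 25 percent, Linux 25 percent. The same filtering questions (crawlers, repeat loads, spoofed agents) apply to any headline percentage derived from an access log, including the one in this article.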

Whatever, the one thing that the experiment proves beyond any reasonable doubt is that there are idiots out there who are so click happy that even the direct threat of infection is not enough to stop them. No wonder, then, that the botnet problem remains so great, that spam continues to grow in volume, and that Microsoft can get away with selling an entire OS on the basis of it being more secure than the last one, which we never really got around to patching up properly.

What Didier Stevens did was simple: he bought the drive-by-download.info domain and published a web page containing the text ‘thank you for your visit’ and nothing else. Linking this to a Google AdWords campaign proved both easy and affordable; with a click-through rate of 0.16 percent, it cost him $23 over the six month period. Hardly a fortune considering he could have infected hundreds of computers and set up a rentable botnet as a result. Stevens is quick to point out that “no PCs were harmed in this experiment”: the page executed no drive-by download scripts and installed no malware. You can see a video of the advert in action, posted by Stevens on YouTube.

Just as worrying as the 409 people who clicked on the advert is the fact that Google was more than happy to run it, despite it being deliberately designed to be as suspicious as possible. Google did eventually pull the campaign, but only after six months, and only once Stevens had published his results; it allowed the advert to run unchallenged for all that time.

This is made all the more embarrassing for Google as the revelations come at much the same time as it has published a report, "The Ghost In The Browser: Analysis of Web-based Malware" (PDF), written by Google researchers, which warns of the dangers of drive-by downloads. "Even a single visit to an infected website enables the attacker to detect vulnerabilities in the user’s applications and force the download of a multitude of malware binaries," the report states. It found that of 4.5 million URLs that were analyzed in depth, 450,000 were launching successful drive-by malware downloads...

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.


I think it was clicked on more for the curiosity factor than people who were just too click happy for their own good.


Possibly, although my experience suggests that you really shouldn't underestimate the capacity for stupidity when it comes to the clicking of anything online, even an advert for a nice free infection.


Given that almost 98% of workstations used by the (young and) uninformed are running Windows it's no surprise that that's the majority of respondents...

It's the same target audience as any other malware author. "I love you" mass emails, "Britney Spears naked" mass emails, they all target exactly the same users and with similar success.

Of course the vast majority of well informed and well educated people also run Windows.

And oh, the only reason a larger percentage of stupid people don't run Macs is the price, with availability also being a factor.
Those are generally people who are extremely sensitive to status and marketing, and Macs are "kewl", but their high price and generally poor availability through mass market channels make them less easy to get for that same audience.

"I think it was clicked on more for the curiosity factor than people who were just too click happy for their own good."

I'd love to have your confidence in people. But experience with end users has led me to believe otherwise.
There is no bound to the stupidity of the average person, especially when it looks like (s)he can get something cheap (or even better, for free).
Hordes will lose all sense when they see the words "free" or "discount" and purchase whatever it is no matter the actual price or whether it's something they could even theoretically use.
One prime example was a large sign outside a store I saw some 15 years ago. It loudly proclaimed that handbags were discounted from 29.95 to 39.95.
I asked the shopkeeper about that, and he responded that business had never been so good before he put up that sign. People (mainly women) were blinded by the sign's statement of a discount, didn't even read the actual before and after price, and bought the things like mad.

Noticed the same thing a few years later when I got a brochure for a new investment/savings account from a (until then) unheard of company.
It looked suspicious so I did the math about their claims, turned out I was right and the total payment into the account was higher than the promised amount you'd get after 5 years (never mind compound interest and dividends).
Yet they signed up thousands of people in just a few weeks, based solely on the large numbers and wild claims in that brochure.

Or what about the student who wanted to show how easy it is to get people to sign petitions about supposed dangers of chemicals.
He went around campus asking for signatures on a petition to ban the dangerous substance of di-hydrogen monoxide.
He got thousands of signatures from not just fellow students but professors and staff as well, including chemists and physicists.
Of course the substance they signed up to get banned is water...

So no, I'm not surprised that people fall for things like that, not at all.
