Proof that users will click on virtually anything -- behavior that hackers depend on -- has been laid out by a researcher, whose Google ad touted instant infection. More than 400 clicked through.
In a six-month experiment by security researcher Didier Stevens, some users weren't warned off by a Google sponsored link that read:
Is your PC virus-free?
Get it infected here!
Of the 259,723 times the ad was viewed, it was clicked on 409 times, said Stevens.
To run the experiment, Stevens registered the "drive-by-download.info" domain -- ".info domains are notorious for malware hosting," he said -- set up an exploit-free Web page that displayed "Thank you for your visit!" and logged the number of views, and began a Google Adwords campaign using several combinations of the words "drive by download."
"No PCs were harmed in this experiment," Stevens swore. The experiment cost him just US$23, or about 6 cents a click.
And he did everything but click the mouse for the careless. "I designed my ad to make it suspect, but even then it was accepted by Google without problem, and I got no complaints. And many users clicked on it," said Stevens. "Now, you may think that they were all stupid Windows users, but there is no way to know what motivated them to click on my ad."
Most exploits gamble on just this kind of laxness, and use bait such as a dubious attachment with an eye-catching title or a link to a supposedly sweet Web site. Late last month, in fact, security vendor Exploit Prevention Labs uncovered an ambitious scam where hackers bought Google keywords, then rerouted users to malicious sites.
But maybe that was overkill, said Lenny Zeltser, an analyst at the SANS Institute's Internet Storm Center. "Perhaps there is no need for attackers to create advanced redirection chains or elaborate deception schemes," said Zeltser. "As Stevens' experiment confirmed, people will click on anything."
Stevens has also posted a video of his experiment on YouTube.