Social experiments are common. In the security world, many experiments are aimed at how people react to security risks. One of the leading online risks is exposure to malware and identity theft. Didier Stevens recorded the results of his experiment, in which he told people that clicking a link would infect their computer. The results were as expected: several hundred people clicked the link.
For the cost of twenty-three dollars, a simple advertisement was placed on Google. Didier ran the experiment because he was curious to see how many people would click on the ad. The ad was viewed almost two hundred sixty thousand times, and out of that count, over four hundred people clicked the link. The ad, when displayed, read, “Drive-By-Download Is your PC virus-free? Get it infected here!”
The number of times the ad was clicked shows that hiding malicious links inside legitimate-looking advertising does indeed work. In this case it was only a test, and if you read the ad closely, it would appear to be either a typo or a joke. In a recent study by Google, one in ten websites was found to carry malicious code. Monsters and Critics reported on the study, and described the exact nature of the experimental ad.
“In terms of returned numbers of note, the study showed that some four hundred fifty thousand of those tested sites were shown to include “drive-by downloads” designed to automatically implement unwanted additions into a visitor’s system, installing malicious code – including the likes of spyware – while the unfortunate user remained blissfully ignorant to the stealth attack.” – M&C Report Google: 1 in 10 Web pages carry malicious code
Didier explained how he started this experiment. The first step was to buy the domain, drive-by-download.info, then set up a web server to display a simple thank you page with a counter. Lastly, the Google Adwords campaign ran for six months.
Lenny Zeltser of Gemini Systems said of the experiment, “Perhaps there is no need for attackers to create advanced redirection chains or elaborate deception schemes. As Didier Stevens' experiment confirmed, people will click on anything.” Scary thought, but he may be right.
“I designed my ad to make it suspect, but even then it was accepted by Google without problem and I got no complaints to date, and many users clicked on it. Now you may think that they were all stupid Windows users, but there is no way to know what motivated them to click on my ad. I did not submit them to an IQ-test,” Stevens said.