Experiment proves that people want to infect their own systems
By Ruben Francia
Would you click an ad that reads something like this? “Drive-By-Download. Is your PC virus-free? Get it infected here!” Maybe not, but in a six-month experiment by a security researcher, that very ad was clicked 409 times out of the 259,723 times it was viewed. It is proof that users will click on virtually anything, even to the point of getting their PCs infected.
In the experiment, security researcher Didier Stevens bought a Google ad campaign to promote a site ostensibly offering to infest visitors’ Windows PCs with computer viruses. The ad earned a click-through rate of 0.16 percent, or around one in 500, and cost him just $23, or about 6 cents a click. “No PCs were harmed in this experiment,” Stevens swore.
“I designed my ad to make it suspect, but even then it was accepted by Google without problem, and I got no complaints. And many users clicked on it,” said Stevens. “Now, you may think that they were all stupid Windows users, but there is no way to know what motivated them to click on my ad.”
Lenny Zeltser, a security consultant at Gemini Systems, said: “Perhaps there is no need for attackers to create advanced redirection chains or elaborate deception schemes. As Stevens’s experiment confirmed, people will click on anything.”
Google has since removed the ad, stating that it violates AdWords editorial guidelines.
Stevens ran the experiment and is publishing his results now because this technique, putting up ads for what turn out to be drive-by downloads, is being used in the wild. Stevens said most malicious hackers count on this kind of reaction from users and hide exploits in their ads. People need to be careful not to fall for such gimmicks.
Stevens said he’s sure he could get much more traffic if he invested more in his Google AdWords budget and came up with a better-designed ad.
Stevens has also posted a video of his experiment on YouTube.
