Skip Links

Network World

  • Social Web 
  • Email 
  • Close

People click on the darndest things

By Gregg Keizer , Computerworld , 05/18/2007
  • Share/Email
  • Comment
  • Print

Proof that users will click on virtually anything -- behavior that hackers depend on -- has been laid out by a researcher, whose Google ad touted instant infection. More than 400 clicked through.

In a six-month experiment by security researcher Didier Stevens, some users weren't warned off by a Google sponsored link that read:

New! Watch this Network World Webcast - Minimizing the Risk of Information Security Breaches: Best Practices for SOA Governance and Compliance - Live October 21

Drive-By Download

Is your PC virus-free?

Related Content

Get it infected here!

Of the 259,723 times the ad was viewed, it was clicked on 409 times, said Stevens.

To run the experiment, Stevens registered the "drive-by-download.info" domain -- ".info domains are notorious for malware hosting," he said -- set up an exploit-free Web page that displayed "Thank you for your visit!" and logged the number of views, and began a Google Adwords campaign using several combinations of the words "drive by download."

"No PCs were harmed in this experiment," Stevens swore. The experiment cost him just $23, or about 6 cents a click.

And he did everything but click the mouse for the careless. "I designed my ad to make it suspect, but even then it was accepted by Google without problem, and I got no complaints. And many users clicked on it," said Stevens. "Now, you may think that they were all stupid Windows users, but there is no way to know what motivated them to click on my ad."

Most exploits gamble on just this kind of laxness, and use bait such as a dubious attachment with an eye-catching title or a link to a supposedly sweet Web site. Late last month, in fact, security vendor Exploit Prevention Labs uncovered an ambitious scam where hackers bought Google keywords, then rerouted users to malicious sites.

But maybe that was overkill, said Lenny Zeltser, an analyst at the SANS Institute's Internet Storm Center. "Perhaps there is no need for attackers to create advanced redirection chains or elaborate deception schemes," said Zeltser. "As Stevens' experiment confirmed, people will click on anything."

Stevens has also posted a video of his experiment on YouTube.

For more enterprise computing news, visit For more gaming news, visit GamePro. http://www.gamepro.com/ Story copyright GamePro Media."http://www.computerworld.com/">Computerworld. Story copyright Computerworld, Inc.

  • Share/Email
  • Comment
  • Print
Partner Content

Brilliantly simple security and control solutions for email, web and endpoint

www.sophos.com

Stopping data leakage

Learn how to exploit your current security investment to control the information that flows into, through and out of your network.

Download the white paper.

Why detection rates aren't enough

Evaluating endpoint security products is a time-consuming and daunting task. Learn the six critical questions you need to ask prospective vendors to get the right endpoint solution.

Download the white paper.

Applications: taking back control

Employees installing unauthorized applications is a growing threat to business security and productivity. Cost-effectively reduce this threat by integrating control into your malware protection.

Learn more today.

Comments (6)
Login
Forgot your account info?

I'm sorryBy Anonymous on August 19, 2007, 3:04 pmI think I remember that ad--because I seem to recall clicking on it. Sorry about that. I run Apple OS X and don't worry a lot about viruses. Sometimes, I download...

Reply | Read entire comment

Not morons, just kid vandals (...OK, morons)By Anonymous on July 24, 2007, 4:26 am409 out of 250K is not at all surprising; it strikes me as low. One must realize how many sixth-grade boys are sitting in front of school computers. At least...

Reply | Read entire comment

... and some might have been looking for snarks.By TomS on July 22, 2007, 4:07 pmThere are a few people that actually go looking for for trouble. Had I seen that ad, I would have loaded up a VM, started the packet sniffer, launched Camtasia to...

Reply | Read entire comment

I'm not surprised by Stevens findingsBy Anonymous on May 22, 2007, 1:15 pmThough most people showed some restraint, it seems that others were tempted to "see what happens." Sad.

Reply | Read entire comment

Managed riskBy Howard on May 22, 2007, 10:27 amEvery so often, when I'm running on the linux side, I'll click on a suspicious link, knowing that the odds of infection are pretty small. Curiosity.

Reply | Read entire comment

View all comments

Add comment
Anonymous comments subject to approval. Register here for member benefits.
Have a NetworkWorld account? Log in here. Register now for a free account.

Most Read

View more Most Read

Videos

rssRss Feed

Latest News

rssRss Feed
Get instant email notification when white papers, webcasts, executive guides are added to our library. Stay informed and up-to-date with the latest on IT Technologies with Network World's Resource Alerts.
Network World,to go. Wherever you are. Breaking news delivered to your mobile device. Select the hottest topics in networking and start receiving Network World on your mobile device today.