Click Here To Infect Your PC!

Email me for FREE viruses writes "Just how many people would click an ad saying "Is your PC virus-free? Get it infected here!"? According to the security researcher who ran that very ad on Google for 6 months, 0.16% (409 of 259,723) would click on it. 98% of those people were running Windows. The Google Adwords campaign cost $23 in total, which works out to $0.06 per infection had the site actually been malicious."

Re:It's hardly a surprise

[mrbluze]

It's like sex. People know full well they'll get infected, they click, they get infected, they spend several months or years in denial until their body slows to a crawl.

statistics

[jonastullus]

sorry, couldn't RTFA because the link text was kinda prohibiting.

the poster makes it sound as if the conclusion from the statistic is something like "oh my god, windows users are sooo dumb". but also quoting the percentage of all users using windows would reveal a prior probability of something in the 90s already. so, assuming that the "experiment" has an error greater 0, the deviation between the prior probability and 98% has almost no significance...

Oh dear.

[massivefoot]

This just goes to show, not matter how much you warn people they're about to do something really dumb, the still will. How many people do you think read that advert, though "No, it can't possibly mean that..." and then clicked on it to see?

Underserved group

[Nymz]

At a click rate of 0,16% - about one in 600 - I have to wonder if not a fairly large portion is simple click errors.

At first I thought the same thing, just random misclicks. But then it hit me, there are a large number of users on the internet that don't have the know-how to install a virus on a computer of someone they hate, like an uppity coworker.

Imagine a bussiness model that would allow anyone to simply 1-click and install a virus (not a feature, those are patentable). Revenue would be generated with advertisments downloaded by the trojan, that would popup at random times on the victims computer. In essence, the victim would have to pay for the service. Brilliant!

Browser stats

[locofungus]

The comments give the browser stats:

335 - some version of IE
52 - Some version of Firefox
5 - other

That gives Firefox a 15% share.

Tim.

Malicious intent

[canb]

I think it might very well be possible that many of those clicks are made from computers that are not owned by the user. Like maybe the school's computer or a friend's (who has wronged you) computer that the user (who has access, but not the know-how of how to infect)would want to harm. So I'd wager that quite a few of those clicks would not qualify as a completely idiotic act.

Re:Hmmm

[Imaria]

I was thinking the same thing; this actually bodes far better for common sense than I would have imagined otherwise.

You pay all this money for AV software..

[QuantumG]

sometimes you just like to know that it is working.

I wonder if average users of AV software look at their "quarantined files" and do a rough calculation of how much each of them cost..

"Hmm, I paid $60 for AV software this year and I've had a grand total of 4 files quarantined.. that's $12.50 per file."

I guess not, as 99% of people probably have zero files quarantined, not counting the false positives (I know I do).

This is only a test....

[Torodung]

It is possible that some folks were testing their antivirus/patch status when they clicked? How many of them were loading the web page for forensic analysis?

Security "white hats" do things like that you know. All those hits could be FBI agents for all we know. ;^)

--
Toro

summing up the numbers..

[anonymous_but_brave]

From a browser perspective, 52 clicks were Firefox and 335 were IE (added up from TFA). So, 13% of those who clicked were using Firefox. From what I recall, 10-15% of all internet surfers use Firefox... I personally would have suspected a larger proportion of IE users.

Huh?

[julesh]

Last time I ran a Google Adwords campaign, they'd drop your advert if you get less than a threshold clickthrough rate. I think it was 0.5%. It was certainly higher than 0.16%. So how did they do this? Have Google dropped that restriction?

assuming they are humans

[Anonymous Coward]

of course these clicks couldn't be from Spiders/Robots, a lot of rogue bots/spiders use the IE UserAgent so as to fool logs, they tend to click on every link (adverts and hidden spam trap links included) i know ive grepped my logs and see so-called IE "users" clicking on every single link and download on my site within 10sec, all the time (must be fast readers or a bot) look for MFC in the UA string too as this is a sign of the IE COM component which is what a lot of the bots/spiders use for their dodgy page slurping

so by the time you remove the bots from these stats you are probably left with 3 genuine clicks and a load of "LOL this advert cannot be serious, lets have a look" clicks

Re:This is only a test....

[ben there...]

If I had seen it I'd click it. Just for the hell of it. Not because I think Firefox is completely invulnerable, but because it has a low probability of infecting me. Best case I cost some moron some money. Worst case I find a hole in Fx. Why not? That is, if I paid any attention whatsoever to Google Ads.

or cache pre-fetch

[jamesh]

Would any aggressive cache pre-fetch engines follow links like this?

Re:Browser stats

[ArsenneLupin]

Ha! I was going to suggest that firefox users are more "educated" and less likely to click on a link.

It's not so simple. Their education allows them to know that they should not click on such a link in IE. But it also tells them to run Firefox. While running Firefox, especially on Linux, they would have no risk, and curiosity will win.

It might be more interesting (but harder to obtain) a statistic broken down not only by the browser which user is currently using, but also by browser which they usually use. Here an "usual Firefox user currently stuck on IE" might be less likely to click on such a link. But such data can unfortunately not be obtained, short of asking user directly.

Hmmm, and even in that case, the behavior might not be what would be expected. A "usual Firefox user currently stuck on IE" might still click on that link, in order to teach the party who stuck him on IE a lesson... Tricky, tricky...

On the whole though I'd assume that there were the roughly same proportion of idiots in each camp

Not necessarily. As shown above, both idiots and smart people might click on the link. But they would do so for different reasons.

Re:How many slashdotters

[Columcille]

That was my thought. Had I seen something like this, chances are I would have clicked it just to see what they were trying to do.

I worked with a guy...

[httpamphibio.us]

He comes into work one day and you can tell by looking at him that he's pissed. He goes into the break room to get ready for the shift so I go back there and ask him what's wrong.

He says, "I'm need a new ****ing computer."
I ask why...
"because the one I have now is too slow. I can't use the web because I get hundreds of popups."
I tell him that's a pretty easy thing to fix and off to burn a CD and write up some directions for him.
He tells me that won't work... again, I ask why.
"Because I'm ****ing sick of Microsoft."
I tell him I totally understand that, but that his problem with the pop-ups is pretty easy to fix.
He says, "No, it's not. I click on all the Windows that ask me if I want to remove the viruses from my computer and they are always charging me $20-$40 per virus. I spent almost $400 last week!"

Another computer savvy employee had joined the conversation by this point and we both looked at each other in complete disbelief. The guy wasn't joking...

Re:Sad...

[c_forq]

I remember using Sub7 in High School, a friend and I infected an entire computer lab and would mess with random people during our computer literacy class. My favorite tricks were the flipping the monitor image and the matrix-screen thing. It lasted a few months before the anti-virus started detecting and fixing our backdoor. A couple years after I graduated a kid was expelled from my school for doing about the same thing, so I'm glad we were never caught.

I think I was the Safari user.

[Gary W. Longsine]

Performed for curiousity sake from a test system, re-imaged shortly thereafter.

I wonder how many of the IE hits are from ad-clicking bots pretending to be IE. I think those things do some amount of random ad poking, to hide their tracks.

Re:How many slashdotters

[gad_zuki!]

Me too. Only 409 people clicked on it, not 400,000. His click-through rate was terrible. As much as we're supposed to mock n00bs here, I wouldnt be surprised if most of these clicks (if not all) were from curious geeks.

Yes, they are comparable.

[Shadowlore]

For most users, yes that is among the worst, though not the worst.

Worse than reinstall: Having your private records emailed to others

Especially if your private records are government espionage records. Say your machine had a document you were preparing for your superiors detailing activities of some of your undercover intelligence operatives in foreign countries. Say the computer infection sent that information out. Worst case under this scenario: death of your agents, and death of your fellow citizens as they get slaughtered due to your government not knowing the details of an impending attack. Indeed, in this worse-case scenario the fatal STD is the minor incident since potentially thousands or even millions could be killed as a result of your machine getting sick.

What if your personal files were mailed out and the information in them led to the death of yourself or another? Say you had incriminating information that if others found out they may get violent over? What if that was emailed out.

I've seen this scenario on a less-than-fatal happen. I've seen people's Windows PCs get infected and their personal financial records emailed out to everyone in their address book.

What if your Windows Mobile device gets a virus on it locking your phone - preventing you from placing that call to 911? You or others (or both) could die from not having emergency medical arrive in time, if at all.

Most STDs are not fatal, even if untreated. Most Windows machine infections are not fatal, even if treated. But to say that they can not be is to not look at the potential or to consider the extent of which computers are integrated into our lives.