Now posts ↓

Tuesday 15 May 2007

Drive-by Download? 0.16% say 'yes please'

If this isn't a screaming advert for the need for user testing I don't know what is ... from Wired

Hundreds Click on Google Ad Promising to Infect Their PCs

Drivebydownload1 Best white hat scam of the month: security researcher Didier Stevens bought a Google ad six months ago that said, "Is your PC virus-free? Get it infected here!" 409 people clicked on the ad -- people who would have been owned up or infested with malware had Stevens been a true scammer instead of a security geek with a weird sense of humor. Stevens writes:

During this [six month] period, my ad was displayed 259,723 times and clicked on 409 times. That’s a click-through-rate of 0.16%. My Google Adwords campaign cost me only €17 ($23). That’s €0.04 ($0.06) per click or per potentially compromised machine. 98% of the machines ran Windows (according to the User Agent string).

It's hard to say whether people clicked on the ad because they assumed it was a joke, or because they simply misread it as an anti-virus ad. Still, the numbers are pretty scary. The other shocker here is that Google, which does quite a bit of policing on ad content, didn't notice the scammy ad. Stevens says, "I designed my ad to make it suspect, but even then it was accepted by Google without problem and I got no complaints to date." Apparently, he's still running the ad, with slightly different experimental parameters. Can't wait to see what he finds out next . . .

Get It Infected Here Experiment [via Didier Stevens]

Google itself has exploded the malware via websites issue - basically leveraging their power to get website security dealt with by websites.

But, of course, this sort of thing with AdWords undermines their revenue base directly — because it ran for six months un-noticed.

User testing? The comments within geekdom confirm this — can't believe user behaviour and hence wouldn't take account of it ("That's 409 morons who need to be removed from the gene pool."), especially the sort of 'strange' behaviour exhibited by a minority which nevertheless screws up systems.

But Eddy Williams, an expert in this aspect of user behaviour, confirms its normality.

No comments:

Post a Comment