People Will Click On Anything
Didier Stevens documented an interesting experiment, in which he purchased a Google ad that encouraged people to click on the ad to be infected. (Thanks for the pointer, Johannes!) Didier was curious to see how many people would actually click. More than you might think. It turns out, the "ad was displayed 259,723 times and clicked on 409 times. That’s a click-through-rate of 0.16%." Not bad at all, considering that the campaign cost around $23.

The ad said:
Drive-By Download
Is your PC virus-free?
Get it infected here!
Enticing potential victims via ads to visit a site that turns out to be malicious is a popular attack vector. Exploit Prevention Labs documented one such example a few weeks ago, where a Google ad that seemed to advertise the Better Business Bureau took the victim to a malicious site before forwarding him or her to the actual BBB website. The malicious site used "a modified MDAC exploit to try to install a backdoor" and a keylogger on the victim's system.

Another example comes from Google's research paper that describes a malicious ad found on a video sharing site in December 2006. The page included a banner ad from a "large American advertising company. The advertisement was delivered in form of a single line of JavaScript that generated JavaScript to be fetched from another large American advertising company. This JavaScript in turn generated more JavaScript pointing to a smaller American advertising company..." The ad "resulted in a single line of HTML containing an iframe pointing to a Russian advertising company. When trying to retrieve the iframe, the browser got redirected, via a Location header" that directed the browser to retrieve malicious JavaScript.
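As an added example (not from the diary or from Google's paper), here is a small Python tracer that reconstructs a delivery chain like the one just described from captured responses: script tags written by JavaScript, an iframe, and a Location redirect, each hop recorded by hostname so an analyst can see where the chain leaves the expected ad networks. The hostnames and responses are constructed stand-ins, not the real companies involved.

```python
import re
from urllib.parse import urlparse

# Constructed offline stand-in for the chain above: url -> (status, headers, body).
# Every hostname here is invented for illustration.
RESPONSES = {
    "https://ads.bigco-a.example/tag.js": (200, {},
        "document.write('<script src=\"https://ads.bigco-b.example/serve.js\"></script>');"),
    "https://ads.bigco-b.example/serve.js": (200, {},
        "document.write('<script src=\"https://ads.smallco.example/fill.js\"></script>');"),
    "https://ads.smallco.example/fill.js": (200, {},
        "document.write('<iframe src=\"https://ads.ru-net.example/frame\"></iframe>');"),
    "https://ads.ru-net.example/frame": (302, {"Location": "https://bad.example/payload.js"}, ""),
    "https://bad.example/payload.js": (200, {}, "/* final JavaScript served to the browser */"),
}

# First script or iframe src in a body, whether it is plain HTML or HTML
# emitted from inside document.write(...).
SRC_RE = re.compile(r'<(?:script|iframe)[^>]*\bsrc=["\']([^"\']+)["\']', re.I)

def next_hop(url, responses):
    """Return the next URL the browser would fetch, or None at the end of the chain."""
    status, headers, body = responses[url]
    if 300 <= status < 400 and "Location" in headers:
        return headers["Location"]          # HTTP-level redirect
    m = SRC_RE.search(body)                 # script/iframe generated by the page
    return m.group(1) if m else None

def trace_chain(start, responses, max_hops=20):
    """Follow the chain from `start`; return the ordered list of hostnames visited."""
    chain, url, seen = [], start, set()
    while url and url not in seen and len(chain) < max_hops:
        seen.add(url)                       # guard against redirect loops
        chain.append(urlparse(url).hostname)
        url = next_hop(url, responses) if url in responses else None
    return chain

def unexpected_hosts(chain, trusted):
    """Hosts in the chain that are not among the ad networks the site contracted with."""
    return [h for h in chain if h not in trusted]

if __name__ == "__main__":
    hops = trace_chain("https://ads.bigco-a.example/tag.js", RESPONSES)
    print(" -> ".join(hops))
    print("unexpected:", unexpected_hosts(hops, {"ads.bigco-a.example", "ads.bigco-b.example"}))
```

With real captures, the same walk over proxy or browser-log responses shows how many parties sat between the publisher and the final script, which is the question the paper's example raises.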

Perhaps there is no need for attackers to create advanced redirection chains or elaborate deception schemes. As Didier Stevens' experiment confirmed, people will click on anything.

-- Lenny

Lenny Zeltser
InfoSec Practice Leader
Gemini Systems, LLC

May 16th 2007