Didier Stevens documented an interesting experiment, in which he purchased a Google ad that encouraged people to click on the ad to be infected. (Thanks for the pointer, Johannes!) Didier was curious to see how many people would actually click. More than you might think. It turns out, the "ad was displayed 259,723 times and clicked on 409 times. That’s a click-through-rate of 0.16%." Not bad at all, considering that the campaign cost around $23.
The ad said:

Drive-By Download

Enticing potential victims via ads to visit a site that turns out to be malicious is a popular attack vector. Exploit Prevention Labs documented one such example a few weeks ago, where a Google ad that seemed to advertise the Better Business Bureau took the victim to a malicious site before forwarding him or her to the actual BBB website. The malicious site used "a modified MDAC exploit to try to install a backdoor" and a keylogger on the victim's system.
Perhaps there is no need for attackers to create advanced redirection chains or elaborate deception schemes. As Didier Stevens' experiment confirmed, people will click on anything.
InfoSec Practice Leader
Gemini Systems, LLC
May 16th 2007