Surfers click on the darndest things

by Paul Jay, CBC news online

Last month Google was forced to cancel paid advertisements after it was discovered phishers were using them to redirect users to sites containing malicious software.

The ads were paid for using Adwords, Google's service that lets advertisers pay to have keywords attached to their name and appear on the right-hand side of Google's search page as "Featured Advertisers."

Curious to understand the mind of the internet surfer, Finnish computer specialist Didier Stevens placed his own ad through Adwords. And unlike spammers, Stevens didn't hide his intent: The ad said "Is Your PC virus-free? Get it infected here!"

Amazingly, 409 people did.

Luckily for them, Stevens' site (entitled the less-than-subtle drive-by-download.info) didn't actually have any infections waiting. But his experiment over a six-month period demonstrates how easy it is for malicious sites to attract visitors. He breaks down the numbers in his blog:

During this period, my ad was displayed 259,723 times and clicked on 409 times. That’s a click-through-rate of 0.16%. My Google Adwords campaign cost me only €17 ($23 U.S.). That’s €0.04 ($0.06) per click or per potentially compromised machine. 98% of the machines ran Windows (according to the User Agent string).

As some readers of his blog pointed out, the computer users likely saw the words "virus-free" and "PC" and didn't bother to read the whole sentence.

Perhaps they should start doing that.