Security white hats, despair: users will run dodgy executables if they are paid as little as one cent.
more would allow their computers to become infected by botnet software
nasties if the price was increased to five or 10 cents. Offer a whole
dollar and you'll secure a herd of willing internet slaves.
The demoralising findings come from a study lead by Nicolas
Christin, research professor at Carnegie Mellon University's CyLab which
baited users with a benign Windows executable sold to users under the
guise of contributing to a (fictitious) study.
It was downloaded
1,714 times and 965 users actually ran the code. The application ran a
timer simulating an hour's computational tasks after which a token for
payment would be generated.
The researchers collected information
on user machines discovering that many of the predominantly US and
Indian user machines were already infected with malware despite having
security systems installed, and were happy to click past Windows' User
Access Control warning prompts.
The presence of malware actually increased
on machines running the latest patches and infosec tools in what was
described as an indication of users' false sense of security.
completing the tasks told a subsequent questionnaire they were
conscious of security risks leading to the conclusion that users were
happy to give up control of their machines for a pittance provided
compute power was not impacted.
It was fantastic news for bot
owners who could offer payment in exchange for exclusive control of more
stable zombie machines: such a model was dubbed a "Fair Trade Botnet".
demonstrate that, far from being consistent with their stated
preferences, in practice, users actually do not attach any significant
economic value to the security of their systems," research quartet
Nicolas Christina, Serge Egelmanb, Timothy Vidasc, and Jens Grossklags
wrote in a paper titled It’s All About The Benjamins (PDF).
ignorance could explain this state of affairs, we show that the reality
is much worse, as some users readily turn a blind eye to questionable
activities occurring on their systems, as long as they can themselves
make a modest profit out of it," the researchers write, adding that
"...many users seem to be content ignoring possible security compromises
as long as the compromised state does not noticeably impact the
performance of the machine."
The tool was reposted to Amazon's Mechanical Turk
every week for five weeks with the price paid for the work increasing
every seven days from $0.01 to $0.05, $0.10, $0.50, and finally $1.00.
Users could not participate if they had already done so in prior weeks.
users were expectantly willing to run the potential bot trojan at $1,
but still 22 per cent of the total sucker count played for one cent.
Seventeen users won a gold star by running the executable in a virtual machine.
raises questions about the effectiveness of well known security advice
when competing against the smallest of incentives," the researchers
Readers can listen to a podcast of Christin discussing the work at the 2014 Workshop on Security and Human Behaviour.