Earlier this week, Didier Stevens gave me a heads up on an experiment (if you could call it that) he performed using Google AdWords.
You see, a few weeks ago there was a story written by Brian Krebs at the Washington Post which revealed that Google AdWords was being used as a vector to infect Windows machines.
So, after this news broke you would think that a) Google would do more to police the content of AdWords ads and b) users would be more attentive to which AdWords ads they clicked on. Not so.
Didier, ever the smart aleck, set up a Google AdWords campaign 6 months ago with an ad that stated expressly: “Drive-By Download Is your PC infected? Get it infected here! drive-by-download.info”. Once the ad was clicked, the user was taken to a landing page that simply thanked them for their visit and logged the visit. No visitor was ever infected.
According to Didier…
During this period, my ad was displayed 259,723 times and clicked on 409 times. That’s a click-through rate of 0.16%. My Google AdWords campaign cost me only €17 ($23). That’s €0.04 ($0.06) per click or per potentially compromised machine. 98% of the machines ran Windows (according to the User Agent string).
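The figures above come from two things the landing page could see: the ad network's impression and click counts, and the User-Agent header of each visitor who arrived. The following is an added example (not Didier's code or data) that shows how the "98% Windows" and cost-per-click numbers are derived from a visitor log. The log lines are constructed for illustration, the log format is assumed, and the OS classification is deliberately coarse. The security caveat worth keeping in mind is that the User-Agent string is self-reported by the visitor's browser and trivially spoofable, so a breakdown like this tells you what visitors claimed to run, not what they actually ran.

```python
import re
from collections import Counter

# Constructed sample of landing-page visitor log lines (illustrative, not real data).
# Assumed format: <client ip> <ISO timestamp> "<User-Agent header>"
SAMPLE_LOG = """\
192.0.2.10 2007-05-01T10:00:00Z "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.11 2007-05-01T10:05:12Z "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
198.51.100.7 2007-05-01T11:17:41Z "Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/419 Safari/419.3"
203.0.113.5 2007-05-01T12:42:03Z "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4"
192.0.2.12 2007-05-01T13:01:59Z "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
192.0.2.13 2007-05-01T13:30:00Z "-"
"""

# One log line: ip, timestamp, then the quoted User-Agent (may be "-" when absent).
LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<ts>\S+) "(?P<ua>[^"]*)"$')


def classify_os(ua):
    """Coarse OS family from the self-reported User-Agent header.

    The header is under the visitor's control, so treat the result as a hint
    about the client population, never as proof of what a given host runs.
    """
    if not ua or ua == "-":
        return "unknown"
    if "Windows" in ua:
        return "Windows"
    if "Mac OS X" in ua or "Macintosh" in ua:
        return "Mac"
    if "Linux" in ua:
        return "Linux"
    return "other"


def os_breakdown(log_text):
    """Count visitors per claimed OS family, skipping malformed lines."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a bad line should not abort the whole report
        counts[classify_os(m.group("ua"))] += 1
    return counts


def windows_share(counts):
    """Fraction of logged visitors whose User-Agent claimed Windows."""
    total = sum(counts.values())
    return counts["Windows"] / total if total else 0.0


def campaign_metrics(impressions, clicks, cost):
    """Click-through rate and cost per click from the ad network's counters."""
    ctr = clicks / impressions if impressions else 0.0
    cost_per_click = cost / clicks if clicks else 0.0
    return {"ctr": ctr, "cost_per_click": cost_per_click}


if __name__ == "__main__":
    counts = os_breakdown(SAMPLE_LOG)
    print("claimed OS breakdown:", dict(counts))
    print("Windows share: %.0f%%" % (100 * windows_share(counts)))
    # The campaign totals quoted in the post, in euros.
    m = campaign_metrics(259723, 409, 17.0)
    print("CTR: %.2f%%  cost per click: EUR %.2f" % (100 * m["ctr"], m["cost_per_click"]))
```

On the constructed sample, three of six visitors claim Windows, so the share is 50%; run against a real visitor log in the same format it would reproduce a figure like the 98% quoted above, with the same caveat that nothing stops a visitor (or a crawler) from sending whatever User-Agent it likes.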
As a bonus, Google has taken no action against Didier’s curiously worded AdWords ad. Nothing at all. That says a lot about Google’s quality assurance.
I have been working with AdWords for the past couple of years, and all I can say is that I find Didier’s experiment so hilarious in so many ways that I cannot even begin to describe it.
Update 5/16: Didier made Slashdot this morning, and I’m seeing traffic from his previous spamdexing post. And for the curious, here’s my original post about mocked-up Google SERPs on .info domains and putting mine and Didier’s findings together.