Didier’s Drive-by AdWords

Posted by joy
Earlier this week, Didier Stevens gave me a heads up on an experiment (if you could call it that) he performed using Google AdWords.

You see, a few weeks ago there was a story written by Brian Krebs at the Washington Post which revealed that Google AdWords was being used as a vector to infect Windows machines.

So, after this news broke you would think that a) Google would do more to police the content of Google AdWords and b) users would be more attentive about which Google AdWords they clicked on. Not so.

Didier, ever the smart aleck, set up a Google AdWords campaign 6 months ago with an ad that stated expressly “Drive-By Download Is your PC infected? Get it infected here! drive-by-download.info”. Once the ad was clicked, the user was taken to a landing page which simply thanked them for their visit and logged each visitor. No visitor was ever infected.

According to Didier…

During this period, my ad was displayed 259,723 times and clicked on 409 times. That’s a click-through rate of 0.16%. My Google AdWords campaign cost me only €17 ($23). That’s €0.04 ($0.06) per click or per potentially compromised machine. 98% of the machines ran Windows (according to the User Agent string).

As a bonus, Google has taken no action against Didier’s curiously worded AdWords ad. Nothing at all. That says a lot about Google’s quality assurance.

I have been working with AdWords for the past couple of years and all that I can say is that I find Didier’s experiment so hilarious in so many ways, I cannot even begin to describe it.

Update 5/16: Didier made Slashdot this morning and I’m seeing traffic from his previous spamdexing post. And for the curious, here’s my original post about mocked-up Google SERPs on .info domains and putting my and Didier’s findings together.

[tags]Didier Stevens, Google, AdWords, AdWords quality control, Windows exploits [/tags]


3 Responses to “Didier’s Drive-by AdWords”

  1. Katy G. B. Says:

    *hugs* &hey,
    i just found your blog &podcasts. i’ve been on a constant search for other uber-chic-geek-chicks ™-lol not really, but maybe (c), :). we need a way _free_ to get together, meet, an etc. well anyways your blogs in my rss feeder and your podcast is in democracy… i even sent you off to stumble-upon. see i really do like your blog, lol. anyways i’m writing mainly cause i’m wanting to know if you’re still doing your podcast? *hopes-so*. btw, i’m planning on starting a geekette podcast, if you’d be interested in talking more and etc i’d love to talk. i’m thinking like something like a simply skype ranty-geeky-nerdy-girl(y), lol, kinda podcast. but i’m not like totally psyched about like a one girl cast/podcast(like whatever i know that you’ll know what i mean). anyways killer blog and good luck &goodness keep-up the podcast. but like whatever, i hope i’ll hear from you. take care & lots of *hugs*

  2. Sigivald Says:

    What action could Google really take that wouldn’t just make them a butt of jokes?

    He was not, after all, actually infecting anyone. Google is not, perhaps, so clueless as to smack him for pointing that out; the only publicity that would make is unpleasant.

  3. Acer Says:

    I agree with you guy. “That’s €0.04 ($0.06) per click or per potentially compromised machine.” That says a lot about Google’s quality assurance.
