A spoof ad campaign offering surfers the chance to infect their PCs with malware has drawn plenty of interest.

In an experiment, a security researcher bought a Google ad campaign to promote a site ostensibly offering to infest visitors' Windows PCs with computer viruses. The "click here to be infected" campaign was displayed 259,723 times and clicked on 409 times, at a click-through rate of 0.16 per cent or around one in 500. The cost of the six-month campaign was $23, or around 5c per chance to infect a PC.

The ad was pretty unambiguous in its intent:

Drive-By Download Is your PC virus-free? Get it infected here!

Users clicking on the ad were directed to the domain drive-by-download.info domain. Domain featuring .info are notorious for hosting malware. In this case, no malware or scripts were ever hosted on the site, but those visiting the site weren't to know it was just an experiment.

It'd be nice to think that those that clicked on the ads were cyber-savvy types with fully patched systems who were simply curious about the bizarre offer. But we doubt it.

As the SANS' Institute's Internet Storm Centre notes, the experiment provides evidence that some people will "click on anything".

Tricking users into visiting sites contaminated with malicious scripts has begun to outpace malware-infected email as the main means to deliver malware over recent months. Didier Stevens' experiment provides evidence that such malware trickery might be effective even without convoluted redirection chains or elaborate deception schemes, further illustrating how dangerous it is to visit "dodgy" websites. ®

Related stories

• Malware miscreants target parked domains (14 August 2007)
• Google acquires 'sandbox' technology for secure browsing (29 May 2007)
• Hackers debut spam and virus sandwich (26 April 2007)
• Interview 0wning Vista from the boot (26 April 2007)
• McAfee maps malware risk domains (12 March 2007)
• Workshop Gadzooks! My PC has the pox (11 November 2004)