Cybercriminals could buy their way into your computer for less than a dollar, a new academic study has found.
The study, led by Nicolas Christin at Carnegie Mellon University, Pittsburgh, examined how much money they would have to offer home users to unquestioningly install software onto their computers or other devices.
“We asked users at home to download and run an executable [program] we wrote without being told what it did and without any way of knowing it was harmless,” explained Christin. “Our goal was to examine whether users would ignore common security advice… if there was a direct incentive.”
The software offered by the researchers was harmless, but if they had been genuine cybercriminals, it would have been malware designed to turn home users computers into ‘bots’ – computers under some degree of remote control, used to distribute more malware and participate in fraud. Christin and his team used Amazon’s Mechanical Turk software marketplace to promote their ‘Distributed Computing Client’.
The advert posted with the software claimed users would “get paid to do nothing” and required them simply to run the software for one hour, after which it displayed a code to enable them to claim payment. Payments offered ranged from $0.01 to $1.
Access was restricted to users with Microsoft Windows XP or later; in Windows Vista or later, users would have to acknowledge a warning notice that the software could be dangerous.
The results showed that 22% of people who saw the offer downloaded and ran the software for just $0.01. When the reward offered was increased to $0.50, that figure rose to 36%, and for a dollar, 43% of people would run the mystery software.
Malware bundled with the software could have included Cryptolocker software, a type of malware which locks users out of their own systems and holds them to ransom. The average ransom cost in the US is $300.
Only 17 out of 965 people who downloaded the software did so in a ‘virtual environment’, a setup designed to minimize the potential damage that malware could cause. Only one person directly expected the software to be potentially harmful, according to surveys conducted after the downloads.
Engadget points out that users of the Mechanical Turk site are ‘already eager for money’ and note that it ‘may be tougher to pay for control of a PC when the offer comes out of the blue’, but conclude that the research is a ‘reminder to always treat unfamiliar code with caution, no matter how much profit you’ll make by installing it.’