Paying People to Infect their Computers

Research paper: "It’s All About The Benjamins: An empirical study on incentivizing users to ignore security advice," by Nicolas Christin, Serge Egelman, Timothy Vidas, and Jens Grossklags.

Abstract: We examine the cost for an attacker to pay users to execute arbitrary code -- potentially malware. We asked users at home to download and run an executable we wrote without being told what it did and without any way of knowing it was harmless. Each week, we increased the payment amount. Our goal was to examine whether users would ignore common security advice -- not to run untrusted executables -- if there was a direct incentive, and how much this incentive would need to be. We observed that for payments as low as $0.01, 22% of the people who viewed the task ultimately ran our executable. Once increased to $1.00, this proportion increased to 43%. We show that as the price increased, more and more users who understood the risks ultimately ran the code. We conclude that users are generally unopposed to running programs of unknown provenance, so long as their incentives exceed their inconvenience.

The experiment was run on Mechanical Turk, which means we don't know who these people were or even if they were sitting at computers they owned (as opposed to, say, computers at an Internet cafe somewhere). But if you want to build a fair-trade botnet, this is a reasonable way to go about it.

Two articles.

Posted on June 19, 2014 at 6:28 AM • 32 Comments


Ernesto Gonzalez • June 19, 2014 6:44 AM

Illegal botnet? Hell, wait until Advertisers/Facebook/Google realize this is feasible. Why waste all that money on ads, commercials, and various browser/user tracking methods, just pay your targets a fraction of that money and track them directly. Who wouldn't want to make Facebook or Google "even more awesome?"...*barf*

Harald K • June 19, 2014 6:46 AM

Doing this from the other end would be leaving some small amount of bitcoin in a wallet rather easily accessible on your computer. The theory is that if it is ever compromised, the attackers will just take the easy money (and thus reveal that the machine was compromised) rather than hang around and hope for larger pickings.

I believe comparably small amounts would be sufficient for attackers to take the bait. Both are essentially ways of figuring out the market value of a compromised computer.

Jens • June 19, 2014 6:58 AM

Well, now imagine the amount of computers you can infect if you don't pay the people directly (which obviously raises suspicions for some) but use a "program" they need for some revenue program. I'd bet that the percentage will rise enormously if you wrap it inside such a program as "get revenues when you order from amazon / watch certain ads", for which you need to install certain software.

jbmartin6 • June 19, 2014 7:49 AM

Doesn't seem that interesting to me, it reminds me of those "we gave people a piece of candy in exchange for their password". Well, I would give "my password" for a piece of candy too. That doesn't mean it is a valuable password, or even the correct one. As Schneier mentions, it is pretty hard to know how good or bad the participant's decision was. Aside from now knowing how and where the software was installed, there is also a trust factor. A solicitation on Mechanical Turk is a lot different than some random website or email. Would Amazon leave a malware installation task on there? Perhaps, perhaps not. But that's a pretty brazen channel to use for malware distribution, with a lot of potential tracks back to the criminal. In other words, not necessarily a valid test since the trust level is a lot higher for a task on Amazon than an unknown forum.

Craig C • June 19, 2014 8:18 AM

"Why did the engineer cross the road? ...because the manual said not to, and he wanted to see what would happen." I hope at least some of those clicks were security researchers using Redshirt VMs hoping to analyze new malware.

paul • June 19, 2014 8:21 AM

Mechanical Turk is also a fairly specialized population, since it consists of people with reliable internet access but little other employment, and whose time is typically worth well under $1 an hour.

Evan Harper • June 19, 2014 8:27 AM

For those who don't want to read the whole study to find it: They told participants truly that it was a research study, but they took measures to make this impossible to verify (throwaway personal MTurk account, etc.) At one point in the paper they gloat a little about how the MTurker forum dwellers (who share information all the time, invalidating more than one MTurk study) concluded that the program was surely legitimate because the task paid up honestly and AV software didn't complain, which is totally wrong.

Kahomono • June 19, 2014 9:47 AM

Obviously the thing to do is to accept this task on a LiveCD. Over and over. :)

Joe • June 19, 2014 10:03 AM

I agree with jbmartin6. The study concludes that "it really is all about the Benjamins" in a "marketplace" where "requesters pay workers...for successfully completing a task".

Reminds me of the line from Casablanca when police raid Rick's casino: "I'm shocked, shocked I tell you to find gambling going on here!"

Marco • June 19, 2014 11:37 AM

I've seen a lot of this in the Facebook "virtual currency" area. Apps like Farmville would require "gold". You could get "2 free gold" by watching an advertisement, or "200 free gold" by installing some trial program on your computer. According to the numbers, plenty of people install junk to get a free purple sheep.

Anura • June 19, 2014 12:25 PM

When running folding@home 24/7 I saw my power bill go up something like $20+ a month, IIRC - I'd imagine if you could pay people $0.01 per hour to run your distributed computing program, you could save yourself some money while they all lose out. It wouldn't occur to people how much of a difference there is in power consumption between load and idle.

Charlie Harvey • June 19, 2014 1:02 PM

Along similar lines to Kahomono, if it were me I'd just fire up a virtual machine for the purposes of the experiment and take the cash. That way I wouldn't even need to reboot. In fact I'd be more interested to know what the researchers wanted to do to the machine than in getting paid.

Sam • June 19, 2014 2:32 PM

@Charlie - if you read the paper, they explicitly check if the executable is running in a VM (at a basic level, red pill + scan for VMware/parallels tools).

Prof. Godel Fishbreath • June 19, 2014 5:30 PM

Or it means that the paid users were sure of their anti virus situation, even if it was a false sense of surety.
I have Linux, I would sign up, maybe after doing a fast backup.

Anura • June 19, 2014 6:20 PM

At $1 I personally wouldn't even bother, even if I knew for a fact it was completely safe.

Chris • June 19, 2014 10:26 PM

On the "a penny saved is a penny earned" principle, you wouldn't have to pay someone anything, you could offer to save them money. That's what malware infected pirated software. People take risks because they're saving money.

Free's also a powerful word for getting someone to drop their guard. How many free apps do you download for your device & wonder, why does a game require access to my Contact, Location, etc?

Daws • June 20, 2014 1:52 AM

"How many free apps do you download for your device & wonder, why does a game require access to my Contact, Location, etc? "
@chris: I guess that's why I install apps such as XPrivacy on my rooted Android device.

Coyne Tibbets • June 20, 2014 2:46 AM

It's more than just research: It's being done in practice now. You build an app that does some useful little thing like play tic-tac-toe. Then you give it away. People will install it because it gives them something but it's free.

The average person won't worry about the possibility it does something inimical.

Marco • June 20, 2014 3:53 AM

This is the discovery of hot water. Nothing new to discover in human behaviour: we do chemotherapy as cancer treatment...

Aspie • June 20, 2014 4:09 AM

Please stare at the black square and ignore the flashing red-green/blue background ...$5...into...the...following...account...number

Mike the goat • June 20, 2014 1:51 PM

Chris: I think it is amazing that people actually bother doing tasks on Mechanical Turk. I believe a study found that a person performing tasks at average pace will earn an average of about $1/hr. Walmart would be a better option for someone hard up.

Herman • June 21, 2014 12:41 AM

So many people pay to use Windows, which is insecure and a soft target for malware, that it is fairly obvious that you don't need to pay people to install malware. They are more than willing to do it for free.

Leon Wolfeson • June 21, 2014 1:18 PM

To be fair, I'd quite happily take the cash and run it inside a freshly spun-up virtual machine instance.

Leon Wolfeson • June 21, 2014 1:20 PM

Oops, didn't read that they scanned for it :)

(But I suspect they wouldn't get my setup, still, it's not a standard one.)

Rhialto • June 23, 2014 5:22 AM

@ Ernesto Gonzalez • June 19, 2014 6:44 AM

Who wouldn't want to make Facebook or Google "even more awesome?"...*barf*

Facebook and Google already download code onto your computer and you execute it "to make it more awesome". It is called "javascript".

bob • June 23, 2014 8:11 AM

@Mike the goat

I agree, I've never understood it either. It's like those who claim there are people _outside_ the USA! Wake up, sheeple!

Mike the goat • June 23, 2014 6:46 PM

Aspie: suddenly I feel tired and compelled to deposit some money into your account. If only I knew the number.. and your SSN too, please? ;-)

the owl • June 26, 2014 1:56 AM

Leon Wolfeson, your virtual machine still needs a network connection to download the malware. Even using a Sandbox and a read-only image on a disc, upon initiating a network connection your system can be scanned, your router/modem and system hardware identified, your ISP identified, your ISP's hardware and server software identified.

The problem with malware is that it can be crafted to blow your anonymity and broadcast its route as it is downloaded to your system, though of course you could use someone else's system, or a mobile device using a fake MAC via a free wireless connection near your local free wireless provider (the number of people using default passwd or password for their wireless router is appalling, just don't tell my neighbours that please).

the owl • June 26, 2014 2:01 AM

Amazon provides their new phone that can scan and recognise objects. This "smartphone" could be hacked and used to scan the owner's home for any other electronic "smart devices" that can also be compromised.

Smart Fridge, Smart TV, Router/modem/switch identified, any other "smart" phones.

Search device, search default passwords, search exploits...
