It's All About The Benjamins: Fair Trade botnets and incentivizing users to ignore security advice
Serge M. Egelman, Nicolas Christin, Timothy Vidas, Jens Grossklags
We examine the cost for an attacker to pay users to execute arbitrary code, potentially malware. We created an Amazon Mechanical Turk task in which users were asked to download an executable we wrote and run it for an hour. While this program was benign, users were not told what it did and had no way of knowing it was harmless. Each week, we increased the payment amount. Our goal was to examine whether users would ignore commonly understood security advice (do not run untrusted executables) if there was a direct incentive for them to do so, and how large this incentive would need to be. We observed that even for payments as low as $0.01, 22% of the people who viewed the task ultimately ran our executable. Once the payment was increased to $1.00, this proportion increased to 43%. We show that as the price increased, more and more users who understood the risks ultimately ran the code. We conclude that users are generally unopposed to running malware, so long as their incentives exceed their inconvenience.
Financial Cryptography and Data Security '11
February 28-March 4, 2011
behavioral economics, online crime, human experiments
Egelman, S., Christin, N., Vidas, T. and Grossklags, J., It's All About The Benjamins: Fair Trade botnets and incentivizing users to ignore security advice, Financial Cryptography and Data Security '11, St. Lucia
(Accessed June 3, 2023)