Hackers can buy their way into an average person’s computer for just a few cents, a new study says.
The promise of pocket change was enough incentive to make people download and execute unknown code on their computers, researcher Nicolas Christin at Carnegie Mellon University revealed. And this code could potentially take over their computers and use them as slaves.
“We asked users at home to download and run an executable [program] we wrote without being told what it did and without any way of knowing it was harmless,” explained Christin. “Our goal was to examine whether users would ignore common security advice… if there was a direct incentive.”
Using Amazon’s Mechanical Turk software marketplace, the researchers promoted their “Distributed Computing Client,” which said users would “get paid to do nothing,” at a range of $0.01 to $1. Users simply had to run the downloaded software for one hour and enter a code that enabled payment.
Even after users passed an explicit warning noting that the software could be dangerous, as many as 43 percent of people ran the opaque code for a buck.
A post-download survey showed that just 17 out of 965 users did anything to limit the damage that the potentially malicious code could cause, and only one actually expected to run into trouble with the code.