Want to hijack people's PCs? Pay them a few cents

Apparently, hackers wanting to control PCs are wasting their time with elaborate botnets and vulnerability exploits -- all they may really need is some pocket change. A study found that between 22 to 43 percent of people were willing to install unknown software on their PCs in return for payments ranging from a penny to a dollar, even when their OS flagged the app as a potential threat that required permission to run.

While you might think that respondents would naturally be a bit suspicious, that wasn't usually the case. As researcher Nicolas Christin notes, just 17 people out of 965 were running virtual machines that limited the possible damage; only one person went in fully expecting trouble, according to exit surveys.

It's no surprise that you can get someone to compromise security if you say the right things. Just ask Kevin Mitnick, who breached networks by getting logins from overly trusting workers. However, the study also suggests that it would make more financial sense for hackers to pay targets directly rather than to pay for a botnet. Since people don't seem to attach much monetary value to their security, criminals could pay roughly what they do now to steal data while avoiding the use of unreliable bots and equally sketchy bot sellers.

The study isn't a big one, so it's difficult to know if the results would be consistent on a larger scale. Also, people looking at tasks in Mechanical Turk are already eager for money; it may be tougher to pay for control of a PC when the offer comes out of the blue. Even if the voluntary infections would be lower in practice, though, the finding is a friendly reminder to always treat unfamiliar code with caution, no matter how much profit you'll make by installing it.

Posted in: