
Stevens created an advertisement on Google AdWords offering users the chance to infect their PC with malware simply by clicking on a link.
The ad stated: 'Is your PC virus-free? Get it infected here!'. The ad was displayed 259,723 times and 409 people clicked on the link.
The site contains no malware, but security experts warned that similar methods are used by hackers to get users to visit sites containing viruses and malware that infect the user's machine.
Stevens ran the ad for six months for around US$23, which means that it cost only six cents per click or per potentially compromised machine.
"I designed my ad to make it suspect, but even then it was accepted by Google without problem and I got no complaints to date, and many users clicked on it," Stevens wrote on his blog.
"Now you may think that they were all stupid Windows users, but there is no way to know what motivated them to click on my ad. I did not submit them to an IQ test."
Lenny Zeltser, a security consultant at Gemini Systems, said: "Perhaps there is no need for attackers to create advanced redirection chains or elaborate deception schemes. As Stevens's experiment confirmed, people will click on anything."
Google has since disapproved and removed the ad, stating that it violates AdWords editorial guidelines.