Cybercriminal network Innovative Marketing made headlines in rogue scareware’s heyday. Between its founding in Kyiv, Ukraine, in 2009 and the three years it continued operating, the company reportedly amassed close to US$700 million in revenue.

Today, Innovative Marketing founders, Shaileshkumar P. Jain and Bjorn Daniel Sundin, remain on the Federal Bureau of Investigation (FBI) most wanted list for wire fraud, conspiracy to commit computer fraud, and computer fraud. Anyone who can provide information on the two’s whereabouts stand to gain US$20,000 for their capture.

We sought to find out if the Innovative Marketing rogue scareware products continue to pose a threat more than a decade down the line. Our deep dive revealed these findings:

• 125 unique IP resolutions of the 991 domains publicized as Innovative Marketing indicators of compromise (IoCs), 14 of which were dubbed “dangerous” by various malware engines
• 381 additional domains that shared the IP addresses of the domain IoCs, three of which turned out to be malicious
• 53,950 domains registered recently by the owners of 45 of the email address IoCs

As part of our ongoing effort to enable cybersecurity analysts and researchers to further their studies, we collated all pertinent data and made it available to anyone interested. You may download the related threat research materials here.

The Starting Point

We started our investigation with 992 domains known to have hosted Innovative Marketing rogue scareware pages throughout its operation. Examples of these are:

• softwareprofit[.]com
• innovativemarketing[.]com
• workhomecenter[.]com
• creditsecretsguide[.]com
• onerateld[.]com
• billingnow[.]com
• computershield[.]com
• virusguard[.]com
• qualitysoftware[.]com
• internetantispy[.]com

Interestingly, despite the outstanding warrant for the company’s founders, the Innovative Marketing site is still up and running according to a screenshot lookup.

We also used 81 registrant email addresses found in the domains’ historical WHOIS records. Most of these were created using free email services, notably Hotmail, Yahoo!, and Gmail.

A Closer Look

We began by subjecting the 991 domain IoCs to Domain Name System (DNS) lookups. That gave us 126 unique IP resolutions. Examples of the IP addresses 191 out of the 991 domain IoCs resolved to are:

• 3[.]19[.]116[.]195
• 3[.]18[.]7[.]81
• 185[.]230[.]63[.]171
• 207[.]148[.]248[.]143
• 54[.]209[.]32[.]212
• 52[.]71[.]57[.]184
• 52[.]128[.]23[.]153
• 34[.]102[.]136[.]180
• 2606[:]4700[:]3034[::]6815[:]602
• 2606[:]4700[:]3031[::]ac43[:]861a
• 104[.]21[.]6[.]2

Malware checks via Threat Intelligence Platform (TIP) revealed that 14 of the 126 IP addresses were dubbed “dangerous” by various malware engines. These are:

• 207[.]148[.]248[.]143
• 34[.]102[.]136[.]180
• 35[.]186[.]238[.]101
• 103[.]224[.]182[.]246
• 15[.]197[.]142[.]173
• 199[.]59[.]243[.]200
• 200[.]58[.]112[.]68
• 216[.]218[.]185[.]162
• 198[.]54[.]117[.]244
• 209[.]141[.]38[.]71
• 107[.]161[.]23[.]204
• 208[.]91[.]197[.]46
• 173[.]239[.]5[.]6
• 217[.]70[.]184[.]38

We then did reverse IP lookups for the 126 IP addresses, which gave us a sample of 381 domains that shared them as hosts. There could be tons more, though. Here are some a few sample connected domains:

• 0—0—0[.]info
• absoluteoutdoorinc[.]com
• bedsteantivirus[.]com
• cheapcomputerrepair[.]com
• gomyhit[.]com
• herbalgeneration[.]com
• newbieadguide[.]com
• res-aeronautica[.]com
• kay4kona[.]com
• direct-billing[.]com

While only three of them—kay4kona[.]com, 002145f8abd4[.]com, and 09876543211234567890[.]com—were dubbed “dangerous” by various malware engines, steering clear of all of them is advised due to their connection to the domain IoCs.

For good measure, we also performed reverse WHOIS lookups on current records only using the email address IoCs as search terms and found that 45 were still actively being used to register thousands of domains, at least 53,950 (results per email address were limited to a maximum of 10,000) to be exact.

Interestingly, six of the additional domains contained security- or antivirus-related strings akin to the ones Innovative Marketing used. Examples include mydiysecurity[.]com and vulcansecurity[.]com. We didn’t subject them to a malware check, though, as most probably belong to domainers, as evidenced by several screenshot lookups made that revealed the domains were parked. Given their connections, however, to a known threat email address, it may be best to avoid accessing or, worse, purchasing any of them.

The Verdict

While we can’t be sure if Innovative Marketing’s malware business remains operational, we do know that its website is still active and both its founders have not been incarcerated.

And given their ties to the domains and email addresses known for being part of the cybercriminal operation, users should avoid accessing the thousands of connected web properties we identified, especially the 14 IP addresses and three domains that TIP dubbed “dangerous.”

If you wish to perform a similar investigation, please don’t hesitate to contact us. We’re always on the lookout for potential research collaborations.