Pay-per-install (PPI) businesses and affiliate networks made for a booming cybercriminal underground market from 2008 to 2013. Buoyed by the proliferation of fake antivirus (FakeAV) peddlers, operators made staggering profits from the sale of rogue security software.

Given the recent advancements in the cybersecurity industry and more effective anti-malware solutions and security strategies, though, how have former FakeAV adapted? WhoisXML API threat researcher Dancho Danchev sought to find out.

Danchev’s in-depth analysis of 46 email addresses connected to major PPI and affiliate network business owners resulted in the discovery of:

• Close to 110,000 domains containing the email addresses identified as indicators of compromise (IoCs) in their WHOIS records registered between 1993 and 2022
• Approximately 0.5% of the possibly connected domains were dubbed “malicious” by various malware engines
• More than 25,100 unique IP addresses to which the domains resolved
• Approximately 3.6% of the IP resolutions were identified as malware hosts

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Analysis and Findings

Danchev began by compiling a list of email addresses known to be connected to PPI and affiliate network operators between 2008 and 2013 from open source intelligence (OSINT) sources. He amassed 47 email addresses. Using these as search terms for advanced reverse WHOIS searches led to the discovery of 109,910 domains created between 1993 and 2022.

While we expected to uncover domains registered before and during the perpetrators’ operation period, it was quite interesting to note that even more web properties have been created after 2013 using the email addresses. The PPI and affiliate network operators may still have been in business after 2013.

A bulk Threat Intelligence Platform (TIP) malware check for 10% of the total number of domains showed that 51 have been tagged “malicious” by various malware engines.

DNS lookups for the domain artifacts revealed that they resolved to 25,101 unique IP addresses spread across 66 countries led by the U.S., Germany, Hong Kong, Canada, Australia, the Netherlands, Ireland, South Africa, China, and the U.K.

Malware checks for 10% of the identified IP hosts showed that 90 of them were malicious. While a good number of these dangerous web properties are already unreachable, for sale, or led to error pages, 10 remained active, hosting live content, including gambling-related and what look to be either personal blogs or business pages.

Concluding Thoughts

While the popularity of the PPI and affiliate network business model may have waned after 2013, their owners may still be active given that their known email addresses and the domains and IP addresses these are affiliated with remain in use.

The simplest act of clicking the links identified as malware hosts could result in system infection, which could lead to operational downtime. Things get worse if users log in and lose their personally identifiable information (PII) to cybercriminals.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.