
What Is the Current State of Malicious PPI Businesses and Affiliate Networks?

Pay-per-install (PPI) businesses and affiliate networks made for a booming cybercriminal underground market from 2008 to 2013. Buoyed by the proliferation of fake antivirus (FakeAV) peddlers, operators made staggering profits from the sale of rogue security software.

Given the recent advancements in the cybersecurity industry and more effective anti-malware solutions and security strategies, though, how have former FakeAV peddlers adapted? WhoisXML API threat researcher Dancho Danchev sought to find out.

Danchev’s in-depth analysis of 46 email addresses connected to major PPI and affiliate network business owners resulted in the discovery of:

  • Close to 110,000 domains, registered between 1993 and 2022, whose WHOIS records contained the email addresses identified as indicators of compromise (IoCs)
  • Approximately 0.5% of the possibly connected domains were dubbed “malicious” by various malware engines
  • More than 25,100 unique IP addresses to which the domains resolved
  • Approximately 3.6% of the IP resolutions were identified as malware hosts

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Analysis and Findings

Danchev began by compiling a list of email addresses known to be connected to PPI and affiliate network operators between 2008 and 2013 from open source intelligence (OSINT) sources. He amassed 47 email addresses. Using these as search terms for advanced reverse WHOIS searches led to the discovery of 109,910 domains created between 1993 and 2022.

While we expected to uncover domains registered before and during the perpetrators’ operation period, it was quite interesting to note that even more web properties were created after 2013 using the email addresses. The PPI and affiliate network operators may still have been in business after 2013.

A bulk Threat Intelligence Platform (TIP) malware check for 10% of the total number of domains showed that 51 have been tagged “malicious” by various malware engines.

DNS lookups for the domain artifacts revealed that they resolved to 25,101 unique IP addresses spread across 66 countries led by the U.S., Germany, Hong Kong, Canada, Australia, the Netherlands, Ireland, South Africa, China, and the U.K.

Malware checks for 10% of the identified IP hosts showed that 90 of them were malicious. While a good number of these dangerous web properties are already unreachable, are for sale, or lead to error pages, 10 remained active, hosting live content, including gambling-related pages and what look to be either personal blogs or business pages.
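The pivot described in this section, sketched as an added Python example that is not part of the original article or WhoisXML API's tooling: it matches constructed WHOIS records against a constructed seed list and buckets each hit against the 2008–2013 operation period. The seed emails, records, and function names are placeholders, and the rate check assumes the reported percentages are taken over the 10% samples (10,991 domains and 2,510 IP addresses).

```python
from datetime import datetime

# Constructed seed list and WHOIS records (placeholders, not data from the research).
SEED_EMAILS = {"operator1@example.com", "operator2@example.net"}
WHOIS_RECORDS = [
    {"domain": "a.example", "emails": ["Operator1@Example.com"], "created": "2006-03-14"},
    {"domain": "b.example", "emails": ["operator2@example.net "], "created": "2010-07-01"},
    {"domain": "c.example", "emails": ["privacy@proxy.example", "operator1@example.com"],
     "created": "2019-11-23"},
    {"domain": "d.example", "emails": ["someone@else.example"], "created": "2015-01-02"},
    {"domain": "e.example", "emails": ["operator2@example.net"], "created": "REDACTED"},
]
ACTIVE_START, ACTIVE_END = 2008, 2013  # operation period named in the article


def normalize(email):
    """WHOIS contact fields vary in case and padding; compare canonical forms."""
    return email.strip().lower()


def period(created):
    """Bucket a creation date relative to the 2008-2013 window."""
    try:
        year = datetime.strptime(created, "%Y-%m-%d").year
    except (TypeError, ValueError):
        return "unknown"  # redacted or malformed dates stay visible, not dropped
    if year < ACTIVE_START:
        return "before"
    return "during" if year <= ACTIVE_END else "after"


def pivot(records, seeds):
    """Return {domain: period} for records with a contact email in the seed list."""
    seeds = {normalize(s) for s in seeds}
    hits = {}
    for rec in records:
        if seeds & {normalize(e) for e in rec.get("emails", [])}:
            hits[rec["domain"]] = period(rec.get("created"))
    return hits


def flagged_rate(sample_size, flagged):
    """Share of a checked sample tagged malicious, as a percentage."""
    return round(100 * flagged / sample_size, 1) if sample_size else 0.0


if __name__ == "__main__":
    print(pivot(WHOIS_RECORDS, SEED_EMAILS))
    print(flagged_rate(109910 // 10, 51), flagged_rate(25101 // 10, 90))
```

Records with redacted or unparseable creation dates land in an "unknown" bucket so they remain available for manual review instead of silently dropping out of the timeline.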

Concluding Thoughts

While the popularity of the PPI and affiliate network business model may have waned after 2013, their owners may still be active given that their known email addresses and the domains and IP addresses these are affiliated with remain in use.

The simplest act of clicking the links identified as malware hosts could result in system infection, which could lead to operational downtime. Things get worse if users log in and lose their personally identifiable information (PII) to cybercriminals.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
