Malicious PPI Businesses and Affiliate Networks | WhoisXML API

The Current State of Malicious PPI Businesses and Affiliate Networks

Pay-per-install (PPI) and affiliate networks, which made headlines between 2008 and 2013, may not be entirely gone. Research by WhoisXML API threat researcher Dancho Danchev revealed that some of the domains registered using email addresses belonging to their operators remain active to this day.

Danchev’s deep dive into the threat revealed:

  • Close to 110,000 domains, registered between 1993 and 2022, whose WHOIS records contain the email addresses identified as indicators of compromise (IoCs)
  • Approximately 0.5% of the possibly connected domains were dubbed “malicious” by various malware engines
  • More than 25,100 unique IP addresses to which the domains resolved
  • Approximately 3.6% of the IP resolutions were identified as malware hosts

Download a sample of the threat research materials now or contact us to access the complete set of research materials.
