Traffic exchange is probably one of the oldest types of grey-hat business on the internet. Different companies compete to buy or sell real traffic for your projects. For example, you may need better ranking (SEO) in search engines, more followers on a social network, or money from your ads; you may be an exploit kit operator, or need to promote your Bitcoin-based Ponzi scheme… Everybody needs traffic, and it is not cheap.

A number of different, (very) old groups of actors are still active today. They use more or less creative ways to generate a huge amount of traffic. Sending spam is often the obvious way.

Most of the spam you receive daily, such as dating websites or Viagra promotions, is not very sophisticated. Most emails only contain a few words or sentences and a link. The main purpose of these campaigns is to collect traffic and resell it.

However, spam is not the only way to generate traffic. Another lucrative way is to use a botnet. If you find a legal way to make people install your software on their computer, you can then use that software to display ads on victims’ computers. This is typically what we call Adware or Potentially Unwanted Application (PUA). This business model can for example help a developer to earn money even if the software is offered for free, but it can also be abused.

Some Adware operations monetize their traffic by allowing their clients to push whatever software they want on the computer of the Adware victim. This is called Pay-per-Install (PPI).

Plenty of “companies” offer to install any software you want on a specific group of computers in exchange for money. This business, very similar to the illegal install reselling market of botnets like Emotet, is sometimes just a front for malware distribution operations.

This article describes a famous PPI product out there, called InstallCapital. For legal or illegal reasons, real traffic is a huge business and if you think that spam or adware are shady activities then take a seat and enjoy reading about the Pay-per-Install economy.

InstallCapital — In the business since 1999

InstallCapital is a product made by a Swedish company called Wakenet AB. We strongly recommend you read the amazing work of Oliver Devane and Charles Crofford from McAfee in 2018 about Wakenet AB, documenting the business of the company since 1999. Our aim with this article is to show fresh data about InstallCapital and to raise an alert about how important it is to do something about the involved botnets.

How to make money with PPI

InstallCapital is a well-known service on black hat forums. You can easily find multiple tutorials about how to make money with PPI, all of which mention InstallCapital.

blackhatforums.com

Different reviews are also available on open forums, explaining which product is more profitable.

After visiting a few forums, you can find years of references to the fact that it’s possible to drop malware via InstallCapital without being blocked by the admins. Based on that, we tried to retrieve the actual payloads delivered by software leveraging PPI.

Where is InstallCapital in 2020?

InstallCapital has not evolved much since 2018. It is still possible to find new samples on The Pirate Bay on a daily basis, or on any other website distributing fake cracks and keygens.