Before they built an international underworld empire—before they weaseled their way onto millions of computers, before their online enterprise was bringing in hundreds of millions of dollars a year, before they were fugitives wanted by Interpol—Sam Jain, now 41, and Daniel Sundin, 33, were just a couple of garden-variety Internet hustlers. The two, who met around 2001, started out with a series of relatively modest scams and come-ons. Capitalizing on post-9/11 paranoia, Jain sold anti-anthrax gas masks. Exploiting the anxieties of aspiring non-English-speaking immigrants, he helped run a green card lottery site that tricked applicants into paying for an INS form that the government provides for free. Together, the two men sold gray-market or counterfeit versions of popular software. They marketed all these dodgy ventures with a mix of hyperaggressive tactics, including classic blackhat tricks like “browser hijacking” and “typo-squatting.” But Jain and Sundin weren’t technological wizards; they didn’t break into their marks’ computers or steal their credit card numbers. Instead, they were masters of social engineering who got people to hand over their money willingly. The work was lucrative enough that Jain and Sundin could afford to hire programmers, designers, and emarketers. Still, their approach was unfocused—and exhausting.
Then, in August 2003, Jain and Sundin had a breakthrough thanks to the arrival of the so-called Blaster worm. Blaster quickly compromised hundreds of thousands of machines, making it one of the fastest-spreading pieces of malware ever. The worm also prompted an unprecedented consumer panic: Some 40,000 computer users called Microsoft for support during the first four days of the epidemic. Jain and Sundin had built a small empire dedicated to exploiting people’s fears—of bioterrorism, for instance, or deportation. Here was a threat that menaced almost everyone with a PC, which meant a vast potential audience for their manipulative online ad campaigns. Jain and Sundin—now working through a company they called Innovative Marketing Inc., or IMI—merely had to use the fear of computer viruses to sell antivirus software.
Coincidentally, Sundin had already written some firewall software called Computershield. It wasn’t as effective as mainstream antivirus programs, but it didn’t have to be; the genius would be in the sales pitch. After rebranding it WinAntiVirus, IMI began buying pop-up ads that blared fake alerts about problems on users’ hard drives—for example, “You have 284 severe system threats.” These ads prompted customers to download a free trial or pay $39.95 and up for IMI’s subpar software. Once installed, the trial versions pumped yet more ads into the user’s web browser, pestering people to shell out the full price. It was a deeply ironic scheme: Jain and Sundin planned to exploit consumer fears of viruses in order to spread what was, in effect, another virus—and the victims would pay for the privilege.
[Chart: The number of phony antivirus programs has exploded worldwide. Source: Panda Security]
The plan worked. People were so spooked by the Blaster worm, a coworker would later recall, that Jain boasted he could be selling “a block of ice” and still make money. Soon, IMI was pulling in $1 million a month. Jain and Sundin quickly turned their attention away from their other, lesser scams and concentrated on their new cash cow. IMI had found its killer app.
Over the next few years, imitators sprang up. Soon, computer users were besieged by terrifying alerts from all kinds of purported antivirus software vendors. This genre of software, widely called scareware, has become the Internet’s most virulent scourge. By 2009, an average of 35 million computers were being infected by scareware every month, according to a study by software developer Panda Security. “Scareware is still the most promising way of turning compromised machines into cash,” says Dirk Kollberg, a senior threat researcher at security firm Sophos. And until recently, IMI was the Google of scareware, exploding over just a few years from a small group of housebound hackers into an international juggernaut, a sophisticated enterprise with hundreds of employees and offices on four continents. It had telephone support centers in Ohio, Argentina, and India and marketed its products under more than 1,000 different brands and in at least nine languages. From 2002 to 2008, IMI brought in hundreds of millions of dollars in profit.
IMI employees didn’t know each other’s real names—everyone just went by an online nickname.
Unlike the stories of other young Internet entrepreneurs who built big businesses at the start of the new millennium, the story of Sam Jain and Daniel Sundin hasn’t been told in fawning profiles or books or in movies directed by David Fincher. Yet in a perverse way, IMI could be considered one of the most remarkable startups of the past decade. This duo’s knack for social engineering has been as brilliant as anything Facebook ever rolled out, and IMI’s nimble, iterative approach to software development and marketing produced innovation on an almost weekly basis. The IMI story apparently isn’t one that its two founders are eager to tell, though; in fact, their whereabouts are unknown and both have warrants out for their arrest. But thanks to a series of lawsuits and criminal complaints filed over the past several years, combined with interviews with former company insiders, it’s possible to reconstruct a picture of how scareware gets made—and how it made multimillionaires out of two misanthropic hucksters.