Cybersecurity researchers from Infoblox have discovered a major link shortening operation that helped cybercriminals evade detection and deliver phishing and malware sites to their targets.
They called the operation Prolific Puma and believe it is likely that multiple threat actors were involved in the work and expansion of the operation.
According to the report, Prolific Puma uses a registered domain generation algorithm (RDGA) to create domain names in bulk. They would then use those domains to offer a link shortening service to other malicious actors.
Years in business
These malicious actors would then create their own phishing and malware pages and use the service to prevent scanners from detecting them as such.
“If we disrupt Prolific Puma, we will disrupt a larger part of the criminal economy,” the researchers said in the report. “Prolific Puma algorithmically generates large amounts of domains, and then they use these domains to generate shortened links for other malicious actors, allowing them to hide their true activity.”
The operation has been active for at least four years, Infoblox further explained, speculating that it might have lasted even longer. Notably, it was not uncovered because researchers stumbled onto a malicious landing page; that is not how it was found.
Instead, it was found through DNS analytics. Six months ago, researchers who analyze 70 billion DNS queries per day discovered an RDGA that creates domain names for malicious URL shortening services.
In less than a month, Prolific Puma managed to register thousands of domains, many of them on the US Top Level Domain (usTLD), the researchers found. Since April last year, approximately 75,000 unique domain names have been registered. In early 2023, Prolific Puma registered almost 800 domains in one day.
Most of the domain names are at most four characters long, although some run to as many as seven characters.
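The detection angle the article describes (DNS analytics rather than a landing page) can be illustrated with a small heuristic. The following is an added example, not code from Infoblox or from the report: it reads constructed passive-DNS lines, picks out newly seen registrable domains whose second-level label is short (the article's four-to-seven-character pattern) and random-looking, and raises an alert when several such domains appear for the first time within one hour. The sample log, the `.test` domains, the `looks_algorithmic` heuristic and the window and threshold values are all assumptions chosen for the example.

```python
"""Burst detection for short, algorithmically generated domains in passive DNS.

Added example (not from the Infoblox report). Heuristics and thresholds are
assumptions; tune them against your own DNS telemetry.
"""
from datetime import datetime, timedelta

# Constructed passive-DNS sample: "<ISO timestamp> <qname>", one query per line.
# Names use the reserved .test TLD so nothing here resolves on the real Internet.
SAMPLE_LOG = """\
2023-04-02T10:00:01 www.intranet-portal.test
2023-04-02T10:00:05 k7qz.test
2023-04-02T10:00:09 mail.intranet-portal.test
2023-04-02T10:00:14 x3pm.test
2023-04-02T10:00:20 cdn.newsletter-site.test
2023-04-02T10:00:31 9hwt.test
2023-04-02T10:00:40 aq2v.test
2023-04-02T10:00:52 blog.newsletter-site.test
2023-04-02T10:01:03 p1cn.test
2023-04-02T10:01:15 ztr8e.test
2023-04-02T10:01:29 help.test
2023-04-02T14:30:00 longerwordy.test
"""

MAX_LABEL_LEN = 7              # article: most labels <= 4 chars, some up to 7
BURST_WINDOW = timedelta(hours=1)
BURST_THRESHOLD = 5            # assumed tuning value: new short domains per window


def parse_log(text):
    """Parse constructed log lines into (timestamp, lowercase qname) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, qname = line.split()
        records.append((datetime.fromisoformat(ts), qname.rstrip(".").lower()))
    return records


def registered_domain(qname):
    """Assumption: two-label registrable domains (no public-suffix list handling)."""
    labels = qname.split(".")
    return ".".join(labels[-2:])


def looks_algorithmic(label):
    """Crude proxy for RDGA output: a short label that contains a digit or has
    no vowels at all. Ordinary dictionary words fail the vowel test."""
    if len(label) > MAX_LABEL_LEN:
        return False
    has_digit = any(c.isdigit() for c in label)
    no_vowel = not any(c in "aeiou" for c in label)
    return has_digit or no_vowel


def first_seen(records):
    """Map each registrable domain to the timestamp of its first query."""
    seen = {}
    for ts, qname in records:
        dom = registered_domain(qname)
        seen.setdefault(dom, ts)
    return seen


def detect_bursts(records):
    """Return [(window_start, [domains])] for every window in which at least
    BURST_THRESHOLD algorithmic-looking domains were first seen."""
    seen = first_seen(records)
    candidates = sorted(
        (ts, dom) for dom, ts in seen.items()
        if looks_algorithmic(dom.split(".")[0])
    )
    bursts = []
    i = 0
    while i < len(candidates):
        start_ts = candidates[i][0]
        group = [dom for ts, dom in candidates[i:] if ts < start_ts + BURST_WINDOW]
        if len(group) >= BURST_THRESHOLD:
            bursts.append((start_ts, group))
            i += len(group)        # skip past the domains already grouped
        else:
            i += 1
    return bursts


if __name__ == "__main__":
    for start, domains in detect_bursts(parse_log(SAMPLE_LOG)):
        print(f"{start.isoformat()}: {len(domains)} new short domains: {', '.join(domains)}")
```

On the constructed sample this reports one burst of six domains starting at 10:00:05, while `help.test` (a vowel-bearing word) and the longer hostnames are ignored. In practice the first-seen logic would be backed by a persistent store rather than a single log excerpt, and the label heuristic would be replaced or supplemented by a registrar, nameserver or TLD pivot of the kind the researchers used to cluster the operation.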
How victims end up on these pages is anyone’s guess, though researchers speculate that these are the usual vectors: social media ads, text messages, and the like.