“Prolific Puma” Created 75k Unique Domain Names Since April 2022 Used for Scams

1 year ago 66
YOUR AD HERE

SANTA CLARA, CA – Researchers from security vendor Infoblox have uncovered an actor known as “Prolific Puma” that has been revealed as having provided link shortening services for countless cyber criminals for a span of time of at least four years or longer, an act that has likely been responsible for an immense number of scams targeting innocent people. 

As an example of how Prolific Puma lives up to the “prolific” part of their name, the actor reportedly registers thousands of domains on the U.S. top-level domain (usTLD) every month – having created 75,000 unique domain names since April 2022 – which cybercriminals then utilize to assist with spreading phishing, cyber-scams, and malware. 

Shortened links, such as those from bit.ly, make it easy to type in a web address quickly but difficult to determine where the web browser will actually take you. Criminals often utilize shortened URLs to direct victims to phishing sites or initiate a download of malicious software onto their device. 

Infoblox notes that they first came across Prolific Puma approximately 6 months ago, having been alerted to their activity after detecting a registered domain generation algorithm (RDGA) that they said was utilized to create domain names for their link shortening service. From there, Infoblox were able to track down Prolific Puma’s network utilizing DNS detectors, observing it grow and evolve as it assisted more and more individuals and organizations to commit internet-based crimes. 

What is a DGA and/or RDGA?

DGAs are algorithms that typically reside within the malware distributed by threat actors. These algorithms are programmed to generate any number of pseudorandom domain names, and the malware cycles through them to find one that enables it to communicate with the attacker’s C2. This allows for the attacker to evade detection and blocking mechanisms by offering alternative domains that can quickly replace any that may be deemed malicious or blocklisted. Before the invention of DGAs, IP addresses or domain names were hardcoded into the malware and were quickly thwarted once the malware was discovered..

Source: https://blogs.infoblox.com/cyber-threat-intelligence/rdgas-the-new-face-of-dgas/

While some of the links created by Prolific Puma lead directly to a specific page, many instead weave a complex series of redirects – some of which utilize shortened links themselves – before finally landing on their shady final destination. 

Meet "Prolific Puma," the secretive threat actor behind a dangerous link shortening service with thousands of malicious domains used for phishing and #malware distribution.

Learn how this operation evades detection: https://t.co/qWRxtUEfy9#cybersecurity #hacking

— The Hacker News (@TheHackersNews) November 1, 2023

“We eventually captured several instances of shortened links redirecting to final landing pages that were phishing and scam sites,” Infoblox said, stating that it is believed that multiple actors were using Prolific Puma’s service due to the inconsistency in what the shortened links would lead to. 

Shenanigans like this, a new (kinda novel) twist on the age-old DGA problem, make an increasingly strong case for domain allowlisting.

There are ways to do this balancing user needs with security concerns, and the friction is worth it for high-risk orgs.https://t.co/Wq7QnPAcND

— Keith (@kwm) November 1, 2023

The shortened links were delivered via a variety of methods, spanning e-mail, social media, advertisements, and even text messages. In order to keep a low profile and avoid detection, Prolific Puma would often allow their newly created domains to sit dormant for several weeks while making several DNS queries to grow their reputation.

The post “Prolific Puma” Created 75k Unique Domain Names Since April 2022 Used for Scams first appeared on Strategic Revenue - Domain and Internet News.
Read Entire Article