“Prolific Puma” Created 75k Unique Domain Names Since April 2022 Used for Scams

SANTA CLARA, CA – Researchers from security vendor Infoblox have uncovered an actor known as “Prolific Puma” that has been revealed as having provided link shortening services for countless cyber criminals for a span of time of at least four years or longer, an act that has likely been responsible for an immense number of scams targeting innocent people. 

As an example of how Prolific Puma lives up to the “prolific” part of their name, the actor reportedly registers thousands of domains on the U.S. top-level domain (usTLD) every month – having created 75,000 unique domain names since April 2022 – which cybercriminals then utilize to assist with spreading phishing, cyber-scams, and malware. 

Shortened links, such as those from bit.ly, make it easy to type in a web address quickly but difficult to determine where the web browser will actually take you. Criminals often utilize shortened URLs to direct victims to phishing sites or initiate a download of malicious software onto their device. 

Infoblox notes that they first came across Prolific Puma approximately 6 months ago, having been alerted to their activity after detecting a registered domain generation algorithm (RDGA) that they said was utilized to create domain names for their link shortening service. From there, Infoblox were able to track down Prolific Puma’s network utilizing DNS detectors, observing it grow and evolve as it assisted more and more individuals and organizations to commit internet-based crimes. 

What is a DGA and/or RDGA?

DGAs are algorithms that typically reside within the malware distributed by threat actors. These algorithms are programmed to generate any number of pseudorandom domain names, and the malware cycles through them to find one that enables it to communicate with the attacker’s C2. This allows for the attacker to evade detection and blocking mechanisms by offering alternative domains that can quickly replace any that may be deemed malicious or blocklisted. Before the invention of DGAs, IP addresses or domain names were hardcoded into the malware and were quickly thwarted once the malware was discovered..

While some of the links created by Prolific Puma lead directly to a specific page, many instead weave a complex series of redirects – some of which utilize shortened links themselves – before finally landing on their shady final destination. 

“We eventually captured several instances of shortened links redirecting to final landing pages that were phishing and scam sites,” Infoblox said, stating that it is believed that multiple actors were using Prolific Puma’s service due to the inconsistency in what the shortened links would lead to. 

The shortened links were delivered via a variety of methods, spanning e-mail, social media, advertisements, and even text messages. In order to keep a low profile and avoid detection, Prolific Puma would often allow their newly created domains to sit dormant for several weeks while making several DNS queries to grow their reputation.