Researchers at Infoblox have discovered a link shortening service called “Prolific Puma” that is being used to facilitate malware and phishing scams [1]. The service operates through newly registered domains in the .us top-level domain, typically three to seven characters long, hosted on bulletproof hosting providers [1].

Description

These short domains host no content of their own; they are used to obscure the real address of landing pages that attempt to phish users or install malware [1]. It is suspected that scams targeting people on their phones via SMS are involved in promoting these phishing and malware landing pages. Infoblox found that domains ending in .info accounted for the majority of new registrations until May 2023, after which .us domains became the most common [1].

The username portion of the email address associated with the service references a song by the Black Pumas [1], and the email address itself is from a Ukrainian provider [1]. Previous malicious domains tied to Prolific Puma were registered through NameCheap to an individual with a Ukrainian surname [1]. Prolific Puma has generated thousands of unique domain names in the past 18 months [2], often bypassing regulations [2].

These shortened links offer advantages to bad actors: they fit into text messages, hide the destination, and evade automated security products [2]. Prolific Puma has also violated the terms of the .us TLD by converting domains to personal use, without consequences [2].

To combat this, domain registrars need to play a role in fighting cybercrime by using third-party threat intelligence and running anomaly detection algorithms [2]. Collaboration with cybersecurity advocacy groups can also help inform policy decisions while ensuring consumer safety [2].
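The registration pattern described above (newly registered .us or .info domains with a very short second-level label, created in bursts) is the kind of signal a registrar-side anomaly check can act on. The following Python script is an added example, not code from Infoblox or from either cited article: it triages a list of registration records and flags the domains that match the pattern and were either registered recently or registered in a burst by the same contact on the same day. The records, the contact addresses, and the thresholds (30 days, three domains per registrant per day) are constructed assumptions, not values from the reporting.

```python
"""Triage newly registered domains for the short-label .us/.info pattern.

Added example (not from the article or from Infoblox). Sample records and
thresholds below are constructed assumptions chosen to illustrate the check.
"""
from collections import Counter
from datetime import date

# Registration records as (domain, registration date, registrant contact).
# Constructed sample data: none of these domains or contacts are real.
SAMPLE_RECORDS = [
    ("ab3.us", "2023-06-01", "contact-a@example.test"),
    ("q7kx.us", "2023-06-01", "contact-a@example.test"),
    ("zt9m.us", "2023-06-01", "contact-a@example.test"),
    ("hjr2p.us", "2023-06-02", "contact-a@example.test"),
    ("mycompany-shop.us", "2023-06-02", "owner@example.test"),
    ("k2p.info", "2023-04-10", "contact-a@example.test"),
    ("abc.com", "2023-06-01", "someone@example.test"),
]

# TLDs the article associates with the campaign (.info earlier, .us later).
WATCHED_TLDS = {"us", "info"}
# Label length the article reports for the shortener domains.
MIN_LABEL, MAX_LABEL = 3, 7
# Assumed thresholds for the two anomaly signals.
RECENT_DAYS = 30          # registered within the last 30 days
BURST_THRESHOLD = 3       # >= 3 matching domains, same contact, same day


def split_domain(domain):
    """Return (second-level label, tld) for a domain name, or (None, None)."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) < 2:
        return None, None
    return parts[-2], parts[-1]


def matches_pattern(domain):
    """True when the domain is a 3-7 character label under a watched TLD."""
    label, tld = split_domain(domain)
    if label is None:
        return False
    return tld in WATCHED_TLDS and MIN_LABEL <= len(label) <= MAX_LABEL


def triage(records, today_iso):
    """Map each flagged domain to the list of reasons it was flagged.

    A domain is flagged only if it matches the label/TLD pattern AND at least
    one anomaly signal fires; a short label alone is too common to act on.
    """
    today = date.fromisoformat(today_iso)

    # Count pattern-matching registrations per (contact, day) to spot bursts.
    bursts = Counter()
    for domain, reg_date, contact in records:
        if matches_pattern(domain):
            bursts[(contact, reg_date)] += 1

    flagged = {}
    for domain, reg_date, contact in records:
        if not matches_pattern(domain):
            continue
        reasons = []
        age_days = (today - date.fromisoformat(reg_date)).days
        if 0 <= age_days <= RECENT_DAYS:
            reasons.append("recent-registration")
        burst_size = bursts[(contact, reg_date)]
        if burst_size >= BURST_THRESHOLD:
            reasons.append(f"burst:{burst_size}")
        if reasons:
            flagged[domain] = reasons
    return flagged


if __name__ == "__main__":
    for domain, reasons in sorted(triage(SAMPLE_RECORDS, "2023-06-15").items()):
        print(f"{domain:20s} {', '.join(reasons)}")
```

In the constructed sample the three domains registered by the same contact on 2023-06-01 are flagged for both signals, the lone 2023-06-02 registration is flagged only as recent, the long-label and .com domains are ignored, and the older .info registration matches the pattern but trips neither signal, so it is not flagged. In a real registrar pipeline the same function would run over the day's registration feed and its output would be joined with third-party threat intelligence before any action is taken.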

Conclusion

The use of the Prolific Puma link shortening service to facilitate malware and phishing scams poses significant risks to users. The service’s ability to generate thousands of unique domain names and bypass regulations highlights the need for stronger measures to combat cybercrime.

Domain registrars should take an active role in fighting cybercrime by utilizing third-party threat intelligence and implementing anomaly detection algorithms [2]. Collaboration with cybersecurity advocacy groups can provide valuable insights for policy decisions and enhance consumer safety.

Addressing these challenges will require ongoing efforts to stay ahead of evolving cyber threats and ensure the security of online users.

References

[1] https://vulners.com/krebs/KREBS:97961BF7FF2F646B12929816FAE28545
[2] https://www.darkreading.com/threat-intelligence/prolific-puma-hacker-gives-cybercriminals-access-to-us-domains