- Security researchers at Infoblox have uncovered Prolific Puma’s malicious URL-shortening operations for other cybercriminals.
- The threat actor has been stealthily operating for more than four years, serving cybercriminals engaged in phishing and malware delivery.
- Prolific Puma is a significant part of the cybercriminal supply chain.
A week after discovering the persistent DNS threat actor Open Tangle, security researchers at Infoblox have uncovered an old but unknown threat actor more than four years after it commenced malicious operations. Called Prolific Puma, the actor has been stealthily providing URL-shortening services for malware and phishing scams conducted by other cybercriminals.
Prolific Puma is a domain name system (DNS) threat actor that facilitates numerous downstream malicious operations, making it a significant part of the $8 trillion cybercrime economy, said Infoblox, a networking-focused cybersecurity company.
Infoblox noted, “Prolific Puma is remarkable because they have been able to facilitate malicious activities for over 18 months and have gone unnoticed by the security industry. With a massive collection of domain names, they are able to distribute malicious traffic and evade detection.”
Most unique domain names registered were from the United States. Krebs on Security recently pointed out that U.S. domains consistently featured among the most used in phishing attacks over the past year.
“This is remarkable because, according to the usTLD Nexus Requirements Policy, only U.S. citizens, or U.S.-affiliated businesses are eligible to register domains in it,” Infoblox wrote. “Moreover, the usTLD requires transparency; no domain names may be registered privately. As a result, the email address, name, street address, and phone number associated with the domain are publicly available. While this might seem a likely deterrent to crime, it has not been effective; the usTLD is well-known for abuse.”
Prolific Puma uses the registrar NameSilo to register .us domains with fake, unverified details and pays for them in Bitcoin.
Even though Prolific Puma has been active for over four years, Infoblox first noticed its activity only six months ago using a registered domain generation algorithm (RDGA) detector. The company has since been tracking Prolific Puma, a name the company bestowed on the actor because of its rapid expansion and its consistent use of an email address referencing the song October 33 by the band Black Pumas.
[Figure: Role of Prolific Puma in the phishing supply chain. Source: Infoblox]
Prolific Puma generates shortened URLs that are pseudo-random alphanumeric strings three to seven characters long. Because the threat actor uses an RDGA, the domains behind those URLs are actually registered. This lets cybercriminals evade detection and phish more successfully, and it eliminates the chance of errors in command-and-control (C2) operations, which is a major drawback of domain generation algorithms (DGAs).
A phishing attack uses a shortened URL from Prolific Puma, which obfuscates the actual destination. Targets are directed to malicious landing pages where they may be tricked into divulging sensitive information. The landing page can also serve as a delivery point for malware.
[Figure: A phishing attack using a shortened Prolific Puma URL. Source: Infoblox]
Since April 2022, Prolific Puma has registered between 35,000 and 75,000 unique domain names, peaking at 800 domains created in one day. The table below shows some examples of domains registered by Prolific Puma on different TLDs containing three to four-character-long domain labels.
| TLD | Domains |
|---|---|
| us | vf8[.]us, 2ug[.]us, z3w[.]us, yw9[.]us, 8tm[.]us |
| link | cewm[.]link, wrzt[.]link, hhqm[.]link, ezqz[.]link, zyke[.]link |
| info | uelr[.]info, ldka[.]info, fbvn[.]info, baew[.]info, shpw[.]info |
| com | kfwpr[.]com, trqrh[.]com, nhcux[.]com, khrig[.]com, dvcgg[.]com |
| cc | jlza[.]cc, hpko[.]cc, ddkn[.]cc, mpsi[.]cc, wkby[.]cc |
| me | scob[.]me, xnxk[.]me, zoru[.]me, mjzo[.]me, ouzp[.]me |
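The traits described above (a short alphanumeric label on one of the listed TLDs, followed by a three to seven-character short code) can be turned into a proxy-log triage heuristic. This is an added example, not Infoblox's RDGA detector or code from the article; the log format, `ALLOWLIST`, function names and sample lines are assumptions, and matches are leads to review because many legitimate sites use short domains.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Traits from the article: TLDs in its example table, 3-5 character
# alphanumeric domain labels, and a 3-7 character alphanumeric URL path.
WATCH_TLDS = {"us", "link", "info", "com", "cc", "me"}
LABEL_RE = re.compile(r"[a-z0-9]{3,5}")
CODE_RE = re.compile(r"/[A-Za-z0-9]{3,7}/?")
ALLOWLIST = {"ibm.com"}  # hypothetical: short domains the organization trusts

def refang(url):
    """Undo common defanging (hxxp, [.]) so the URL parses normally."""
    return url.replace("[.]", ".").replace("hxxp", "http", 1)

def matches_pattern(url):
    """True for <short label>.<watched TLD>/<short code> outside the allowlist."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    if len(labels) != 2 or host in ALLOWLIST or labels[1] not in WATCH_TLDS:
        return False
    return bool(LABEL_RE.fullmatch(labels[0]) and CODE_RE.fullmatch(parts.path))

def triage(log_lines):
    """Map each client to the distinct matching domains it requested."""
    hits = defaultdict(set)
    for line in log_lines:
        fields = line.split()
        if len(fields) != 3:  # skip malformed lines
            continue
        _ts, client, url = fields
        if matches_pattern(url):
            hits[client].add(urlsplit(refang(url)).hostname.lower())
    return dict(hits)

# Constructed proxy log, "<timestamp> <client> <url>". The defanged domains
# come from the article's table; timestamps, clients and paths are made up.
SAMPLE_LOG = [
    "2023-11-01T09:00:01Z 10.0.0.5 hxxps://vf8[.]us/aB3x",
    "2023-11-01T09:00:07Z 10.0.0.5 hxxp://cewm[.]link/Zk92Qp",
    "2023-11-01T09:01:12Z 10.0.0.9 https://www.example.com/docs/index.html",
    "2023-11-01T09:02:30Z 10.0.0.9 https://ibm.com/cloud",
    "2023-11-01T09:03:44Z 10.0.0.7 hxxps://kfwpr[.]com/account/settings",
    "malformed line",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A client that reaches several distinct matching domains in a short window is a stronger lead than a single hit, which is why `triage` groups by client.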
James McQuiggan, security awareness advocate at KnowBe4, told Spiceworks, “Organizations want to ensure they invest in advanced DNS monitoring and anti-phishing tools, and to protect the users, provide frequent cybersecurity awareness training to recognize and combat these threats. Users can use link preview tools or URL un-shortening services to reveal the destination URL before clicking. They should also hover over the link to see where it leads and check the URL for misspellings or other anomalies.”