Massive cybercrime URL shortening service uncovered via DNS data


Prolific Puma cybercrime URL shortening service uses thousands of domains

An actor that security researchers call Prolific Puma has been providing link shortening services to cybercriminals for at least four years while keeping a sufficiently low profile to operate undetected.

In less than a month, Prolific Puma has registered thousands of domains, many on the U.S. top-level domain (usTLD), to help with the delivery of phishing, scams, and malware.

Short URL service for cybercriminals

Researchers from Infoblox, a DNS-focused security vendor that looks at 70 billion DNS queries daily, first observed Prolific Puma activity six months ago, after detecting a registered domain generation algorithm (RDGA) used to create the domain names for the malicious URL shortening service.

Using specialized DNS detectors, they were able to track the malicious network as it evolved and abused the usTLD to facilitate crime on the internet.

Because of the nature of link shortening services, Infoblox could track the short links but not the final landing page, despite detecting a large number of interconnected domains exhibiting suspicious behavior.

“We eventually captured several instances of shortened links redirecting to final landing pages that were phishing and scam sites” - Infoblox

Some of the short links from Prolific Puma led directly to the final destination, but others pointed to multiple redirects, even other shortened links, before reaching the landing page.

Infoblox says that there were also cases where accessing the short link took the user to a CAPTCHA challenge, likely to protect against automated scans.

Because of this inconsistency in what Prolific Puma’s short links loaded next, the researchers believe that multiple actors are using the service.

The delivery method for these links also varies and includes social media and advertisements, but evidence points to text messages as the main channel.

Massive operation

The size of the Prolific Puma operation as uncovered by Infoblox is impressive. The actor has registered up to 75,000 unique domain names since April 2022.

Looking at the unique domains in the actor’s network, the researchers saw at the beginning of the year a peak of close to 800 domains of up to four characters created in a single day.

Prolific Puma domains are spread across 13 TLDs. Since May this year, though, the actor has used the usTLD for more than half of the total domains created, the daily average being 43.

Since mid-October, the researchers have noticed close to 2,000 domains in the usTLD indicating Prolific Puma activity that are behind private registration protection.

Registrar                              Domain Count (Sept 1 – Oct 15, 2023)
NameSilo – Prolific Puma               1062
NameSilo – possibly not Prolific Puma  411
PorkBun                                5
NameCheap                              4
Sav.com                                1
Privately registered domains in the usTLD

It is worth mentioning that private registration is not permitted in the .US namespace under the current policy, and the registrant is required to provide accurate and true information.

Furthermore, registrars have an obligation not to offer private domain registrations to .US domain name registrants.

Typically, Prolific Puma domains are alphanumeric, pseudo-random, and vary in length, three- or four-character ones being the most common. However, the researchers observed domains as long as seven characters.

TLD     Domains
us      vf8[.]us, 2ug[.]us, z3w[.]us, yw9[.]us, 8tm[.]us
link    cewm[.]link, wrzt[.]link, hhqm[.]link, ezqz[.]link, zyke[.]link
info    uelr[.]info, ldka[.]info, fbvn[.]info, baew[.]info, shpw[.]info
com     kfwpr[.]com, trqrh[.]com, nhcux[.]com, khrig[.]com, dvcgg[.]com
cc      jlza[.]cc, hpko[.]cc, ddkn[.]cc, mpsi[.]cc, wkby[.]cc
me      scob[.]me, xnxk[.]me, zoru[.]me, mjzo[.]me, ouzp[.]me
Examples of three- to four-character domains registered by Prolific Puma on different TLDs

In the past three years, the actor has relied mainly on NameSilo, a cheap domain registrar that is often abused by cybercriminals and that offers an API for bulk registration.

To avoid scrutiny and detection, Prolific Puma ages its domains by leaving them inactive or parked for several weeks. During this period, the actor makes a few DNS queries to gain reputation.

When ready for use, the actor transfers the domains to a bulletproof hosting provider, paying in Bitcoin cryptocurrency for a virtual private server with a dedicated IP address.

Infoblox found that some of these domains are abandoned after a period, but the DNS record still points to the dedicated IP.

The researchers believe that Prolific Puma only provides the short link service and does not control the landing pages, but they do not exclude the possibility that the same actor runs the entire operation.

The report includes an example of how Prolific Puma's service is used in a campaign with a phishing page asking for credentials and a payment, to eventually deliver a malicious browser plugin.

According to Infoblox, the actor does not advertise its shortening service on underground markets, but it is the largest and most dynamic one. Using tens of thousands of domain names registered across multiple registrars enables them to fly under the radar.

“While security providers may identify and block the final content, without a broader view it is difficult to see the full scope of the activity and associate the domains together under a single DNS threat actor” - Infoblox

Infoblox was able to uncover the massive operation through algorithms that flag suspicious or malicious domains. Through passive DNS query logs, newly queried, registered, or configured domains are assessed and flagged as suspicious or malicious if they meet the criteria for associating them with a DNS threat actor.

Uncovering Prolific Puma started with automated analytics, which revealed a few related domains. When the company deployed algorithms for RDGA detection earlier this year, the domains used were identified in groups. Another algorithm correlated the domain clusters and attributed them to a single DNS threat actor.

The report from Infoblox provides a set of indicators for Prolific Puma activity that includes link shortener hosting IP addresses and domains, redirection and landing pages, and an email address found in domain registration data.
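The traits the article describes (short pseudo-random alphanumeric labels on a handful of TLDs, bulk registration at one registrar on a single day, an aging period before the A record moves to a dedicated hosting IP, and privately registered usTLD domains that the .US policy forbids) can be turned into simple triage rules over registration and passive-DNS records. The following Python is an added example written for this page, not Infoblox's detection code; the `DomainRecord` shape, the thresholds, the sample records and the TEST-NET IP addresses are all constructed assumptions, and the domain names reused from the article's table are only illustrative inputs.

```python
"""Heuristic triage of domain records for RDGA-style short-link clusters.

Added example (not Infoblox's code). Record layout, thresholds and sample data
are assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional
import re

# Shape traits from the article: 3-7 character alphanumeric labels on these TLDs.
LABEL_RE = re.compile(r"^[a-z0-9]{3,7}$")
WATCHED_TLDS = {"us", "link", "info", "com", "cc", "me"}


@dataclass(frozen=True)
class DomainRecord:          # assumed record layout, e.g. joined WHOIS + passive DNS
    domain: str              # may be defanged, e.g. "vf8[.]us"
    registrar: str
    registered: date
    private_registration: bool
    resolved_ip: Optional[str]    # current A record, None while parked/unresolved
    first_active: Optional[date]  # first day the A record pointed at resolved_ip


def normalise(domain: str) -> str:
    """Turn a defanged indicator ('vf8[.]us') into a plain lowercase domain."""
    return domain.replace("[.]", ".").strip().lower()


def is_candidate(domain: str) -> bool:
    """Shape check only: short alphanumeric label under a watched TLD.
    Shape alone is weak evidence; the behavioural signals below carry the weight."""
    d = normalise(domain)
    if d.count(".") != 1:
        return False
    label, tld = d.split(".")
    return tld in WATCHED_TLDS and bool(LABEL_RE.match(label))


def bulk_registration_clusters(records, min_size=3):
    """Group candidates by (registrar, registration day); groups of min_size or
    more reproduce the 'hundreds of domains in a single day' pattern."""
    groups = defaultdict(list)
    for r in records:
        if is_candidate(r.domain):
            groups[(r.registrar, r.registered)].append(normalise(r.domain))
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_size}


def aging_days(r: DomainRecord) -> Optional[int]:
    """Days between registration and the A record first pointing at hosting."""
    if r.first_active is None:
        return None
    return (r.first_active - r.registered).days


def shared_hosting_ips(records, min_size=2):
    """Candidates that resolve to the same dedicated IP, including abandoned
    domains whose stale A record still points there."""
    by_ip = defaultdict(list)
    for r in records:
        if r.resolved_ip and is_candidate(r.domain):
            by_ip[r.resolved_ip].append(normalise(r.domain))
    return {ip: sorted(v) for ip, v in by_ip.items() if len(v) >= min_size}


def ustld_private_registrations(records):
    """Private registration is not permitted under the .US policy cited in the
    article, so a privately registered usTLD domain is a red flag on its own."""
    return sorted(normalise(r.domain) for r in records
                  if normalise(r.domain).endswith(".us") and r.private_registration)


def triage(records, min_cluster=3, min_aging_days=14):
    """Combine the signals into one report; thresholds are assumed, not from the article."""
    clusters = bulk_registration_clusters(records, min_cluster)
    clustered = {d for ds in clusters.values() for d in ds}
    aged = sorted(normalise(r.domain) for r in records
                  if normalise(r.domain) in clustered
                  and (aging_days(r) or 0) >= min_aging_days)
    return {"bulk_clusters": clusters, "aged_before_use": aged,
            "shared_ips": shared_hosting_ips(records),
            "ustld_private": ustld_private_registrations(records)}


# Constructed sample data: TEST-NET addresses (RFC 5737), not real infrastructure.
SAMPLE_RECORDS = [
    DomainRecord("vf8[.]us", "NameSilo", date(2023, 9, 5), True, "203.0.113.10", date(2023, 9, 26)),
    DomainRecord("2ug[.]us", "NameSilo", date(2023, 9, 5), True, "203.0.113.10", date(2023, 9, 27)),
    DomainRecord("z3w[.]us", "NameSilo", date(2023, 9, 5), False, None, None),
    DomainRecord("cewm[.]link", "NameSilo", date(2023, 9, 5), False, "203.0.113.10", date(2023, 9, 26)),
    DomainRecord("kfwpr[.]com", "NameSilo", date(2023, 9, 12), False, "203.0.113.11", date(2023, 9, 13)),
    DomainRecord("acmewidgets[.]com", "OtherRegistrar", date(2023, 9, 5), False, "198.51.100.5", date(2023, 9, 5)),
    DomainRecord("my-shop[.]us", "OtherRegistrar", date(2023, 9, 5), False, "198.51.100.6", date(2023, 9, 6)),
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
```

On the sample records the bulk-registration rule isolates the four NameSilo domains created on the same day, three of which also sat idle for roughly three weeks before resolving to one shared IP, while the single `kfwpr[.]com` registration and the two ordinary-looking domains fall through every rule. In a real deployment the shape check would be fed from newly-registered-domain feeds and the behavioural rules from passive DNS, as the article describes Infoblox doing at scale.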