Infoblox Discovers Shadowy Link Shortening Service Fuelling Cybercrime
Infoblox has recently published a whitepaper reporting a large underground link shortening service, which has been dubbed Prolific Puma. An enigmatic player in the underground world of cybercrime, Prolific Puma has emerged as a central figure in aiding and abetting malicious actors in their endeavors to evade detection. Specializing in the distribution of phishing schemes, scams, and malware, their activities are primarily channeled through text messages, targeting both consumers and potentially enterprises.
This revelation marks a significant milestone in the realm of cybersecurity, as it represents the first comprehensive account of a DNS threat actor operating a large-scale link shortening service, integral to the US$8 trillion annual cybercriminal economy.
This discovery did not originate from the usual malware or phishing sites but emerged through the meticulous analysis of DNS data. Prolific Puma’s impact extends beyond their immediate actions, as blocking them at the DNS layer has the potential to safeguard users from the full spectrum of malicious content they propagate. By disrupting their operations, we can effectively disrupt the cybercriminal supply chain and a larger segment of the criminal economy.
Operating since at least 2020, Prolific Puma uses RDGAs (Registered Domain Generation Algorithms) to generate domain names, which are then registered and used as link shorteners. To keep their activities obscured and undetected, these domains are hosted with anonymous service providers.
Furthermore, Prolific Puma has drawn attention for its rampant abuse of the usTLD, a top-level domain originally reserved for U.S. citizens and organizations that has since become plagued by cybercrime. They have also managed to circumvent the usTLD's transparency requirements, converting nearly 2,000 domains to private registrations since October 4th.
As this underground service provider's operations continue to evolve, the revelations surrounding Prolific Puma demonstrate how the DNS can be abused to support criminal activity and remain undetected for years. Organizations can thwart such activities by blocking access to suspicious domains, provided they have adequate DNS detection and response systems in place.
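To make the DNS-layer defense described above concrete, here is an added example (not code from Infoblox or the whitepaper) that scans constructed DNS query log lines for short, algorithmic-looking domains under a watched TLD, the rough shape an RDGA-generated shortener domain takes, and emits BIND-style RPZ records that would block them. The log format, the watched-TLD list, the allowlist and the scoring thresholds are all assumptions chosen for this toy data; a production detector would use registration age, passive DNS and reputation data rather than string heuristics alone.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of DNS query log lines (format assumed: timestamp client qname qtype).
# The .us names here are made up for illustration and are not indicators from the report.
SAMPLE_LOG = """\
2023-10-20T10:01:02 10.0.0.5 mail.example.com A
2023-10-20T10:01:05 10.0.0.7 x7k2q9.us A
2023-10-20T10:01:09 10.0.0.7 www.example.org A
2023-10-20T10:01:11 10.0.0.9 p3zt8w.us A
2023-10-20T10:01:15 10.0.0.9 q2mn7r.us A
2023-10-20T10:01:20 10.0.0.5 cdn.example.net A
2023-10-20T10:01:22 10.0.0.7 rz91ka.us A
2023-10-20T10:01:30 10.0.0.5 login.example.com A
"""

WATCHED_TLDS = {"us"}                                         # assumption: TLDs under scrutiny
ALLOWLIST = {"example.com", "example.org", "example.net"}     # constructed known-good domains


def registrable_domain(qname):
    """Collapse a query name to its last two labels (good enough for this toy; real code
    should use the Public Suffix List)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname.lower()


def shannon_entropy(s):
    """Bits of entropy per character of the string."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_algorithmic(sld):
    """Heuristic for RDGA-style shortener labels: short, mixes letters and digits,
    and has near-maximal character entropy for its length (thresholds are assumptions)."""
    if not 4 <= len(sld) <= 8:
        return False
    has_digit = any(ch.isdigit() for ch in sld)
    has_alpha = any(ch.isalpha() for ch in sld)
    if not (has_digit and has_alpha):
        return False
    return shannon_entropy(sld) >= math.log2(len(sld)) - 0.5


def parse_log(text):
    """Parse whitespace-separated log lines; skip malformed ones instead of crashing."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            records.append(tuple(parts))
    return records


def find_suspects(log_text):
    """Return {registrable_domain: set(client_ips)} for queries that look like
    RDGA-generated shortener domains under a watched TLD."""
    suspects = defaultdict(set)
    for _ts, client, qname, _qtype in parse_log(log_text):
        dom = registrable_domain(qname)
        if dom in ALLOWLIST:
            continue
        sld, _, tld = dom.rpartition(".")
        if tld in WATCHED_TLDS and looks_algorithmic(sld):
            suspects[dom].add(client)
    return dict(suspects)


def rpz_records(suspects):
    """Emit RPZ zone-file records (relative to the zone apex) that return NXDOMAIN
    for each suspect domain and all of its subdomains."""
    lines = []
    for dom in sorted(suspects):
        lines.append(f"{dom} IN CNAME .")
        lines.append(f"*.{dom} IN CNAME .")
    return lines


if __name__ == "__main__":
    hits = find_suspects(SAMPLE_LOG)
    for dom, clients in sorted(hits.items()):
        print(f"{dom}: queried by {', '.join(sorted(clients))}")
    print("\n".join(rpz_records(hits)))
```

The client set attached to each suspect domain is what turns a block into a response action: the hosts that resolved these names are the ones that received the text message or clicked the link, so they are where triage starts after the RPZ entry is deployed.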