A massive cybercrime operation providing URL shortening services to cybercriminals has been exposed by security researchers. Operating under the pseudonym “Prolific Puma,” this actor has managed to remain undetected for over four years while registering thousands of domains, many of them on the U.S. top-level domain (usTLD), facilitating the distribution of phishing, scams, and malware. The research team at Infoblox, a DNS-focused security vendor, first detected Prolific Puma’s activities six months ago, utilizing a registered domain generation algorithm (RDGA) to create malicious URL shortening services.
While Infoblox was able to track the short links created by Prolific Puma, the final landing pages remained elusive, despite encountering numerous interconnected domains exhibiting suspicious behavior. Some of the short links led directly to malicious destinations, while others involved multiple redirects, making their tracking more challenging. The delivery methods for these links vary, including social media and advertisements, with text messages appearing as the primary channel.
Prolific Puma’s operation is truly extensive, with up to 75,000 unique domain names registered since April 2022, and domains spanning across 13 top-level domains (TLDs). The usTLD, in particular, was heavily utilized, indicating the scale of this cybercrime network. The pseudonymous actor mainly uses NameSilo, a low-cost domain registrar often abused by cybercriminals, and employs tactics to evade detection, such as leaving domains inactive before transferring them to bulletproof hosting providers.
This discovery, facilitated by algorithms that identify suspicious or malicious domains, sheds light on a massive cybercrime operation that offers URL shortening services to malicious actors. The report from Infoblox provides indicators of Prolific Puma’s activity, including information on IP addresses, domains, redirection and landing pages, and email addresses found in domain registration data.