‘Prolific Puma’ Hacker Gives Cybercriminals Access to .us Domains

October 31, 2023 at 02:03PM

A threat actor that Infoblox researchers track as "Prolific Puma" runs a link-shortening service that supplies other cybercriminals with .us domains, making their phishing campaigns harder to detect. Prolific Puma has generated more than 75,000 unique domains in the past 18 months, sidestepping the registration rules of the .us top-level domain and handing criminals short links that fit in SMS messages and resist detection. The actor relies on a "registered" domain generation algorithm (RDGA) to create random-looking but properly registered domains, primarily through the registrar NameSilo. Exploiting this lack of oversight, Prolific Puma registers an average of more than 20 new .us domains per day for use by cybercriminals. Policing this point in the supply chain requires effort from domain registrars as well as cybersecurity advocacy groups.

Meeting Notes:
– Researchers from Infoblox have named the threat actor behind a link-shortening service that supplies cyberattackers and scammers with .us domains "Prolific Puma."
– Prolific Puma has generated as many as 75,000 unique domain names in the past 18 months, often circumventing registration rules to provide criminals with URLs ending in .us.
– Shortened links benefit bad actors in several ways: they fit in SMS messages, hide the final destination from the recipient, and resist detection by security products.
– Prolific Puma's operation relies on a "registered" domain generation algorithm (RDGA), which uses the APIs offered by registrars to create properly registered domains rather than merely generating candidate names.
– Prolific Puma primarily uses the registrar NameSilo, which does not enforce the .us TLD rules that require verification of registrant information.
– Prolific Puma abuses this lack of oversight by registering an average of more than 20 new .us domains per day for cybercriminals.
– Prolific Puma has been observed converting its new and existing domains to private registration, which the .us TLD terms prohibit, without any consequence.
– The fight against cybercrime at this point in the supply chain starts with domain registrars and requires a multi-pronged effort: third-party threat intelligence, anomaly detection over registration activity, and collaboration with cybersecurity advocacy groups.
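As an added illustration of the kind of anomaly detection the last point describes (example code written for this summary, not Infoblox tooling or data): a toy detector over a constructed newly-registered-domain (NRD) feed that flags per-registrar, per-TLD daily registration bursts above a hypothetical threshold, then keeps only short random-looking labels and notes private WHOIS on .us domains. Registrar names, the domain labels, the threshold and the label heuristic are all assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed NRD feed rows: (domain, registrar, registration date, private WHOIS?).
# Hypothetical data and registrar names; not an Infoblox or registry feed.
BURST_LABELS = [
    "x7k2q", "9bzt4", "q3mvp8", "t1rw6", "5hxc0", "vk82m", "7pql3", "z2fn9",
    "hs41d", "e8gy6", "3nwbk", "c5tr7", "m9xqz2", "1jkd8", "p6ws4", "b0lm3",
    "y4rhv7", "g2ck9", "u7dn5", "f3szq", "k8tb2", "w1mg6",
]
BURST_DAY = date(2023, 10, 1)


def make_sample_nrd():
    """Return constructed NRD rows: one registrar shows a one-day burst of short
    alphanumeric .us labels with private WHOIS (the RDGA-style pattern the
    article attributes to Prolific Puma); the rest is ordinary background."""
    rows = [(label + ".us", "RegistrarX", BURST_DAY, True) for label in BURST_LABELS]
    background = ["maple-bakery", "johnsonlaw", "citybikeshop",
                  "greenvalleyfarm", "acmeplumbing", "bob22"]
    for i, name in enumerate(background):
        rows.append((name + ".us", "RegistrarY", BURST_DAY + timedelta(days=i % 3), False))
    rows.append(("quickcloudapp.com", "RegistrarX", BURST_DAY, True))
    return rows


def tld_of(domain):
    return domain.rsplit(".", 1)[-1]


def looks_algorithmic(domain):
    """Toy heuristic (an assumption, not Infoblox's classifier): a short label
    mixing letters and digits with few vowels looks machine-generated."""
    label = domain.split(".")[0]
    if not 4 <= len(label) <= 8:
        return False
    has_digit = any(c.isdigit() for c in label)
    has_alpha = any(c.isalpha() for c in label)
    vowel_ratio = sum(c in "aeiou" for c in label) / len(label)
    return has_digit and has_alpha and vowel_ratio < 0.3


def find_bursts(records, threshold=20):
    """Count registrations per (registrar, TLD, day) and return the groups above
    the threshold. The default of 20/day mirrors the rate quoted in the article
    but is a hypothetical tuning value, not an operational baseline."""
    counts = defaultdict(int)
    for domain, registrar, day, _private in records:
        counts[(registrar, tld_of(domain), day)] += 1
    return {key: n for key, n in counts.items() if n > threshold}


def triage(records, threshold=20):
    """Flag domains that sit inside a burst AND look algorithmic; annotate
    private WHOIS on .us, which the .us terms prohibit. Returns (domain, reasons)."""
    bursts = find_bursts(records, threshold)
    flagged = []
    for domain, registrar, day, private in records:
        tld = tld_of(domain)
        if (registrar, tld, day) in bursts and looks_algorithmic(domain):
            reasons = ["burst", "algorithmic-label"]
            if tld == "us" and private:
                reasons.append("private-whois-on-us")
            flagged.append((domain, reasons))
    return flagged


if __name__ == "__main__":
    rows = make_sample_nrd()
    for key, n in find_bursts(rows).items():
        print("burst:", key, n)
    for domain, reasons in triage(rows):
        print(domain, ",".join(reasons))
```

Note that "bob22.us" trips the label heuristic on its own but is never flagged, because it is not part of a burst; correlating label shape with registration rate per registrar and TLD is what keeps a one-off legitimate short name out of the hit list, while a throttled RDGA that stays under the threshold would still slip past this toy.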