Massive cybercrime URL shortening service uncovered via DNS data

October 31, 2023 at 11:29AM

Prolific Puma, an actor known by researchers for providing link shortening services, has been assisting cybercriminals for over four years without attracting attention. The actor has registered thousands of domains, particularly on the US top-level domain, to facilitate phishing, scams, and malware distribution. Prolific Puma’s service involves short links that may lead to multiple redirects or CAPTCHA challenges, indicating the involvement of multiple actors. The actor has registered an impressive number of unique domains, with the majority using the US top-level domain. The report also highlights the actor’s use of private domain registrations, which is not permitted in the .US namespace. Prolific Puma is believed to age domains to avoid detection and primarily uses NameSilo for hosting. While the actor’s shortening service is not advertised on underground markets, it remains the largest and most dynamic. Infoblox was able to uncover Prolific Puma’s operation through algorithms that identify suspicious or malicious domains. The report includes indicators for tracking Prolific Puma’s activity.

Prolific Puma is a threat actor that has been providing link shortening services to cybercriminals for at least four years. Prolific Puma has registered thousands of domains, including on the US top-level domain, to facilitate phishing, scams, and malware delivery. Infoblox, a DNS-focused security vendor, has been monitoring and tracking Prolific Puma’s activities for the past six months.

Infoblox has observed that the short links created by Prolific Puma lead to various destinations, including phishing and scam sites. Some links redirect multiple times before reaching the final landing page, and in some cases, users are prompted with CAPTCHA challenges. This inconsistency in link behavior suggests that multiple actors may be using Prolific Puma’s services. Text messages are believed to be the primary channel for delivering these links, although social media and advertisements are also used.

Infoblox has uncovered a massive operation conducted by Prolific Puma, with the actor registering up to 75,000 unique domain names since April 2022. The majority of these domains are registered on the US top-level domain. The actor has used various domain registrars, including NameSilo, Porkbun, Namecheap, and Sav.com. It is worth noting that private domain registrations are not permitted in the .US namespace, and registrars have an obligation to provide accurate and true information.

Prolific Puma’s domains are typically alphanumeric and vary in length, with three- or four-character domains being the most common. The actor has predominantly used NameSilo, a registrar known for being used by cybercriminals. Prolific Puma ages its domains to avoid detection, leaving them inactive or parked for several weeks before making them active. The actor then transfers the domains to bulletproof hosting providers, paying with Bitcoin for a virtual private server with a dedicated IP address.

It is believed that Prolific Puma only provides the short link service and does not control the landing pages, although it is not ruled out that the same actor runs the entire operation. The actor’s service is not advertised on underground markets but is considered the largest and most dynamic.

Infoblox was able to uncover Prolific Puma’s operation through algorithms that flag suspicious or malicious domains. By analyzing passive DNS query logs and using algorithms for domain discovery and correlation, the researchers were able to identify and associate domains with Prolific Puma as a DNS threat actor.
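As an added illustration of the passive-DNS correlation idea described above (example code, not Infoblox's own tooling or algorithm), the script below applies the traits the report attributes to Prolific Puma domains (short alphanumeric .us labels, weeks of dormancy before first resolution, shared hosting IPs) to a handful of constructed passive-DNS records. The records, IP addresses and the 28-day dormancy threshold are assumptions made for the example.

```python
"""Toy passive-DNS correlation over constructed records (added example).

Records are (domain, first_seen_in_registration_data, first_resolved, ip).
Domains and IPs are constructed; the IPs come from documentation ranges.
"""
import re
from collections import defaultdict
from datetime import date

PDNS = [
    ("ab3.us",  date(2023, 5, 1),  date(2023, 6, 10), "203.0.113.10"),
    ("x9kq.us", date(2023, 5, 3),  date(2023, 6, 12), "203.0.113.10"),
    ("t7m.us",  date(2023, 5, 20), date(2023, 6, 30), "203.0.113.11"),
    ("shop.us", date(2023, 5, 1),  date(2023, 5, 2),  "198.51.100.5"),
    ("ab3.com", date(2023, 5, 1),  date(2023, 6, 10), "203.0.113.10"),
]

MIN_DORMANT_DAYS = 28  # assumption for "several weeks" of parking
SHORT_LABEL = re.compile(r"[a-z0-9]{3,4}")


def looks_like_puma_domain(domain, first_seen, first_resolved):
    """Heuristic from the page: short alphanumeric .us label, aged before use."""
    label, _, tld = domain.lower().rpartition(".")
    if tld != "us" or not SHORT_LABEL.fullmatch(label):
        return False
    return (first_resolved - first_seen).days >= MIN_DORMANT_DAYS


def correlate(records):
    """Group candidate domains by the IP they first resolved to.

    One candidate on an IP is weak evidence, so only IPs shared by more
    than one candidate are returned; those are the clusters worth review.
    """
    clusters = defaultdict(list)
    for domain, first_seen, first_resolved, ip in records:
        if looks_like_puma_domain(domain, first_seen, first_resolved):
            clusters[ip].append(domain)
    return {ip: sorted(doms) for ip, doms in clusters.items() if len(doms) > 1}


if __name__ == "__main__":
    for ip, domains in correlate(PDNS).items():
        print(f"{ip}: {', '.join(domains)}")
```

Run on real passive-DNS data, the shared-IP grouping is what turns isolated short domains into a trackable infrastructure cluster; the label and dormancy filters alone produce far too many false positives.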

The report from Infoblox includes indicators for Prolific Puma activity, including link shortener hosting IP addresses and domains, redirection and landing pages, as well as an email address found in domain registration data.
