Prolific Puma protects pernicious phishing plotters

We're all familiar with link shortening services, those handy tools that allow you to shrink URLs down to a manageable size to make them easier to share.

Of course, these have also been used for nefarious purposes in the past, hiding the true nature of a link to get people to click on phishing or malware messages. Now, though, researchers at Infoblox have uncovered something even more sinister: the operation of a shady link shortening service made especially for cybercrime.

Called 'Prolific Puma', the service creates domain names using a registered domain generation algorithm (RDGA) and uses these to provide a link shortening service to other malicious actors, helping them evade detection while they distribute phishing, scams, and malware.

Researchers uncovered the threat via DNS analytics. Prolific Puma is remarkable because it has been able to facilitate malicious activities for over 18 months and has gone unnoticed by the security industry.

Dr Renee Burton of the Infoblox Threat Intelligence Group writes on the company's blog, "Prolific Puma doesn't openly advertise their services. For some period of time, we knew we were tracking a link shortening service, but it was unclear what they were delivering and for whom they were providing the service. The tricky thing about investigating link shorteners is that without a full URL, it is not possible to determine the final landing page. Our detectors had found a large set of interconnected domains with suspicious behavior and no public presence, but we were challenged to conclude how they were being leveraged."

Prolific Puma isn't the only illicit link shortening service Infoblox has discovered, but it is the largest and the most dynamic. Since April 2022, it has registered between 35,000 and 75,000 unique domain names.

You can find out more on the Infoblox blog.

