Researchers Reveal Prolific Puma’s Underground Link Shortening Service

Link Shortening Service

A menacing actor known as Productive Puma has maintained a low profile and operated an underground link shortening service offered to other threat actors for at least the past four years.

Prolific Puma creates “domain names with a RDGA (Registered domain generation algorithm) and use these domains to provide link shortening services to other malicious actors, helping them avoid detection as they distribute phishing, scams, and malware,” Infoblox SAYS in a new analysis compiled from the Domain Name System (DNS) analytics.

With malicious actors known to use link shorteners for phishing attacks, the adversary plays an important role in the cybercrime supply chain, registering between 35,000 and 75,000 unique domain names since in April 2022. Prolific Puma is also a DNS threat actor for using the DNS infrastructure for nefarious purposes.

A notable aspect of the threat actor’s operation is the use of an American domain registrar and web hosting company named NameSilo for registration and name servers due to its affordability and an API that facilitates bulk registration.

Cybersecurity

Prolific Puma, which does not advertise its shortening service on underground markets, has also been observed resorting to strategic aging to park registered domains for weeks before hosting its service on unknown provider.

“Prolific Puma domains are alphanumeric, pseudo-random, with variable length, usually 3 or 4 characters long, but we have also observed SLD labels up to 7 characters, ” Infoblox explained.

In addition, the threat actor has registered thousands of domains with US top-level domains (usTLD) since May 2023, has been repeatedly using an email address with a reference to the song OCT 33 by a psychedelic soul band called Black Pumas: blackpumaoct33@ukr(.)net.

Link Shortening Service

The real world identity and origins of the Prolific Puma remain unknown to this day. As such, many threat actors are said to be using the offer to lead visitors to phishing and scam sites, CAPTCHA challenges, and even other shortened links created by a different service.

In one instance of a phishing-cum-malware attack documented by Infoblox, victims who clicked on a shortened link were taken to a landing page asking them to provide personal details and pay, and eventually infect their systems with browser plugin malware.

The disclosure comes weeks after the company disclosed another persistent DNS threat actor codenamed Open Tangle which uses a large infrastructure to impersonate the domains of legitimate financial institutions to target consumers for phishing and smishing attacks.

“Prolific Puma shows how DNS can be abused to support criminal activity and remain undetected for years,” it said.

Kopeechka Hacking Tool Floods Online Platforms with Bogus Accounts

The development also follows a new report from Trend Micro, which found that less skilled cybercriminals are using a new tool called Kopechka (means “penny” in Russian) to automate the creation of hundreds of fake social media accounts in seconds.

“The service has been active since the beginning of 2019 and provides quick account registration services for popular social media platforms, including Instagram, Telegram, Facebook, and X (formerly Twitter),” the security researcher said. Cedric Pernet SAYS.

Kopeechka provides two types of different email addresses to help with the mass-registration process: email addresses hosted by 39 domains owned by the threat actor and those hosted by more popular email hosting services such as Gmail, Hotmail, Outlook, Rambler, and Zoho Mail.

Cybersecurity

“Kopeechka never provides access to actual mailboxes,” Pernet explained. “When users ask for mailboxes to create social media accounts, they only get the email address reference and the specific email containing the confirmation code or URL.”

It is suspected that these email addresses have been compromised or created by Kopeechka actors themselves.

Along with online services that include phone number verification to complete registration, Kopeechka allows its customers to choose from 16 different online SMS services, most of them from Russia.

Besides facilitating cybercrime and equipping threat actors to launch full-scale operations, such tools – developed as part of an “as-a-service” business model – promote the professionalization of criminal ecosystem.

“Kopeechka’s services facilitate an easy and cheap way to create accounts online, which helps cybercriminals,” said Pernet.

“While Kopeechka is mainly used for creating multiple accounts, it can also be used by cybercriminals who want to add a level of anonymity to their activities, as they do not need to use any of their own email addresses to create accounts on social media platforms.”

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment