A thriving link-shortening service is providing cyberattackers and scammers with top-level .us domains, helping them make their phishing campaigns just a bit less detectable.
In a report published this week, researchers from Infoblox named the threat actor behind the operation “Prolific Puma.” In the past 18 months, Prolific Puma has generated as many as 75,000 unique domain names, often circumventing regulations to provide seedy criminals with URLs that end in a .us.
But Prolific Puma is providing its customers a lot more than just paint jobs for their dirty links.
“Shortened links offer the bad actor a shorter link for their text message (so it fits in SMS), a hidden destination (so suspect users are more likely to click), and resistance from detection by automated security products (which need to figure out where the links go),” explains Renee Burton, head of threat intelligence at Infoblox. And where companies like Bitly or TinyURL work to prevent malicious abuse of their services, in this case, there’s no such annoyance in the way.
Two Weird Tricks Registrars Don’t Want You to Know
Cybercriminals need domains from which to base their command-and-control (C2) operations, and they need a lot of them if they expect to evade detection for long, as analysts can quickly identify any IP or domain hardcoded into malware. This is why they use domain generation algorithms (DGAs), creating and cycling through large numbers of potential homes for their misdeeds.
The problem with DGAs is that the majority of pseudo-random domain names they create aren’t actually registered, and return an error if queried.
The key to Prolific Puma’s operation is what Infoblox calls the “registered” domain generation algorithm, or RDGA. These take advantage of APIs offered by registrars to create hundreds of thousands of domains, all properly registered, granting cyberattackers more robustness and fault tolerance for their infrastructure.
And they’re not just any domains, either. Prolific Puma has been observed utilizing common top-level domains (TLDs) like .me, .cc, and often .info. Since May 2023, though, more than half of its domains have used the .us TLD.
But .us TLDs are reserved for American citizens and organizations, requiring that claimants publicly disclose certain personal information proving their status. In practice, however, the rules are not always enforced quite so strongly.
Prolific Puma primarily uses the registrar NameSilo, which requires an email, physical address, phone number, and name for .us TLDs. NameSilo doesn’t actually verify this information, so the entire form can be filled out with fake information. What’s more, registrants can use bitcoin to pay for their domains, adding a further level of anonymity to the process.
Policing the Cybercrime Supply Chain
Prolific Puma doesn’t just abuse this lack of oversight to register an average of more than 20 new .us domains per day for cybercriminals. As of Oct. 4, researchers observed it converting its new and existing domains to personal use, using private registration settings, in violation of the supposed terms of the .us TLD, without any consequence.
It’s clear, then, that fighting cybercrime at this important point in its supply chain begins with domain registrars. But doing so will “require a multiple pronged effort,” Burton says.
“The difficulty for registrars and registries to police abuse comes from both technical and policy challenges,” she explains. “Registrars and registries can use third-party threat intelligence to help them identify suspicious domains and users of their services. Independently, they can run algorithms for anomaly detection in their own registrations. And they can work with cybersecurity advocacy groups like the Anti-Phishing Working Group (APWG) to help inform policy decisions and ensure that privacy considerations are maintained while still ensuring the safety of consumers.”
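Registrar-side anomaly detection of the kind Burton describes, run over constructed registration records, as an added example that is not from the article or from Infoblox: it groups registrations per registrant and day and flags bursts of privacy-protected, random-looking .us labels, the pattern the report attributes to Prolific Puma. The record fields and the thresholds (20 per day, privacy ratio, label entropy) are assumptions chosen for illustration.

```python
import math
from collections import defaultdict

# Constructed sample registrar records (not real data): r-001 bulk-registers
# random-looking .us labels with privacy on; r-002 is an ordinary registrant.
BULK_LABELS = [
    "k7xq2pd", "m3zbv9t", "h8rjw4n", "p5ylc1s", "q2nfk6g", "v9dhx3m", "b4tsz7r", "z6cwq8k",
    "r1gmp5x", "t7bnk2v", "w3jsd9h", "n8qxl4c", "g5vrt6z", "c2hpm7w", "y9kzb3f", "f4wdn8q",
    "x6tcr1l", "l3qgv5y", "d7mzs2b", "s8fxh6n", "j2pwk9d", "k5rbg4t", "m9clz1v", "h6nqt3x",
]
RECORDS = [
    {"registrant": "r-001", "domain": f"{lbl}.us", "day": "2023-10-04", "private": True}
    for lbl in BULK_LABELS
] + [
    {"registrant": "r-002", "domain": "smithfamilybakery.us", "day": "2023-10-04", "private": False},
    {"registrant": "r-002", "domain": "greenvalleydental.us", "day": "2023-10-05", "private": False},
]

def label_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of a second-level label."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registration_features(records):
    """Group registrations per (registrant, day) and compute burst features for .us."""
    groups = defaultdict(list)
    for rec in records:
        groups[(rec["registrant"], rec["day"])].append(rec)
    features = {}
    for key, recs in groups.items():
        us = [r for r in recs if r["domain"].endswith(".us")]
        labels = [r["domain"].split(".")[0] for r in us]
        features[key] = {
            "us_count": len(us),
            "private_ratio": sum(r["private"] for r in us) / len(us) if us else 0.0,
            "mean_entropy": sum(map(label_entropy, labels)) / len(labels) if labels else 0.0,
        }
    return features

def flag_bursts(records, min_daily=20, min_private_ratio=0.5, min_entropy=2.5):
    """Return (registrant, day) keys whose .us registrations look like bulk RDGA output."""
    return {
        key: f for key, f in registration_features(records).items()
        if f["us_count"] >= min_daily
        and (f["private_ratio"] >= min_private_ratio or f["mean_entropy"] >= min_entropy)
    }
```

Calling `flag_bursts(RECORDS)` returns only the r-001 burst on 2023-10-04; a registrar would feed its own daily registration export into the same function and route flagged keys to manual review.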