Researchers studying cybersecurity at Infoblox have found something scary and interesting. According to their findings, a link-shortening operation was being used by cybercriminals to hide their identity while delivering dangerous malware to unsuspecting internet users.
The operation, which is called Prolific Puma, has apparently been active for the better part of four years, and in that time has enabled cybercriminals to carry out their nefarious activities. This is how it was done.
Prolific Puma used a registered domain generation algorithm (RDGA) to create domain names in bulk. It then used those domain names to provide link-shortening services to interested cybercriminals. The cybercriminals would create their own malware pages and hide them behind these shortened links, since threat detectors were not able to flag the shortened links as dangerous. The unsuspecting user would click on one of these shortened links, which were carefully disguised, mind you, and the moment the page opened, the malware would install itself on the user's computer; the rest is history.
The way this operation was exposed is rather different. Researchers who were studying DNS queries spotted an RDGA that was generating bulk domains for URL-shortening services. The rate at which these domains are being created is actually scary: studies indicate that in 2023, the operation was churning out 800 unique domains in a day. The domain names in question are only 4-7 characters long, and as far as circulation is concerned, although there is no hard evidence, researchers believe that these cybercriminals are resorting to tried and tested methods such as social media ads, text messages, etc.
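The detection angle described above (bulk, short domain names showing up in DNS query traffic) can be turned into a simple defender-side heuristic. The following is an added example written for this article, not Infoblox's own tooling or any code from the Prolific Puma research. It assumes a simplified resolver log format (timestamp, client IP, queried name), uses a constructed sample log and a constructed baseline of previously seen domains, and approximates the registrable domain as the last two labels (a real deployment would use the Public Suffix List). Because a 4-7 character second-level label also matches plenty of legitimate names (example.com is seven characters), the signal is not any single name but the number of never-before-seen short domains appearing per day.

```python
"""Heuristic for spotting bursts of first-seen short-label domains in DNS query logs."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample resolver log: "<timestamp> <client IP> <queried name>". Not real data.
SAMPLE_LOG = """\
2023-05-01T09:00:01Z 10.0.0.5 ab7k.xyz
2023-05-01T09:00:03Z 10.0.0.5 q9zt.xyz
2023-05-01T09:00:07Z 10.0.0.8 www.example.com
2023-05-01T09:01:10Z 10.0.0.9 m3pq2.top
2023-05-01T09:02:44Z 10.0.0.5 h8rwq.xyz
2023-05-01T09:05:00Z 10.0.0.8 mail.example.com
2023-05-02T10:00:00Z 10.0.0.5 ab7k.xyz
2023-05-02T10:00:05Z 10.0.0.7 zx41kq.top
"""

# Constructed baseline: domains already observed in earlier logs, so not "new" here.
BASELINE = frozenset({"example.com"})

# Second-level label lengths reported for the Prolific Puma domains.
MIN_LABEL, MAX_LABEL = 4, 7


def parse_line(line):
    """Split one log line into (UTC datetime, client IP, normalised query name)."""
    ts, client, qname = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, client, qname.lower().rstrip(".")


def registrable_domain(qname):
    """Approximate the registrable domain as the last two labels (assumption: no PSL)."""
    labels = [label for label in qname.split(".") if label]
    if len(labels) < 2:
        return None
    return ".".join(labels[-2:])


def has_short_label(domain):
    """True when the second-level label is within the 4-7 character window."""
    return MIN_LABEL <= len(domain.split(".")[0]) <= MAX_LABEL


def first_seen_short_domains(log_text, baseline=frozenset()):
    """Return {ISO date: sorted short-label domains seen for the first time that day}."""
    seen = set(baseline)
    per_day = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, _client, qname = parse_line(line)
        domain = registrable_domain(qname)
        if domain is None or not has_short_label(domain) or domain in seen:
            continue
        seen.add(domain)
        per_day[when.date().isoformat()].append(domain)
    return {day: sorted(domains) for day, domains in per_day.items()}


def tld_breakdown(domains):
    """Count first-seen domains per TLD; RDGA output tends to cluster on a few cheap TLDs."""
    counts = defaultdict(int)
    for domain in domains:
        counts[domain.rsplit(".", 1)[-1]] += 1
    return dict(counts)


def flag_bursts(per_day, threshold):
    """Days on which the count of first-seen short domains reaches the threshold."""
    return [day for day, domains in sorted(per_day.items()) if len(domains) >= threshold]


if __name__ == "__main__":
    per_day = first_seen_short_domains(SAMPLE_LOG, BASELINE)
    for day, domains in sorted(per_day.items()):
        print(day, len(domains), "new short domains", tld_breakdown(domains))
    # Threshold of 3 is an arbitrary value for the constructed sample; tune it to your baseline.
    print("flagged days:", flag_bursts(per_day, 3))
```

On the constructed sample, the first day produces four never-before-seen short domains (three on .xyz, one on .top) and is flagged, while the second day produces only one, because ab7k.xyz was already seen. In a real deployment the threshold should come from the organisation's own daily baseline of new registrable domains, and the flagged names are a starting point for enrichment (registration date, registrar, hosting) rather than a verdict.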