Thousands of shortened domains registered to carry out cyberattacks and more

A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
(Image credit: weerapatkiatdumrong / Getty Images)

Cybersecurity researchers from Infoblox have uncovered a major link-shortening operation that was helping cybercriminals evade detection and deliver phishing and malware sites to their targets.

They dubbed the operation Prolific Puma, and think it’s likely that multiple threat actors were involved in the operation’s work and expansion.

As per the report, Prolific Puma has been using a registered domain generation algorithm (RDGA) to create domain names in bulk. Then, they would use those domains to provide a link-shortening service to other malicious actors.

Years in operation

Those malicious actors would then create their own phishing and malware pages, and use the service to avoid scanners detecting them as such.

“When we disrupt Prolific Puma, we disrupt a larger segment of the criminal economy,” the researchers said in the report. “Prolific Puma generates large volumes of domains algorithmically, and then they use these domains to generate shortened links for other malicious actors, allowing them to hide their true activity.”

The operation has been active for at least four years, Infoblox further explained, speculating that it might have been even longer. After all, the operation was not blown after researchers discovered a malicious landing page - because they haven’t. 

Instead, it was found through DNS analytics. Six months ago, the researchers that analyze 70 billion DNS queries a day detected an RDGA creating domain names for malicious URL shortening services.

In less than a month, Prolific Puma managed to register thousands of domains, many on the U.S. top-level domain (usTLD), the researchers found. Since April last year, some 75,000 unique domain names have been registered. At the start of 2023, Prolific Puma registered almost 800 domains in a single day.

Most of the domains have a maximum of four characters, although there have been instances of domains with up to seven. 

How victims end up on these pages is anyone’s guess, although the researchers speculate it’s the usual vectors: social media advertisements, text messages, and the like.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.