Prolific Puma Hacker Gives Cybercriminals Access to .us Domains

Published: 23/11/2024   Category: security


Cybercriminals are sharpening their phishing with shortened links, and showing that coveted, regulated top-level domains aren't as exclusive as you'd think.



A thriving link-shortening service is providing cyberattackers and scammers with .us domains, making their phishing campaigns just a bit harder to detect.
In a report published this week, researchers from Infoblox named the threat actor behind the operation Prolific Puma. In the past 18 months, Prolific Puma has generated as many as 75,000 unique domain names, often circumventing registration rules to provide criminals with URLs that end in .us.
But Prolific Puma is providing its customers a lot more than just paint jobs for their dirty links.
"Shortened links offer the bad actor a shorter link for their text message (so it fits in SMS), a hidden destination (so suspect users are more likely to click), and resistance from detection by automated security products (which need to figure out where the links go)," explains Renee Burton, head of threat intelligence at Infoblox. "And where companies like Bitly or TinyURL work to prevent malicious abuse of their services, in this case, there's no such annoyance in the way."
Cybercriminals need domains from which to base their command-and-control (C2) operations, and they need a lot of them if they expect to evade detection for long, since analysts can quickly identify and block any IP address or domain hardcoded into malware. This is why they use domain generation algorithms (DGAs), creating and cycling through large numbers of potential homes for their misdeeds.
The problem with DGAs is that the majority of the pseudo-random domain names they create aren't actually registered, so lookups for them fail (NXDOMAIN), and a burst of such failed lookups from one host is itself a well-known detection signal.
The key to Prolific Puma's operation is what Infoblox calls the registered domain generation algorithm, or RDGA. These take advantage of APIs offered by registrars to create hundreds of thousands of domains, all properly registered, granting cyberattackers more robustness and fault tolerance for their infrastructure.
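The DGA/RDGA distinction above is something a defender can act on from DNS logs alone: classic DGA hosts leave a trail of failed lookups, while RDGA domains resolve because every one of them is registered. The script below is an added example for this article, not Infoblox's tooling; the log lines, the lexical heuristic for "generated-looking" labels and all thresholds are constructed or assumed for illustration, not published detection criteria.

```python
"""Triage DNS query logs for classic DGA vs. registered-DGA (RDGA) activity.

Added example for this article; it is not Infoblox's tooling. The log lines,
the lexical heuristic and every threshold below are constructed/assumed for
illustration, not published detection criteria.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed passive-DNS style records: "<client> <queried name> <rcode>".
SAMPLE_LOG = """\
10.0.0.5 qwerasdfzxcv.com NXDOMAIN
10.0.0.5 plmoknijbuhv.com NXDOMAIN
10.0.0.5 zaqxswcdevfr.com NXDOMAIN
10.0.0.5 mkolpnjibhuv.com NXDOMAIN
10.0.0.5 cftvgybhunji.com NOERROR
10.0.0.7 r3q9.us NOERROR
10.0.0.7 k7zx.us NOERROR
10.0.0.7 m2vp.us NOERROR
10.0.0.7 www.example.com NOERROR
10.0.0.9 mail.google.com NOERROR
10.0.0.9 b8qt.cc NOERROR
"""

# Toy public-suffix table; a real tool would load the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au"}
VOWELS = set("aeiou")


def registrable_domain(name):
    """Reduce a queried name to its registrable domain (label + public suffix)."""
    parts = name.lower().rstrip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def entropy(label):
    """Shannon entropy of the label in bits per character."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(label):
    """Lexical heuristic for machine-generated labels (assumed thresholds).

    Long labels: few vowels and high entropy (classic hash-style DGA output).
    Short labels (<= 5 chars, the short-link style): letters mixed with
    digits, since entropy is meaningless at that length. Expect false
    positives; pair this with an allow list in production.
    """
    if not re.fullmatch(r"[a-z0-9]+", label):
        return False
    if len(label) <= 5:
        has_digit = any(ch.isdigit() for ch in label)
        has_alpha = any(ch.isalpha() for ch in label)
        return has_digit and has_alpha
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return vowel_ratio < 0.3 and entropy(label) >= 3.0


def triage(log_text, min_hits=3, nx_ratio=0.5):
    """Classify each client by what happens to its generated-looking lookups.

    Returns {client: (verdict, [flagged domains])}. A client whose flagged
    lookups mostly fail (NXDOMAIN) fits a classic DGA; one whose flagged
    lookups all resolve fits the RDGA pattern, where every name is registered.
    """
    per_client = defaultdict(lambda: {"nx": 0, "ok": 0, "domains": []})
    for line in log_text.splitlines():
        client, name, rcode = line.split()
        domain = registrable_domain(name)
        if not looks_generated(domain.split(".")[0]):
            continue
        rec = per_client[client]
        rec["domains"].append(domain)
        rec["nx" if rcode == "NXDOMAIN" else "ok"] += 1
    verdicts = {}
    for client, rec in per_client.items():
        total = rec["nx"] + rec["ok"]
        if total < min_hits:
            verdict = "none"
        elif rec["nx"] / total >= nx_ratio:
            verdict = "dga"
        else:
            verdict = "rdga"
        verdicts[client] = (verdict, rec["domains"])
    return verdicts


if __name__ == "__main__":
    for client, (verdict, domains) in triage(SAMPLE_LOG).items():
        print(f"{client}: {verdict} {domains}")
```

On the constructed sample, 10.0.0.5 is classified as classic DGA (four of five generated-looking lookups fail), 10.0.0.7 as RDGA (three short .us labels, all resolving), and 10.0.0.9 stays below the minimum hit count. The RDGA verdict is the interesting one operationally: the host is not noisy, so the only lead is the lexical shape of the names and the fact that they resolve.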
And they're not just any domains, either. Prolific Puma has been observed using common top-level domains (TLDs) like .me, .cc, and often .info. Since May 2023, though, more than half of its domains have been registered under .us.
But .us domains are reserved for American citizens and organizations (the .us "nexus" requirement), and registrants must publicly disclose certain personal information proving their status. In practice, however, the rules are not always enforced so strictly.
Prolific Puma primarily uses the registrar NameSilo, which requires an email, physical address, phone number, and name for .us domains. NameSilo doesn't actually verify this information, so the entire form can be filled out with fake details. What's more, registrants can pay for their domains with bitcoin, adding a further level of anonymity to the process.
Prolific Puma doesn't just abuse this lack of oversight to register an average of more than 20 new .us domains per day for cybercriminals. As of Oct. 4, researchers observed it switching its new and existing domains to private (proxy) registration, which the .us TLD rules prohibit, without any consequence.
It's clear, then, that fighting cybercrime at this important point in its supply chain begins with domain registrars. But doing so will require a multi-pronged effort, Burton says.
"The difficulty for registrars and registries to police abuse comes from both technical and policy challenges," she explains. Registrars and registries can use third-party threat intelligence to help them identify suspicious domains and users of their services. Independently, they can run algorithms for anomaly detection in their own registrations. And they can work with cybersecurity advocacy groups like the Anti-Phishing Working Group (APWG) to help inform policy decisions and ensure that privacy considerations are maintained while still ensuring the safety of consumers.
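The registrar-side anomaly detection Burton describes, and the two .us policy points made earlier (private registration is not allowed, and payment in bitcoin adds anonymity), can be combined into a simple screening pass over new registrations. The script below is an added example for this article and is not NameSilo's, Infoblox's or APWG's code; the records, field names, rules and thresholds are constructed or assumed for illustration.

```python
"""Registrar-side screening of new registrations for RDGA-style abuse.

Added example for this article; it is not NameSilo's, Infoblox's or APWG's
code. The records, field names, rules and thresholds are constructed/assumed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed registration records:
# (timestamp, domain, registrant_email, payment_method, whois_privacy_enabled)
REGISTRATIONS = [
    ("2023-10-04T09:01:00", "r3q9.us", "puma@example.net", "bitcoin", True),
    ("2023-10-04T09:01:07", "k7zx.us", "puma@example.net", "bitcoin", True),
    ("2023-10-04T09:01:15", "m2vp.us", "puma@example.net", "bitcoin", True),
    ("2023-10-04T09:01:22", "t6wq.us", "puma@example.net", "bitcoin", True),
    ("2023-10-04T09:01:30", "h4nd.us", "puma@example.net", "bitcoin", True),
    ("2023-10-04T09:01:41", "x9lp.us", "puma@example.net", "bitcoin", True),
    ("2023-10-04T11:30:00", "smithbakery.us", "alice@example.org", "card", False),
    ("2023-10-04T12:15:00", "bobsgarage.us", "bob@example.org", "card", True),
    ("2023-10-05T08:00:00", "carol-photos.com", "carol@example.org", "bitcoin", True),
]

# Assumed threshold for this example; the article reports Prolific Puma
# averaging more than 20 new .us domains per day.
BURST_PER_DAY = 5


def screen(records, burst=BURST_PER_DAY):
    """Return {registrant: {rule: [evidence, ...]}} for every registrant that
    trips at least one rule. Rules (assumptions for illustration):
      us_privacy     - a .us domain registered with WHOIS privacy, which the
                       .us policy does not allow;
      crypto_paid_us - a .us domain paid for with cryptocurrency (a weak,
                       anonymity-related signal, not a verdict on its own);
      burst          - `burst` or more registrations by one registrant in a day.
    """
    per_day = defaultdict(list)
    hits = defaultdict(lambda: defaultdict(list))
    for ts, domain, email, payment, privacy in records:
        day = datetime.fromisoformat(ts).date().isoformat()
        per_day[(email, day)].append(domain)
        if domain.endswith(".us") and privacy:
            hits[email]["us_privacy"].append(domain)
        if domain.endswith(".us") and payment == "bitcoin":
            hits[email]["crypto_paid_us"].append(domain)
    for (email, day), domains in per_day.items():
        if len(domains) >= burst:
            hits[email]["burst"].append(f"{day}:{len(domains)}")
    return {email: dict(rules) for email, rules in hits.items()}


def priority(hits):
    """Registrants ordered for manual review: most distinct rules tripped
    first, then most pieces of evidence."""
    return sorted(
        hits,
        key=lambda e: (len(hits[e]), sum(len(v) for v in hits[e].values())),
        reverse=True,
    )


if __name__ == "__main__":
    found = screen(REGISTRATIONS)
    for email in priority(found):
        print(email, found[email])
```

On the constructed data the bulk registrant trips all three rules and lands at the top of the review queue, while the single-domain .us registrant with privacy enabled surfaces only as a policy violation. The point of keying the burst rule on the registrant identity is that fake contact details are still reused across a batch; a registrar that rotates the identity per registration would need to fall back on payment or session data instead, which this example does not model.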
