SYDNEY, 1 November 2023 – Halloween might be the spookiest time of the year, but threat actors are doing frightening things on the internet every day. In the past month we have introduced two terms: Domain Name System (DNS) threat actors and RDGA (registered domain generation algorithm). We also gave a taste of one type of DNS threat actor, the persistent phisher, through an exposé of Open Tangle.
Today we are introducing the second actor in this series, Prolific Puma. For four years, maybe longer, Prolific Puma has operated in the shadows, unrecognised by defenders. While we don’t know their origin story, we can detect Prolific Puma through DNS and get a glimpse into its character via its domain name registration choices.
The cybercrime economy is the world’s third largest, with an estimated $8 trillion value in 2023, and Prolific Puma is part of the supply chain.1 It creates domain names with an RDGA and use these domains to provide a link shortening service to other malicious actors, helping them evade detection while they distribute phishing, scams, and malware. When we disrupt Prolific Puma, we disrupt a larger segment of the criminal economy.
To our knowledge, this paper is the first description of a large underground link shortening service. Moreover, the actor was discovered not from malware or phishing sites, but from DNS analytics. Prolific Puma is remarkable because it has been able to facilitate malicious activities for over 18 months and has gone unnoticed by the security industry. With a massive collection of domain names, it is able to distribute malicious traffic and evade detection.
This discovery demonstrates the power of using DNS and domain registration data not only to detect suspicious activity, but to bring that information together into a consolidated view of a DNS threat actor. While we were able to detect and track the Prolific Puma via DNS, its story highlights the challenges faced by domain registrars and registries to control abuse. When actors are distanced from the actual crime, policies can hinder the ability to identify and takedown the enabling domains.
We first noticed Prolific Puma domains six months ago through an RDGA detector. Since then, we have developed a better understanding of its activity using specialised DNS detectors to track the network as it evolves. In the sections that follow, we will discuss the Prolific Puma link shortening service, how it registers and hosts domains, its abuse of the us top level domain (usTLD), and the role it plays in facilitating crime on the internet. For the purpose of this publication, we intentionally focus on the actor and their use of DNS, rather than the campaigns that use their services. We provide one detailed example of a campaign conducted using Prolific Puma infrastructure, which led to both phishing the user and delivering browser-based malware.
While legitimate users will create a simple shortened link to share, a malicious actor may use multiple layers of redirection before the final landing page.
Malicious actors are known to abuse link shorteners for phishing.3 In the most publicised cases, however, the link shorteners are well-known, publicly available services including TinyURL, BitLy, and Google. This abuse is so rampant that marketing firm Rebrandly recommends that legitimate companies avoid using popular shorteners in their emails.4
Prolific Puma doesn’t openly advertise its services. For some period of time, we knew we were tracking a link-shortening service, but it was unclear what it was delivering and for whom it was providing the service. The tricky thing about investigating link shorteners is that without a full URL, it is not possible to determine the final landing page. Our detectors had found a large set of interconnected domains with suspicious behaviour and no public presence, but we were challenged to conclude how they were being leveraged.
We eventually captured several instances of shortened links redirecting to final landing pages that were phishing and scam sites. Interestingly, the sequence of redirections to the final page varied widely. In some cases, the shortened links led directly to the content.5 In others, multiple layers of redirection occurred before the final landing page.6 We also saw Prolific Puma shortened links that were redirected to another shortened link created by a different service.
In some cases, the shortened link led to a CAPTCHA challenge.8 We also found reports that Prolific Puma links were sent via SMS text messages with fake Amazon delivery notifications as early as January 2020.9 The variance in how the links were handled and the content delivered, makes it most likely that Prolific Puma is providing a service to multiple actors. Evidence suggests that the shortened links are primarily delivered to victims through text messages, but they could be used in other contexts, e.g., social media and advertisements.
Prolific Puma is not the only illicit link shortening service that we have discovered, but it is the largest and the most dynamic. We have not found any legitimate content served through its shortener. Later in this report we detail a specific example of a shortened link that leads to phishing for user information, a scam payment, and the distribution of browser malware.
As a service provider within the cybercrime ecosystem, Prolific Puma helps other malicious actors evade detection, a tactic included in the enterprise MITRE ATT&CK framework.10 But, its indirect role in the delivery of phishing, scams, and malware to consumers also helps them evade detection. While security providers may identify and block the final content, without a broader view it is difficult to see the full scope of the activity and associate the domains together under a single DNS threat actor. As we’ll see next, we are able to do this through DNS analytics.
Detection and Domain Name Characteristics
In order to provide original intelligence for Infoblox DNS detection and response products in the cloud and on-prem, we have designed a large corpus of independent algorithms to detect suspicious and malicious domains, as well as related IP addresses and other DNS resources. Through aggregation of passive DNS (pDNS) query logs and other data sources, we run a series of analytics on a collection of newly queried, registered, or configured domains. These analytics independently characterise the domains and range from flagging a domain as suspicious to assigning it to a DNS threat actor.
The discovery of Prolific Puma followed a path common to many of the DNS threat actors we internally name and track. From our automated analytics, some related domains were first labelled individually as suspicious. This adjudication allowed the domains to be blocked in our DNS recursive resolvers to protect customers, but did not necessarily capture the full breadth of activity and did not correlate the domains to a single actor. When we deployed algorithms for RDGA discovery in Spring 2023, the Prolific Puma domains began to be identified in groups. These groups were also automatically determined, but use statistical methods that ensure a high degree of confidence that the RDGA domains are registered by the same DNS threat actor. Finally, another algorithm identified outlier behaviour in IP resolutions and correlated the individual RDGA clusters. The sheer size of the activity raised the profile of this particular DNS threat actor for our human-in-the-loop research and we designed specialised DNS fingerprints to track them. In the remainder of this section, we’ll share details about the Prolific Puma domain name characteristics and features that identify them.
Because the connection between the Prolific Puma domains and the final landing pages is indirect, the actor has some protection against discovery. But they also fortify their ability to persist and remain unnoticed through the registration of a large number of domains. Malicious traffic gets divided across these domains at fairly low volumes. Over time, the domains may even gain a reputation as being ‘good’ through strategic aging, a technique used by Prolific Puma that we will detail more later in this paper.
Prolific Puma controls one of the largest networks we track. Since April 2022, it has registered between 35,000 and 75,000 unique domain names. Figure 3 shows the number of unique domain names registered per day using three or four long domain labels. As we recently reported, RDGAs have increasingly replaced traditional DGAs and offer new challenges to defenders. The use of this technique allows them to easily automate their operations for scale; Prolific Puma domains are among the thousands of new domains Infoblox detects daily that are generated by an RDGA.
Prolific Puma uses NameSilo as its domain name registrar and tends to strategically age its domains before hosting its service with anonymous providers. Despite a lack of clear relation to the United States, Prolific Puma consistently abuses the top-level domain (usTLD), a TLD intended to be reserved for U.S. citizens and organisations. Prolific Puma is known to register both new domains and dropped domains. As an example, 3ty[.]us was previously used by a different actor in June 2022 for Facebook messenger phishing campaigns and was then registered by Prolific Puma after the registration lapsed in July 2023.
Prolific Puma domains are alphanumeric, pseudo-random, with variable length, typically 3 or 4 characters long, but we have also observed SLD labels as long as seven characters. The domains are registered on 13 TLDs that are frequently abused by malicious actors, including: info, us, site, in, link, me, cc, website, life, xyz, club, buzz, and best. The info TLD accounted for the bulk of domains until May 2023. Since then, the actor has used the usTLD for approximately 55% of the total domains they created. We observe 43 new domains, on average, every day since May 2023.
Over the last 18 months, Prolific Puma has primarily used NameSilo for registration and name servers. NameSilo, a cheap domain name and hosting provider, is frequently abused by malicious actors. Aside from affordability, it offers an API, as do many registrars, which facilitates bulk registration by both legitimate users and criminals. To register a domain with NameSilo you need only an email address and a method of payment. However, to configure the domain for use, a name and physical address are required. Domains that are registered but unconfigured are parked; the IP address returned through DNS belongs to SEDO Gmbh and is part of the premium SEDO Multi-Listing Service offered to registrars.
NameSilo is a highly abused registrar according to the Infoblox reputation algorithm. We currently rate the risk of domains registered with NameSilo as a 7 on a scale of 0 to 10, where 10 is considered extremely high risk and 5 is average. In addition to TLDs, we can also apply our reputation algorithm to name servers. Prolific Puma uses the default name servers for NameSilo, which are within the dnsowl[.]com domain.11 Our algorithm currently rates the risk of dnsowl[.]com name servers as a 6, which is moderate but slightly elevated when compared to all other known name servers.
While it is not rare for DNS threat actors to use a single registrar for its operations, it is somewhat uncommon; as such, the use of a single registrar is a feature in our taxonomy of DNS threat actors. The actors that we track have generally persisted for over a year and are often financially motivated. We find that frequently they choose registrars and TLDs that are the least expensive and are hassle-free. While NameSilo is a cheap registrar, it is not the only one, and it will not offer the lowest price on domains over a long period of time. In that past, Prolific Puma registered large numbers of domains with other cheap providers, notably NameCheap. The consistent use of NameSilo over a long period of time is notable, but the motivation is unknown.
Abuse of usTLD
Prolific Puma has registered thousands of domains in the usTLD since May 2023. This is remarkable because, according to the usTLD Nexus Requirements Policy, only U.S. citizens, or U.S.-affiliated businesses are eligible to register domains in it.12 Moreover, the usTLD requires transparency; no domain names may be registered privately. As a result, the email address, name, street address, and phone number associated with the domain are publicly available. While this might seem a likely deterrent to crime, it has not been effective; the usTLD is well known for abuse.
As Krebs on Security recently reported, the usTLD is one of the most abused country code TLDs (ccTLDs) and there is no verification made of the registrant’s relationship to the United States.13 While Krebs holds GoDaddy accountable as the registry, the TLD suffered from abuse before it took over registry responsibilities in 2020. While once a highly structured and controlled TLD, second level domain (SLD) registrations became available in 2002 after Neustar was awarded the contract to administer the TLD.14 Infoblox rates the usTLD as a moderate but slightly elevated risk, with a score of 6, in comparison to all other TLDs.
Registration of a .us domain with NameSilo requires an email address, as well as selection of one of the five Nexus categories and application purposes, as shown below in Figure 4. These are used to establish the registrant’s association with the United States; however, the acceptance criteria are very broad.15 During the registration process, the user is warned that they must qualify for one of these and choose a selection. The application purpose requirement separates personal from organisational registrations.
In order to fully configure the domain with NameSilo, the registrant must also provide a name, physical address, and phone number, but these are unverified and the related WHOIS records are not updated automatically. Without an update, only the email address associated with the purchase is publicly available. The registrant can choose to associate contact information with previously purchased domain names, but this is a separate configuration from the account holder details. This entire process can be completed with fake data, and the domain can be paid for with Bitcoin, enabling threat actors to abuse the service without much difficulty. While NameSilo is the registrar being abused in this particular case, the difficulties highlighted here are common across the industry.
Prolific Puma domain registrants have historically claimed to be a U.S. citizen (C11) using the domain to conduct business for profit (P1), although this pattern has recently changed. Starting on October 4th, we observed Prolific Puma domains within the usTLD switch to a domain for personal use (P3) and with private registration settings, including both existing and new registrations. This activity eliminated any doubt that Prolific Puma was a malicious actor. As of mid-October, nearly 2000 Prolific Puma domains in the usTLD now have private registration.
The presence of private registrations within the usTLD is alarming and violates the terms of the usTLD. Lack of detailed information through the WHOIS data has hindered intelligence investigations for the last several years, but more importantly, through our own experience with NameSilo, it is not possible to select private registration for domains in the usTLD through its interface. And yet, it was done. Digging a little deeper and assessing all domains we processed between September 1st and October 15th, we found that while Prolific Puma made up the vast majority of .us domains under Privacy Guardian protection, there were others. Of the over 200 registrars reporting usTLDs during this timeframe, only four registrars were associated with private registration data, as shown in the table below. Of the total domains with private records, over 99% were registered with NameSilo. At this time, we are not able to explain this behaviour.
While the limitations of .us domain names may seem strict, upon closer review, only wholly foreign entities are excluded from registering domains within this TLD. If the registrant is suspected of providing false WHOIS information, the Internet Corporation for Assigned Names and Numbers (ICANN) requires the registrar to investigate and allow the information to be updated.16 According to the Nexus requirements policy, registrars must provide registrants 30 days to update incomplete or incorrect information. NameSilo and GoDaddy are better positioned to take down domains based on their malicious activity than their Nexus qualifications. But in the case of middle-layer adversaries like Prolific Puma, exactly how do they do that?
The abuse of the usTLD, similar to that of others like .xyz and .website, is real. But with modern privacy regulations and technologies, separating abuse from legitimate use is not trivial, particularly at the scale of the DNS. Protecting consumers and organisations against DNS threat actors requires industry collaboration. For our part, we informed both NameSilo and GoDaddy of the Prolific Puma activity in September. Aside from the potential violation of usTLD requirements, however, it is difficult for a registrar to regulate domains that are not used directly for malicious purposes. We have also shared a large collection of recent domains with Spamhaus and other vendors.17
Prolific Puma Operations
Following the registration of a domain, Prolific Puma often leaves it unused, or parked, for several weeks. This technique is referred to as strategic aging.24 Because phishing attacks are traditionally tied to newly registered domains, many security systems will block access to them. In response, threat actors realised that by waiting to use domains in their campaigns, or ‘aging’ them, they could bypass many security protections.
Prolific Puma will make a small number of DNS queries during the aging process, a method used by threat actors to gain reputation for the domain names. During this period, the domains are parked with NameSilo. Prolific Puma will then transfer them to bulletproof hosting providers, purchased using Bitcoin, on a virtual private server (VPS) with a dedicated IP address. We have found that they will abandon domains after some time, leaving the DNS record pointing to the dedicated IP address.
Based on the breadth of operational techniques we have seen, we suspect that Prolific Puma is providing a service for others and that the final landing pages are not in its control. It remains possible, though, that the same threat actor controls both the link shortening service and all of the malicious activity conducted through it. We have not determined how Prolific Puma advertises its services, how its users go about receiving the shortened URL, or whether it has any legitimate traffic. Within the campaigns through the Prolific Puma service, we have found large networks of domains controlled by other DNS threat actors, often registered with cheap registrars such as NameCheap. Some of these campaign domains are also generated by RDGAs.
An Example Campaign
Prolific Puma operates a link shortener for a variety of phishing, scam, and malware activities. Below, we describe an example of one of the campaigns it serves. Figures 5.1-5.4 show screenshots of what a victim would encounter after clicking on the initial shortened link, http://bwkd[.]me/ZFjfA3. The link leads to a phishing page designed to appear like an email, prompting the user to provide personal details and make a payment, and then it infects the user with browser plug-in malware. We have also captured a screenshot recording of the process, shown below.
The technical steps between the shortened link and the browser plug-in malware in this campaign are as follows:
- The first shortened link http://bwkd[.]me/ZFjfA3 redirects to
- http://ksaguna[.]com/click.php?key=<redacted>, which itself redirects to https://www[.]asdboloa[.]com/ZA/AB_zagopb/?uclick=<redacted> ○ This final website is a fake Gmail message telling the user they have won the opportunity to test the new iPhone 15.
- The user is instructed to click on a link to claim their phone at https://www[.]game[.]co[.]za/2023program and enter their delivery information. The website www[.]game[.]co[.]za is a South African discount retailer using promotional drives to draw consumers.
- Following this link under the right conditions leads to a prompt to pay 18 South African Rand (ZAR) to participate in the trial.
- From there, the user is presented with a page claiming to be postal tracking and prompting them to accept notifications from fubsdgd[.]com. Clicking ‘accept’ triggers the installation of browser malware that uses the OneSignal service to push notifications. While commonly associated with ads, in our experience, browser plug-in malware is commonly used to deliver scams, phishing, and other malware, along with ads.
- Finally, the victim is taken through a series of prompts asking them to verify shipping preferences and enter their personal information.
We do not know how the original shortened URL is delivered to the victim; it may be through an SMS text message given that it opens a fake Gmail message. The domains used during the exploitation of the victim change and are themselves part of a large network. This campaign uses a variety of techniques to assure the victim that the offer is genuine, including an active stream of testimonial reviews at each step from other ‘recipients’.
Prolific Puma demonstrates how the DNS can be abused to support criminal activity and remain undetected for years. As part of the supply chain, this actor is harder to detect and defeat. Traditional security systems protect the user from harm based on the final landing page of a link. DNS detection and response systems, however, can disrupt Prolific Puma and similar service providers, thereby thwarting all of the actors who rely on them to deliver phishing, scams, and malware. By using an RDGA and cheap domain registrars, Prolific Puma is able to scale and persist its operations. But at the same time, we can detect the use of an RDGA through DNS and domain registration records.
Prolific Puma is only one of the link shortener operators that Infoblox has discovered, and link shorteners are only one type of service found in the shadow economy. Most often we uncover DNS threat actors first through analytics that identify suspicious newly registered, configured, or queried domains. Even prior to correlating domains with malicious activity, we can use other features, such as TLD and name server reputation, to flag the related domains as suspicious. Later, we are able to connect domains together and isolate a threat actor. By blocking access to suspicious domains, organisations can implement a highly effective, low-regret, high-security policy for their network and users.
Infoblox unites networking and security to deliver unmatched performance and protection. Trusted by Fortune 100 companies and emerging innovators, we provide real-time visibility and control over who and what connects to your network, so your organisation runs faster and stops threats earlier. Visit Infoblox.com, or follow-us on LinkedIn or Twitter.