A threat actor known as Prolific Puma has been maintaining a low profile and operating an underground link shortening service that is offered to other threat actors for at least the past four years.
Prolific Puma creates "domains with an RDGA [registered domain generation algorithm] and uses these domains to provide a link shortening service to other malicious actors, helping them evade detection while they distribute phishing, scams, and malware," Infoblox said in a new analysis pieced together from Domain Name System (DNS) analytics.
With malicious actors known to use link shorteners for phishing attacks, the adversary plays an important role in the cybercrime supply chain, registering between 35,000 and 75,000 unique domain names since April 2022. Prolific Puma is also considered a DNS threat actor for leveraging DNS infrastructure for nefarious purposes.
A notable aspect of the threat actor's operations is the use of an American domain registrar and web hosting company named NameSilo for registration and name servers, due to its affordability and an API that facilitates bulk registration.
Prolific Puma, which does not advertise its shortening service on underground markets, has also been observed resorting to strategic aging, parking registered domains for several weeks prior to hosting its service with anonymous providers.
"Prolific Puma domains are alphanumeric, pseudo-random, with variable length, typically 3 or 4 characters long, but we have also observed SLD labels as long as 7 characters," Infoblox explained.
Furthermore, the threat actor has registered thousands of domains in the U.S. top-level domain (usTLD) since May 2023, repeatedly using an email address containing a reference to the song OCT 33 by a psychedelic soul band called Black Pumas: blackpumaoct33@ukr[.]net.
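A defender-side illustration of the domain pattern described above: a small heuristic, added here as example code (not Infoblox's tooling), that scans a constructed DNS query log for clients resolving many distinct short, pseudo-random alphanumeric second-level labels under the usTLD. The log format, client addresses, domain labels and the threshold of three are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log, one "<client_ip> <qname>" per line (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 a7k3.us
10.0.0.5 z9q.us
10.0.0.5 mail.example.com
10.0.0.5 b2xq.us
10.0.0.5 q1w8.us
10.0.0.7 www.example.org
10.0.0.7 news.example.com
10.0.0.9 abcd.us
"""

# Label shape reported for Prolific Puma: alphanumeric, 3 to 7 characters.
SHORT_ALNUM = re.compile(r"^[a-z0-9]{3,7}$")


def looks_pseudo_random(label: str) -> bool:
    """Heuristic only: short alphanumeric label that mixes letters and digits
    or has no vowels at all. Real short brand names will produce false positives."""
    if not SHORT_ALNUM.match(label):
        return False
    has_digit = any(c.isdigit() for c in label)
    has_alpha = any(c.isalpha() for c in label)
    vowels = sum(c in "aeiou" for c in label)
    return (has_digit and has_alpha) or vowels == 0


def flag_clients(log: str, tld: str = "us", threshold: int = 3) -> dict:
    """Return clients that resolved at least `threshold` distinct pseudo-random
    SLDs directly under `tld`, mapped to the sorted list of those labels."""
    seen = defaultdict(set)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines rather than fail the whole scan
        client, qname = parts
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) != 2 or labels[1] != tld:
            continue  # only bare <sld>.<tld> names are of interest here
        if looks_pseudo_random(labels[0]):
            seen[client].add(labels[0])
    return {c: sorted(s) for c, s in seen.items() if len(s) >= threshold}


if __name__ == "__main__":
    print(flag_clients(SAMPLE_LOG))
```

The hit list is a triage signal, not a verdict: registration age and registrar data for the flagged SLDs should be checked before acting on it.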
The real-world identity and origins of Prolific Puma remain unknown as yet. That said, several threat actors are said to be using the offering to take visitors to phishing and scam sites, CAPTCHA challenges, and even other shortened links created by a different service.
In one instance of a phishing-cum-malware attack documented by Infoblox, victims clicking on a shortened link are taken to a landing page that asks them to provide personal details and make a payment, and ultimately infects their systems with browser plugin malware.
The disclosure comes weeks after the company uncovered another persistent DNS threat actor codenamed Open Tangle that leverages a large infrastructure of lookalike domains of legitimate financial institutions to target consumers for phishing and smishing attacks.
"Prolific Puma demonstrates how the DNS can be abused to support criminal activity and remain undetected for years," it said.
Kopeechka Hacking Tool Floods Online Platforms with Bogus Accounts
The development also follows a new report from Trend Micro, which found that lesser-skilled cybercriminals are using a new tool called Kopeechka (meaning "penny" in Russian) to automate the creation of hundreds of fake social media accounts in just a few seconds.
"The service has been active since the beginning of 2019 and provides easy account registration services for popular social media platforms, including Instagram, Telegram, Facebook, and X (formerly Twitter)," security researcher Cedric Pernet said.
Kopeechka provides two different types of email addresses to support the mass-registration process: email addresses hosted on 39 domains owned by the threat actor, and those hosted on more popular email hosting services such as Gmail, Hotmail, Outlook, Rambler, and Zoho Mail.
"Kopeechka does not actually provide access to the actual mailboxes," Pernet explained. "When users request mailboxes to create social media accounts, they only get the email address reference and the actual email that contains the confirmation code or URL."
It is suspected that these email addresses are either compromised or created by the Kopeechka actors themselves.
With online services incorporating phone number verification to complete registration, Kopeechka enables its customers to choose from 16 different online SMS services, most of which originate from Russia.
Besides accelerating cybercrime and equipping threat actors to launch full-fledged operations at scale, such tools – created as part of the "as-a-service" business model – highlight the professionalization of the criminal ecosystem.
"Kopeechka's services can facilitate an easy and affordable way to mass-create accounts online, which could be helpful to cybercriminals," Pernet said.
"While Kopeechka is mainly used for multiple account creation, it can also be used by cybercriminals who want to add a degree of anonymity to their activities, as they don't need to use any of their own email addresses to create accounts on social media platforms."