Security researchers at Infoblox have discovered a registered domain generation algorithm (RDGA) that helped cybercriminals evade detection and more easily serve phishing and malware sites.
The operation, nicknamed Prolific Puma, used a bulk domain generation algorithm together with a system for creating shortened links to those domains, which kept the websites from being flagged as potentially dangerous.
The researchers stated: “When we destroyed Prolific Puma, we destroyed a large segment of the criminal economy”, demonstrating how important this system was in the context of cybercrime. They went on to clarify: “Prolific Puma algorithmically generates large volumes of domains and then uses them to create shortened links for other malicious actors, allowing them to hide their true activity”.
Prolific Puma: around 75,000 domains registered in just one year
The operation has been active for at least four years, Infoblox explained, while hypothesizing that it may in fact have been operating for much longer. The discovery of this ingenious system was not a matter of chance, but the result of DNS analysis.
Six months ago, researchers analyzing 70 billion DNS queries a day discovered the RDGA system that created domain names that were then exploited by cybercriminals.
Researchers found that in less than a month Prolific Puma managed to register thousands of domains, many of them under the US top-level domain (.us). Approximately 75,000 unique domain names have been registered since April of last year. At the beginning of 2023, Prolific Puma registered almost 800 domains in a single day.
Most of the domains are at most four characters long, although in rare cases they reach seven. The vectors used to direct victims to these pages are the usual ones: advertising on social networks, SMS messages and the like.
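The two traits reported above (very short labels, concentrated under .us, registered in daily bursts) are the kind of signal a defender can look for in passive-DNS or newly-observed-domain feeds. The following is an added example, not Infoblox's code: it runs a simple triage heuristic over constructed "first seen" records (assumed format `YYYY-MM-DD,domain`) and flags days with an unusual number of new short .us domains; the threshold value is an assumption for the sample data, not a figure from the article.

```python
from collections import defaultdict

# Constructed sample of passive-DNS "first seen" records (not real data).
SAMPLE_FIRST_SEEN = """\
2023-01-05,ab1.us
2023-01-05,x9k.us
2023-01-05,q2pz.us
2023-01-05,example.org
2023-01-05,m7.us
2023-01-05,x9k.us
2023-01-06,longmarketingname.us
2023-01-06,zz4.us
"""

def _labels(domain):
    """Split a domain into lowercase labels, ignoring a trailing dot."""
    return domain.strip().lower().rstrip(".").split(".")

def is_short_candidate(domain, tld="us", max_len=4):
    """Heuristic from the article: a label of at most four characters
    registered directly under .us. Legitimate short domains exist too,
    so this is a triage filter, not an indicator on its own."""
    parts = _labels(domain)
    if len(parts) < 2 or parts[-1] != tld:
        return False
    return len(parts[-2]) <= max_len

def daily_short_registrations(records):
    """Count, per day, how many never-before-seen domains match the heuristic.
    Repeated observations of the same domain are counted once."""
    seen = set()
    counts = defaultdict(int)
    for line in records.strip().splitlines():
        day, domain = line.split(",", 1)
        domain = ".".join(_labels(domain))
        if domain in seen:
            continue
        seen.add(domain)
        if is_short_candidate(domain):
            counts[day] += 1
    return dict(counts)

def flag_bursts(counts, threshold):
    """Return the days whose count of new short domains reaches the threshold."""
    return sorted(day for day, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    per_day = daily_short_registrations(SAMPLE_FIRST_SEEN)
    print(per_day, flag_bursts(per_day, threshold=3))
```

On real feeds the threshold should be derived from a baseline of normal daily volume for the TLD rather than hard-coded.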