Enter the Puma: phishing link-shortening gang caught in the wild


A threat group believed to be from Ukraine went undetected for years, selling URL link-shortening services to other cybercriminals to help facilitate their malicious activities.

Prolific Puma is believed to have registered 35,000-75,000 fake domain names since April 2022 and went undiscovered until cybersecurity analyst Infoblox exposed its activities earlier this year.

Infoblox says it doesn’t know the gang’s origin story for sure but believes it may have originated in Ukraine and moved to Poland around the time of the Russian invasion. Its security researchers managed to pinpoint the group’s physical location to what it described as a nondescript primary school building in Lodz, which has welcomed many refugees.

Away from the analog world, Infoblox tracked Prolific Puma online via its domain names, first catching its scent around half a year ago. However, it reckons the group may have been active for considerably longer.

“For four years, maybe longer, Prolific Puma has operated in the shadows, unrecognized by defenders,” said Infoblox. “While we don’t know their origin story, we can detect Prolific Puma [...] via their domain name registration choices. What’s in the name? Prolific comes from the simple fact that this is a network that is continually expanding, with new domains registered almost daily.”

Prolific Puma uses these myriad domain names to provide link-shortening services to other cybercriminals. Services such as TinyURL are, of course, perfectly legal, but the same convenience has a darker side: the online criminal fraternity uses similar functions for illegal purposes.

“They create [...] and use these domains to provide a link-shortening service to other malicious actors, helping them evade detection while they distribute phishing, scams, and malware,” said Infoblox. “When we disrupt Prolific Puma, we disrupt a larger segment of the criminal economy.”

Infoblox says that Prolific Puma is not the only illicit service of its kind but is by far the most dynamic and wide-ranging, despite not openly advertising its services.

“We knew we were tracking a link-shortening service, but it was unclear what they were delivering and for whom they were providing the service,” said Infoblox. “Our detectors had found a large set of interconnected domains with suspicious behavior and no public presence, but we were challenged to conclude how they were being leveraged.”

Infoblox eventually figured out what it was on to when its investigators captured instances of shortened links that redirected to landing pages for phishing and scam sites.

“Prolific Puma is not the only illicit link-shortening service that we have discovered, but it is the largest and the most dynamic,” it said. “We have not found any legitimate content served through its shortener.”