Domain Name Hacker’s Covert URL Shortening


Researchers have recently found online services catering to domain name hackers, who are leveraging a covert link-shortening service tailored specifically for cybercriminal activities.

Dubbed ‘Prolific Puma’, this service deploys a registered domain generation algorithm (RDGA) to craft domain names, providing a discreet platform for distributing phishing schemes, scams, and malware, all while evading detection.

Operating in obscurity for over four years, this RDGA service has managed to dodge cybersecurity defenders, generating up to 75,000 unique domain names in the past 18 months, often evading regulations by employing URLs ending with “.us”.

Prolific Puma’s Intricate Operation

(Image source: Infoblox)

The heart of its operation lies in the use of what Infoblox terms the “registered” domain generation algorithm (RDGA). Unlike traditional domain generation algorithms (DGAs), in which malware dynamically computes domain names for command-and-control communication, an RDGA is a specialized technique in which the operator algorithmically generates domain names and actually registers them, allowing malicious activity to go undetected.

Dr. Renee Burton, head of threat intelligence at Infoblox, explains that shortened links are effective because they give cybercriminals compact URLs that hide the final destination and resist detection, making them ideal for evading automated security measures.

This service registers a network of domains generated via RDGA, exemplified by domains like threatactor1.com, threatactor2.com, and threatactor.com. The original URL is transformed into shortened links, rendering them unrecognizable to detection systems. Threat actors utilize these links to disseminate phishing schemes, scams, and malware attacks.

What is a Registered Domain Generation Algorithm (RDGA)?

At the core of its operations lies the “registered” domain generation algorithm (RDGA): the domain names are generated algorithmically and then registered by the operator, which is the key distinction from conventional DGAs, where the malware computes candidate names at runtime and most of them are never registered.
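As an added example, not code from the article or from Infoblox, the following Python triage pass illustrates the two ideas above: it scans constructed proxy-log records for shortener-like hops (a short opaque path token answered by a redirect to a different host) and groups numbered sibling domains into one family, the way the threatactor1.com / threatactor2.com / threatactor.com naming in the article suggests. The hostnames, the slug pattern, the redirect heuristic and the allowlist are all assumptions for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy-log records: (requested URL, HTTP status, Location header).
# All hostnames are placeholders, not indicators taken from the article.
SAMPLE_LOG = [
    ("http://example-short1.us/aB3xQ9", 302, "https://login-page.example/verify"),
    ("http://example-short1.us/Zk2mPq", 302, "https://prize-claim.example/offer"),
    ("http://example-short2.us/qP7nRs", 302, "https://update-host.example/setup.exe"),
    ("http://example-short.us/Ht5vWn", 302, "https://login-page.example/verify"),
    ("https://docs.example.org/guide/install", 200, ""),
    ("https://www.example.com/", 301, "https://www.example.com/home"),
    ("https://bit.ly/3abcDEF", 301, "https://news.example.org/story"),
]

REDIRECT_CODES = {301, 302, 303, 307, 308}
SLUG_RE = re.compile(r"[A-Za-z0-9_-]{4,12}")  # assumed shape of a shortener slug

def family_key(host):
    """Collapse numbered siblings (threatactor1.com, threatactor2.com, threatactor.com)
    onto one key by dropping trailing digits from the registrable label.
    Assumes a plain two-label registrable domain (no public-suffix handling)."""
    labels = host.lower().split(".")
    if len(labels) < 2:
        return host.lower()
    sld = re.sub(r"\d+$", "", labels[-2]) or labels[-2]
    return f"{sld}.{labels[-1]}"

def is_shortener_hop(url, status, location, allowlist):
    """True when a request looks like a link-shortener hop: a short opaque path
    token on a non-allowlisted host, answered with a redirect to a different host."""
    req, dst = urlparse(url), urlparse(location or "")
    host = (req.hostname or "").lower()
    if not host or host in allowlist or status not in REDIRECT_CODES:
        return False
    if not dst.hostname or dst.hostname.lower() == host:
        return False  # same-site redirects (www -> /home) are not shortening
    return SLUG_RE.fullmatch(req.path.strip("/")) is not None

def triage(log, allowlist=frozenset({"bit.ly"})):
    """Group shortener-like hops by domain family; return (family, domains, hits)
    tuples ranked by hit count so analysts see the busiest family first."""
    families = defaultdict(lambda: {"domains": set(), "hits": 0})
    for url, status, location in log:
        if is_shortener_hop(url, status, location, allowlist):
            host = urlparse(url).hostname.lower()
            families[family_key(host)]["domains"].add(host)
            families[family_key(host)]["hits"] += 1
    return sorted(((k, sorted(f["domains"]), f["hits"]) for k, f in families.items()),
                  key=lambda t: -t[2])
```

Known legitimate shorteners belong in the allowlist; the point of grouping by family is that a single slug-plus-redirect hit is weak evidence, while several freshly seen sibling domains all behaving as shorteners is worth an analyst's attention.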

Dr. Renee Burton notes that Prolific Puma’s surreptitious nature posed a challenge for investigators, as the absence of a complete URL made it difficult to ascertain the final landing page.

While Infoblox has identified various illicit link-shortening services, Prolific Puma stands out as the largest and most dynamic. Since April 2022, it has registered an astonishing 35,000 to 75,000 unique domain names, underscoring the scale of its operations.

Its covert operation as a domain name hacker presents a significant threat to online security. Its innovative use of the registered domain generation algorithm allows it to operate in the shadows, evading detection and enabling the distribution of cyber threats, which makes it one of the biggest facilitators for domain name hackers who use its services to target unsuspecting victims.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
