Hacking via shortened domain names


It appears once again that advocates for safer cyberspace, such as AXS Guard, cannot rest on their laurels.  After all, hackers have again found 'new' ways to lure cyberspace users to rogue websites. 'New' is in quotes... because it took no less than 18 months to detect the rogue practices.

What's the issue?

Infoblox, a U.S.-based company specializing in DNS security, has recently revealed a troubling discovery related to an entity named Prolific Puma. This organization offers hackers a service to redirect unsuspecting visitors to malicious websites through shortened URLs.


Prolific Puma has been actively registering domain names at an alarming rate. In less than a month, they have managed to secure thousands of domain names, predominantly within the U.S. top-level domain space (.us). This surge in domain registration is concerning due to Prolific Puma's association with various criminal activities, including phishing emails, fraud, and the distribution of malware. One of the prominent methods used by Prolific Puma is to incorporate these shortened URLs into SMS phishing campaigns.


Prolific Puma stood out for its remarkable capability to engage in malicious activities for over 18 months, all the while remaining undetected by the security industry. By amassing a substantial collection of domain names, they consistently managed to spread malicious traffic while evading detection. Prolific Puma's modus operandi and the nature of their malicious link shortening service made it difficult to detect through traditional anti-malware or anti-phishing software. Instead, it was the use of DNS analysis that ultimately uncovered their activities.

How does hacking via shortened links work?

Link shorteners were initially designed to simplify the sharing of website links and overcome social media's character limitations. Familiar examples include TinyURL, Bitly, Google, and LinkedIn.


Upon clicking a shortened link, users are redirected to another URL. In the background, a DNS request is sent to resolve the IP address associated with the shortened service domain, such as Prolific Puma.


The web request is then directed to a rogue address along with a unique hash value used to identify the originating site. While legitimate users create straightforward shortened links for sharing purposes, cybercriminals can use multiple redirects to conceal the true destination of a shortened link, making it challenging for security software to detect malicious activity.  


Prolific Puma employs the "strategic aging" technique for domains. This tactic circumvents traditional security measures that often block newly registered domains. By allowing domains to mature after registration, they evade detection and appear akin to existing, trustworthy sources.


How can I protect myself against this type of attack?

It is crucial to raise awareness among users about the potential risks associated with clicking on shortened links. Digital hygiene awareness training, which includes verifying the source before clicking a link, can significantly mitigate these risks. While the straightforward advice of "Don't click on shortened links" may seem like the most obvious solution, it is often challenging to implement in practice.


Therefore, the recommended approach is to automatically enhance protection through SecureDNS. AXS Guard forwards all DNS requests from users to Secutec’s SecureDNS server, which assesses the domain reputation of requested URLs, including that of shortened URLs and their intended destinations. 


A) If a user attempts to visit a blocked domain, access will be denied. 

B) If the domain is whitelisted or not identified as threatening, the user will be granted access to the domain.


You can monitor the results and efficiency of SecureDNS through the dedicated SecureDNS dashboard via the AXS Guard Cloud.


Conclusion

The consequences of malicious activity via shortened links can be devastating. Individuals face risks such as identity theft, financial losses, and privacy breaches. For companies, these attacks can result in data theft, disruption of business operations, and reputational damage. This underscores the urgent need for robust security measures and awareness training within organizations and among users.


SOURCEhttps://blogs.infoblox.com/cyber-threat-intelligence/prolific-puma-shadowy-link-shortening-service-enables-cybercrime/ 


Hacking via shortened domain names
Able bv, Joren De Breucker November 24, 2023

AXS Guard at Remmicom's Day of the Customer 2023