
Phishing Actor Uses Malicious Link Shorteners Hiding behind .US Top Level Domain

Short domains of three to seven characters are used to mask the true destination of websites used for spreading malware.


Security firm Infoblox has uncovered a malicious link shortening service using the .US top-level domain (TLD) to execute phishing and malware attacks. The link shortening service, labeled “Prolific Puma” by the researchers, has been operational for three years and is suspected of aiding phishers and malware distributors. Infoblox's analysis indicates that these short domains, which range from three to seven characters in length, don't host content. Instead, they mask the true destination of websites designed to deceive users or distribute malware.

According to Infoblox, over 55% of the domains created by the shortening service since May 2023 utilize the .US TLD, with several new domains registering daily. 

Regulatory Oversight and Abuse

As reported by Krebs on Security, the National Telecommunications and Information Administration (NTIA) regulates the .US TLD but contracts out management to private firms, such as GoDaddy, one of the largest web hosting providers and the largest domain registrar globally. These contractors have historically verified that registrants have a presence in the United States. However, Infoblox has noted over 2,000 malicious domains with private registrations through NameSilo, which sidesteps the transparency obligations of the .US charter.

Interisle's latest study examines six million phishing reports and identifies around 30,000 .US phishing domains. These domains are often registered to target major US companies and government agencies. The study highlights the troubling volume of malicious use and points to the .US domain's descent into a hotbed of phishing.

Implications and Industry Response

The current trend raises concerns about the effectiveness of domain registration regulations and the ease of concealing registrant data. DomainTools, a service for investigating domain registrations, shows domains tied to Prolific Puma registering through various providers and sometimes providing false registrant information.

The NTIA's proposal to permit registrars to redact registrant data has met opposition from the industry, with experts arguing it undermines accountability for the .US TLD. Infoblox's report on Prolific Puma brings to light the sophisticated layers of the DNS threat landscape, emphasizing the need for vigilance and a robust response from domain management entities.

How to Recognize Potential Malware and Phishing Attempts via Short URLs

When dealing with potential phishing or malware threats, it's crucial to understand the structure and significance of domain names. A domain name consists of several parts, including a top-level domain (TLD) like .com, .org, or .us. Cybercriminals often exploit less familiar TLDs to create seemingly legitimate websites for malicious purposes. It's important to be cautious with unfamiliar or unexpected TLDs, especially in unsolicited communications.

Here are some safe practices for checking suspicious links:

Hover, Don't Click: Before clicking on any link, hover your cursor over it. This action will typically show you the full URL at the bottom of your browser. Look for inconsistencies or unfamiliar domain names.

Use Link Checking Tools: There are online tools available that allow you to check the safety of a link without clicking on it. Websites like VirusTotal or CheckShortURL provide insights into where a shortened link leads and whether it's been flagged for malicious content.

Verify the Source: If a link comes from an email or message, verify the sender's authenticity. Check their email address for any subtle misspellings or unusual characters that might indicate a phishing attempt.

Always Update Your Browser: Modern browsers often include security features that warn you about suspicious websites. Ensure your browser is up to date to take advantage of these protections.

Use Security Software: Use comprehensive security software that includes link scanning to automatically detect and warn you about risky websites.
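The "hover, don't click" and link-checker advice above both come down to one question: where does a short link actually end up? The following script is an added example (not code from the article, Infoblox or any link-checking service) that answers it the way a checker does, by issuing HEAD requests hop by hop and never downloading a page body, so nothing hosted at the destination is rendered. The hostnames in the redirect table are constructed for an offline demonstration; pass the real `head_location` fetcher to inspect a live link.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 5  # legitimate shortener chains are short; hitting the cap is itself a signal


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so every hop is recorded explicitly."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def head_location(url, timeout=5):
    """Live fetcher: one HEAD request, returns (status, Location header or None).
    HEAD never downloads a page body, so nothing served at the URL is executed."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # unhandled 3xx and any 4xx/5xx land here
        return err.code, err.headers.get("Location")


def _hosts(chain):
    """Distinct hostnames in order of appearance; more than one means a hand-off."""
    seen = []
    for u in chain:
        h = urlparse(u).hostname
        if h and h not in seen:
            seen.append(h)
    return seen


def unshorten(url, fetch=head_location, max_hops=MAX_HOPS):
    """Follow the redirect chain hop by hop and report where it ends.
    fetch(url) -> (status, location) is injectable so the logic can run offline."""
    chain = [url]
    current = url
    for _ in range(max_hops):
        status, location = fetch(current)
        if status not in REDIRECT_CODES or not location:
            return {"final": current, "chain": chain, "status": status,
                    "hosts": _hosts(chain), "truncated": False}
        current = urljoin(current, location)  # Location may be relative; resolve it
        chain.append(current)
    # Still redirecting after max_hops: a loop or a deliberately deep chain.
    return {"final": current, "chain": chain, "status": None,
            "hosts": _hosts(chain), "truncated": True}


# Constructed redirect table standing in for live responses (offline demonstration).
FAKE_RESPONSES = {
    "https://short.example/abc": (302, "https://second.example/go"),
    "https://second.example/go": (301, "/landing"),
    "https://second.example/landing": (200, None),
    "https://loop.example/a": (302, "/a"),
}


def fake_fetch(url):
    """Offline stand-in for head_location backed by the constructed table."""
    return FAKE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    print(unshorten("https://short.example/abc", fetch=fake_fetch))
    print(unshorten("https://loop.example/a", fetch=fake_fetch))
```

The `hosts` list is the part worth reading: a shortener whose chain hands off through several unrelated hosts, or that keeps redirecting past the hop cap, fits the "don't host content, just mask the destination" pattern the article describes.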

Interpreting Domain Names for Safety

Check the Domain's History: WHOIS lookup services allow you to check the registration history of a domain. A newly registered domain or one with hidden registrant details might be suspicious.

Look for HTTPS: Secure websites use HTTPS, indicated by a padlock symbol in the browser's address bar. While not foolproof, HTTPS is a good indicator of a website's legitimacy.

Beware of Lookalike Domains: Phishers often use domains that look similar to legitimate ones, with slight misspellings or additional characters. Always double-check the URL.

Be Wary of Excessive Hyphens or Numbers: Domains with unusual combinations of hyphens or numbers, especially in a TLD that doesn't match the supposed organization's country, can be a red flag.
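The four domain checks above, plus the three-to-seven-character .US pattern from the Infoblox findings, can be turned into a small triage script. This is an added example, not code from the article or from Infoblox; the brand list, the public-suffix list and the confusable-character map are constructed samples and would be replaced by fuller data in practice.

```python
from urllib.parse import urlparse

# Constructed sample brand list for the lookalike check (not from the article).
KNOWN_BRANDS = {"paypal", "microsoft", "google", "amazon", "irs"}
# Constructed sample of two-label public suffixes so "example.co.uk" splits correctly.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}
# Digits that phishers substitute for the letters they resemble.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def split_host(host):
    """Return (registrable_label, tld) for a hostname, e.g. ('xy7z', 'us')."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    if len(labels) >= 2:
        return labels[-2], labels[-1]
    return labels[0], ""


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character misspellings of a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(label, brands=KNOWN_BRANDS):
    """Return the brand a label imitates, or None. Each hyphen-separated token is
    checked after confusable substitution ('paypa1' -> 'paypal', 'rn' -> 'm')."""
    for token in label.split("-"):
        normalized = token.translate(CONFUSABLES).replace("rn", "m")
        for brand in brands:
            if token == brand:
                continue  # the genuine name, not an imitation
            if normalized == brand:
                return brand
            # one-edit typos only for longer brands; short ones give false positives
            if len(brand) >= 6 and edit_distance(normalized, brand) == 1:
                return brand
    return None


def analyze_url(url):
    """Return heuristic flags for a URL; an empty list means nothing stood out."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    label, tld = split_host(host)
    flags = []
    if parsed.scheme != "https":
        flags.append("no-https")
    if tld == "us" and 3 <= len(label) <= 7:
        flags.append("short-us-domain")  # the 3-7 character .US pattern Infoblox described
    if label.count("-") >= 2:
        flags.append("hyphen-heavy")
    if sum(ch.isdigit() for ch in label) >= 3:
        flags.append("digit-heavy")
    brand = lookalike_of(label)
    if brand:
        flags.append("lookalike:" + brand)
    return flags


if __name__ == "__main__":
    for sample in ("http://xy7z.us/abc", "https://paypa1-secure-login.com/",
                   "https://www.paypal.com/", "https://example.co.uk/"):
        print(sample, analyze_url(sample))
```

None of these flags is proof on its own; the script is meant to decide which links deserve the WHOIS lookup and the sender verification described above, not to replace them.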

Markus Kasanmascheff
Markus is the founder of WinBuzzer and has been playing with Windows and technology for more than 25 years. He holds a Master's degree in International Economics and previously worked as Lead Windows Expert for Softonic.com.
