Direct navigation — the act of visiting an internet site by manually typing a website title in an internet browser — has by no means been riskier: A brand new research finds the overwhelming majority of “parked” domains — largely expired or dormant domains, or frequent misspellings of fashionable web sites — are actually configured to redirect guests to websites that foist scams and malware.
A lookalike area to the FBI Web Crime Criticism Heart web site, returned a non-threatening parking web page (left) whereas a cellular person was immediately directed to misleading content material in October 2025 (proper). Picture: Infoblox.
When Web customers attempt to go to expired domains or unintentionally navigate to a lookalike “typosquatting” area, they’re usually dropped at a placeholder web page at a website parking firm that tries to monetize the wayward site visitors by displaying hyperlinks to quite a few third-party web sites which have paid to have their hyperlinks proven.
A decade in the past, ending up at one among these parked domains got here with a comparatively small probability of being redirected to a malicious vacation spot: In 2014, researchers discovered (PDF) that parked domains redirected customers to malicious websites lower than 5 p.c of the time — no matter whether or not the customer clicked on any hyperlinks on the parked web page.
However in a collection of experiments over the previous few months, researchers on the safety agency Infoblox say they found the state of affairs is now reversed, and that malicious content material is by far the norm now for parked web sites.
“In giant scale experiments, we discovered that over 90% of the time, guests to a parked area can be directed to unlawful content material, scams, scareware and anti-virus software program subscriptions, or malware, because the ‘click on’ was bought from the parking firm to advertisers, who usually resold that site visitors to yet one more get together,” Infoblox researchers wrote in a paper revealed in the present day.
Infoblox discovered parked web sites are benign if the customer arrives on the website utilizing a digital personal community (VPN), or else through a non-residential Web tackle. For instance, Scotiabank.com clients who unintentionally mistype the area as scotaibank[.]com will see a standard parking web page in the event that they’re utilizing a VPN, however shall be redirected to a website that tries to foist scams, malware or different undesirable content material if coming from a residential IP tackle. Once more, this redirect occurs simply by visiting the misspelled area with a cellular gadget or desktop pc that’s utilizing a residential IP tackle.
In keeping with Infoblox, the particular person or entity that owns scotaibank[.]com has a portfolio of practically 3,000 lookalike domains, together with gmai[.]com, which demonstrably has been configured with its personal mail server for accepting incoming e mail messages. Which means, in the event you ship an e mail to a Gmail person and unintentionally omit the “l” from “gmail.com,” that missive doesn’t simply disappear into the ether or produce a bounce reply: It goes straight to those scammers. The report notices this area additionally has been leveraged in a number of current enterprise e mail compromise campaigns, utilizing a lure indicating a failed fee with trojan malware connected.
Infoblox discovered this specific area holder (betrayed by a typical DNS server — torresdns[.]com) has arrange typosquatting domains focusing on dozens of high Web locations, together with Craigslist, YouTube, Google, Wikipedia, Netflix, TripAdvisor, Yahoo, eBay, and Microsoft. A defanged checklist of those typosquatting domains is out there right here (the dots within the listed domains have been changed with commas).
David Brunsdon, a menace researcher at Infoblox, stated the parked pages ship guests by means of a sequence of redirects, all whereas profiling the customer’s system utilizing IP geolocation, gadget fingerprinting, and cookies to find out the place to redirect area guests.
“It was usually a sequence of redirects — one or two domains exterior the parking firm — earlier than menace arrives,” Brunsdon stated. “Every time within the handoff the gadget is profiled many times, earlier than being handed off to a malicious area or else a decoy web page like Amazon.com or Alibaba.com in the event that they resolve it’s not price focusing on.”
Brunsdon stated area parking providers declare the search outcomes they return on parked pages are designed to be related to their parked domains, however that just about none of this displayed content material was associated to the lookalike domains they examined.
Samples of redirection paths when visiting scotaibank dot com. Every department features a collection of domains noticed, together with the color-coded touchdown web page. Picture: Infoblox.
Infoblox stated a unique menace actor who owns domaincntrol[.]com — a website that differs from GoDaddy’s title servers by a single character — has lengthy taken benefit of typos in DNS configurations to drive customers to malicious web sites. In current months, nonetheless, Infoblox found the malicious redirect solely occurs when the question for the misconfigured area comes from a customer who’s utilizing Cloudflare’s DNS resolvers (1.1.1.1), and that every one different guests will get a web page that refuses to load.
The researchers discovered that even variations on well-known authorities domains are being focused by malicious advert networks.
“When one among our researchers tried to report against the law to the FBI’s Web Crime Criticism Heart (IC3), they unintentionally visited ic3[.]org as an alternative of ic3[.]gov,” the report notes. “Their cellphone was rapidly redirected to a false ‘Drive Subscription Expired’ web page. They have been fortunate to obtain a rip-off; primarily based on what we’ve learnt, they might simply as simply obtain an info stealer or trojan malware.”
The Infoblox report emphasizes that the malicious exercise they tracked just isn’t attributed to any recognized get together, noting that the area parking or promoting platforms named within the research weren’t implicated within the malvertising they documented.
Nevertheless, the report concludes that whereas the parking firms declare to solely work with high advertisers, the site visitors to those domains was regularly bought to affiliate networks, who usually resold the site visitors to the purpose the place the ultimate advertiser had no enterprise relationship with the parking firms.
Infoblox additionally identified that current coverage modifications by Google could have inadvertently elevated the chance to customers from direct search abuse. Brunsdon stated Google Adsense beforehand defaulted to permitting their adverts to be positioned on parked pages, however that in early 2025 Google carried out a default setting that had their clients opt-out by default on presenting adverts on parked domains — requiring the particular person working the advert to voluntarily go into their settings and activate parking as a location.
