Parked Domains: The Hidden Danger of Expired Websites & Typos (2026)

Most Parked Domains Now Serving Malicious Content: A Growing Concern for Internet Users

Direct navigation, the act of manually typing a domain name into a web browser, has become a risky endeavor. A recent study reveals that the majority of parked domains, which include expired or dormant domain names, as well as common misspellings of popular websites, are now configured to redirect visitors to sites hosting scams and malware.

A striking example is the FBI Internet Crime Complaint Center's lookalike domain, which presented a non-threatening parking page to one user, while a mobile user in October 2025 was instantly directed to deceptive content. This highlights the potential dangers lurking behind seemingly innocuous domain names.

When users attempt to access expired domains or stumble upon typosquatting domains, they often encounter placeholder pages hosted by domain parking companies. These companies attempt to monetize this traffic by displaying links to third-party websites that have paid for their placement. A decade ago, the risk of being redirected to malicious sites from these parked domains was relatively low, with researchers finding that such redirects occurred less than 5% of the time, regardless of user interaction.

However, recent experiments conducted by security firm Infoblox have revealed a disturbing shift. Over 90% of the time, visitors to parked domains are now directed to illegal content, scams, scareware, anti-virus software subscriptions, or malware. This is because parking companies sell the 'click' to advertisers, who often resell the traffic to other parties, creating a chain of redirects that can lead to malicious destinations.

Infoblox's research also uncovered the impact of IP addresses. When visitors arrive at parked sites using a virtual private network (VPN) or non-residential Internet address, they encounter benign content. However, those using residential IP addresses are at risk of being redirected to scam sites, malware, or other unwanted content. This vulnerability affects both mobile devices and desktop computers.

The study also highlighted the activities of domain holders such as scotaibank[.]com, which owns a vast portfolio of lookalike domains, including gmai[.]com, which is configured with its own mail server. This setup enables scammers to intercept emails meant for Gmail users when the sender accidentally omits a character from the domain name. Moreover, these domains have been linked to business email compromise campaigns, further emphasizing the potential for harm.

Infoblox's investigation revealed that domain holder torresdns[.]com has set up typosquatting domains targeting major internet destinations. The report provides a list of these domains, showcasing the extent of the threat. David Brunsdon, a threat researcher at Infoblox, explained that parked pages employ a series of redirects, profiling visitors' systems using IP geolocation, device fingerprinting, and cookies to determine the final destination.

Interestingly, Infoblox discovered that a different threat actor, domaincntrol[.]com, only initiates malicious redirects when visitors use Cloudflare's DNS resolvers (1.1.1.1). This finding highlights the complexity of the issue and the need for users to be vigilant.

The report also addressed the targeting of well-known government domains by malicious ad networks. When a researcher attempted to report a crime to the FBI's Internet Crime Complaint Center (IC3), their phone was redirected to a false 'Drive Subscription Expired' page, which could have led to more severe consequences.

Infoblox's findings emphasize that the malicious activity is not attributed to any known party, and the domain parking or advertising platforms were not implicated in the documented malvertising. However, the report concludes that parking companies' claims of working with top advertisers may be misleading, as traffic is frequently sold to affiliate networks, creating a complex chain of reselling that can lead to unintended consequences.

Furthermore, Infoblox suggests that Google's recent policy changes may have inadvertently increased the risk to users from direct search abuse. Google AdSense's default setting, which allowed ads on parked pages, has been modified to require users to opt in to presenting ads on such domains.

In summary, the study highlights the growing threat of malicious content on parked domains, the role a visitor's IP address plays in what they are served, and the complex network of redirects and reselling that can lead to harmful outcomes for unsuspecting internet users.

Author: Madonna Wisozk
