Historically, when internet users attempted to visit an expired domain name or mistyped a popular website address, they would often land on a placeholder page hosted by a domain parking company. These companies aimed to monetize the errant traffic by displaying advertisements and links to various third-party websites that had paid for placement. A study conducted in 2014 by researchers at USENIX found that parked domains led to malicious sites less than five percent of the time, irrespective of whether the visitor clicked on any links on the parking page. That landscape has since changed drastically.
Infoblox’s recent research, conducted over several months through extensive experiments, indicates a stark reversal of this trend. Their findings suggest that malicious content is now the overwhelming norm for parked websites. "In large scale experiments, we found that over 90% of the time, visitors to a parked domain would be directed to illegal content, scams, scareware and anti-virus software subscriptions, or malware, as the ‘click’ was sold from the parking company to advertisers, who often resold that traffic to yet another party," Infoblox researchers detailed in a paper published today.
The security firm’s investigation also uncovered a peculiar characteristic of these malicious redirects: they are often contingent on the visitor’s connection type. Parked websites were found to be benign if the visitor accessed them using a Virtual Private Network (VPN) or through a non-residential Internet address. However, users connecting via a residential IP address were highly likely to be redirected. For instance, customers of Scotiabank who accidentally typed "scotaibank[.]com" instead of "Scotiabank.com" would encounter a standard parking page if they were using a VPN. Conversely, if they used a residential IP address on their mobile device or desktop computer, they would be immediately directed to a site pushing scams, malware, or other unwanted content. This redirection occurs simply by visiting the misspelled domain.
Infoblox identified a specific threat actor who owns "scotaibank[.]com" and manages a portfolio of nearly 3,000 lookalike domains. This extensive collection includes domains like "gmai[.]com," which has been configured with its own mail server. This means that if a user mistakenly omits the "l" from "gmail.com" when sending an email, their message doesn’t simply bounce; it is delivered directly to these scammers. The report highlights that this domain has been actively used in recent business email compromise (BEC) campaigns, often employing lures that suggest a failed payment and attach trojan malware.
Further analysis by Infoblox revealed that this particular domain owner, identified through the common DNS server "torresdns[.]com," has established typosquatting domains targeting dozens of prominent internet destinations. These include major platforms like Craigslist, YouTube, Google, Wikipedia, Netflix, TripAdvisor, Yahoo, eBay, and Microsoft. A sanitized list of these typosquatting domains, with dots replaced by commas for safety, is available for review.

David Brunsdon, a threat researcher at Infoblox, elaborated on the sophisticated redirection process. He explained that parked pages often route visitors through a chain of multiple redirects, with each hop involving profiling the visitor’s system. This profiling utilizes techniques such as IP geolocation, device fingerprinting, and cookies to determine the most effective redirection destination. "It was often a chain of redirects – one or two domains outside the parking company – before threat arrives," Brunsdon stated. "Each time in the handoff the device is profiled again and again, before being passed off to a malicious domain or else a decoy page like Amazon.com or Alibaba.com if they decide it’s not worth targeting."
Brunsdon also pointed out a disconnect between the claims of domain parking services and the reality of their operations. While these services assert that the search results on their parked pages are relevant to the parked domains, Infoblox’s tests found that almost none of the displayed content was related to the lookalike domain names under scrutiny.
Another actor identified by Infoblox is the owner of "domaincntrol[.]com," a domain that differs from GoDaddy’s name servers by a single character. This entity has historically exploited typos in DNS configurations to direct users to malicious websites. However, Infoblox observed a recent tactic where this malicious redirect only occurs when the query for the misconfigured domain originates from a visitor using Cloudflare’s DNS resolvers (1.1.1.1). All other visitors to such domains are presented with a page that refuses to load.
The researchers also discovered that even variations of well-known government domains are falling victim to malicious ad networks. In a concerning example, when an Infoblox researcher attempted to report a crime to the FBI’s Internet Crime Complaint Center (IC3), they inadvertently navigated to "ic3[.]org" instead of the correct "ic3[.]gov." Their device was promptly redirected to a deceptive "Drive Subscription Expired" page. The report emphasizes that while this instance resulted in a scam, the researcher could have just as easily been exposed to information-stealing malware or trojans, underscoring the severity of the threat.
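The lookalikes named above fall into three typo classes: an adjacent-character swap ("scotaibank"), a dropped character ("gmai", "domaincntrol") and a swapped top-level domain ("ic3[.]org"). The following sketch is an added example, not code from Infoblox or this article; it flags such names in DNS query logs, outbound mail recipients or NS delegation records. The `PROTECTED` list, the function names and the sample input are assumptions constructed from the domains the article mentions, and the registered domain is taken naively as the last two labels.

```python
# Added example: flag one-edit lookalikes of protected domains (defender-side check).
PROTECTED = ["scotiabank.com", "gmail.com", "domaincontrol.com", "ic3.gov"]  # assumed watch list

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent transposition."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[i + j if i == 0 or j == 0 else 0 for j in range(cols)] for i in range(rows)]
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # swapped neighbours
    return d[-1][-1]

def registered_parts(name):
    """Return (label, tld) from the last two labels; accepts defanged '[.]' input."""
    labels = name.replace("[.]", ".").lower().rstrip(".").split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else (labels[0], "")

def classify(name, protected=PROTECTED):
    """Return (protected_domain, reason) for a lookalike, or None."""
    label, tld = registered_parts(name)
    for good in protected:
        g_label, g_tld = registered_parts(good)
        if (label, tld) == (g_label, g_tld):
            return None  # the genuine domain or one of its subdomains
        if label == g_label:
            return good, "tld-swap"  # may also match a legitimate regional domain
        # Short labels are skipped: one edit on three characters matches too much.
        if tld == g_tld and len(g_label) >= 5 and osa_distance(label, g_label) == 1:
            return good, "one-edit typo"
    return None

def scan(names):
    """Map each flagged name to its verdict."""
    hits = {}
    for name in names:
        verdict = classify(name)
        if verdict:
            hits[name] = verdict
    return hits

# Constructed sample: query names plus one NS target, defanged as in the article.
SAMPLE = ["scotaibank[.]com", "gmai[.]com", "ns01.domaincntrol[.]com.",
          "ic3[.]org", "www.gmail.com", "example.net"]

if __name__ == "__main__":
    for name, (good, reason) in scan(SAMPLE).items():
        print(f"{name}: lookalike of {good} ({reason})")
```

Running the same check over the name server hosts in a zone's NS records catches the single-character delegation typo described for "domaincntrol[.]com" before it is published.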
Crucially, the Infoblox report highlights that the malicious activity they documented is not attributed to any single, known entity. The domain parking or advertising platforms named in the study were not found to be directly implicated in the malvertising activities. However, the report concludes that despite parking companies claiming to work only with reputable advertisers, the traffic directed to these domains was frequently sold to affiliate networks. These networks, in turn, often resold the traffic, leading to a situation where the ultimate advertiser had no direct relationship with the original parking companies, obscuring accountability.
Infoblox also noted that recent policy adjustments by Google may have inadvertently amplified the risk posed by direct search abuse. According to Brunsdon, Google AdSense previously allowed ads to be placed on parked pages by default. However, in early 2025, Google implemented a default setting that requires advertisers to opt-in to displaying ads on parked domains, shifting the onus onto the ad campaign manager to actively enable this placement. While intended to curb some forms of abuse, this change might also inadvertently encourage the use of parked domains for malicious purposes if not carefully managed by advertisers. The overall trend, however, remains clear: navigating the internet by typing domain names directly has become a significantly more perilous endeavor.

