Historically, landing on a parked domain presented a relatively low probability of encountering malicious content. Research conducted in 2014 indicated that less than five percent of parked domains would redirect users to harmful sites, irrespective of whether the visitor clicked on any links. However, Infoblox’s recent extensive experiments paint a starkly different picture. Their findings, detailed in a paper published today, demonstrate a complete reversal of this trend, with over 90% of visitors to parked domains being directed to illegal content, scams, scareware, fraudulent antivirus software subscriptions, or malware. This malicious redirection occurs because the traffic, or "click," is sold from the parking company to advertisers, who often further resell it to other parties down the line.

The security firm’s research highlights a sophisticated profiling process employed by these malicious operations. When users attempt to access expired domains or mistype popular website addresses (a practice known as "typosquatting"), they are often directed to a placeholder page managed by a domain parking company. These companies aim to monetize this errant traffic by displaying links to third-party websites that have paid for placement. However, the Infoblox study found that the actual destinations are far from benign.

A particularly concerning observation is the dynamic nature of these redirects. Infoblox researchers discovered that parked websites appear benign if a visitor accesses them using a Virtual Private Network (VPN) or from a non-residential Internet Protocol (IP) address. Conversely, visitors using a residential IP address, such as those common for home internet users, are immediately subjected to deceptive content. For instance, users who mistype "Scotiabank.com" as "scotaibank[.]com" might see a standard parking page if they are using a VPN. However, if they are using a residential IP address on a desktop or mobile device, they will be redirected to a site pushing scams, malware, or other unwanted material. This redirection happens simply by visiting the misspelled domain, without any user interaction beyond the initial navigation.

The scope of this malicious activity is substantial. Infoblox identified a single entity operating "scotaibank[.]com" who controls a portfolio of nearly 3,000 lookalike domains. This includes a domain like "gmai[.]com," which has been configured with its own mail server. This means that emails sent to a Gmail user with a typo, omitting the "l" from "gmail.com," are not lost or returned as undeliverable but are instead routed directly to these scammers. The report further notes that this domain has been implicated in numerous recent business email compromise (BEC) campaigns, often using lures related to failed payments, with trojan malware attached.

The domain holder responsible for "scotaibank[.]com," identified through a common DNS server ("torresdns[.]com"), has established typosquatting domains targeting a wide array of top internet destinations. This extensive list includes major platforms like Craigslist, YouTube, Google, Wikipedia, Netflix, TripAdvisor, Yahoo, eBay, and Microsoft. A sanitized list of these typosquatting domains, with the dots replaced by commas, has been made available.

David Brunsdon, a threat researcher at Infoblox, explained the complex redirection chain involved. Parked pages often send visitors through a series of redirects, with each hop involving profiling the visitor’s system. This profiling utilizes techniques such as IP geolocation, device fingerprinting, and cookies to determine the most opportune redirection path. "It was often a chain of redirects – one or two domains outside the parking company – before threat arrives," Brunsdon stated. "Each time in the handoff the device is profiled again and again, before being passed off to a malicious domain or else a decoy page like Amazon.com or Alibaba.com if they decide it’s not worth targeting." Brunsdon also pointed out that despite claims from domain parking services that their search results are relevant to the parked domains, the displayed content was rarely related to the actual lookalike domain names tested.

Another notable threat actor identified by Infoblox operates "domaincntrol[.]com," a domain that differs from GoDaddy’s name servers by a single character. This actor has historically exploited typos in DNS configurations to direct users to malicious websites. More recently, Infoblox observed that this malicious redirection now selectively targets visitors using Cloudflare’s DNS resolvers (1.1.1.1), while other visitors receive a page that refuses to load.

The malicious ad networks are not sparing even well-known government domains. In a striking example, researchers attempting to report a crime to the FBI’s Internet Crime Complaint Center (IC3) accidentally navigated to "ic3[.]org" instead of the legitimate "ic3[.]gov." Their mobile device was promptly redirected to a fake "Drive Subscription Expired" page. The report emphasizes that while this instance resulted in a scam, the same infrastructure could easily deliver information stealers or trojan malware.

A crucial aspect of Infoblox’s findings is that the observed malicious activity is not attributed to any specific, known perpetrator. The domain parking or advertising platforms mentioned in the study were not directly implicated in the documented malvertising campaigns. However, the report concludes that while parking companies often claim to work only with reputable advertisers, the traffic generated by these domains is frequently sold down a chain of affiliate networks, ultimately reaching advertisers with whom the parking companies have no direct relationship.

Infoblox also raised concerns that recent policy adjustments by Google may have inadvertently amplified the risks associated with direct search abuse. Brunsdon noted that while Google AdSense previously allowed ads to be placed on parked pages by default, early 2025 saw Google implement a default setting that requires customers to opt-in to present ads on parked domains. This change necessitates advertisers actively configuring their settings to enable parking as a placement option.