2 min read

Parked domains now feed scams and malware

A typo in a web address can now send users through hidden ad networks that funnel traffic into scams and malware, says Infoblox’s Renée Burton.

Image: TechRadar

A mistyped web address used to land users on a junk page full of ads. According to Dr. Renée Burton, Vice President of Threat Intel for Infoblox, that same mistake can now push users into a far more opaque system of redirects, auctions, scams, and malware.

Parked domains grew out of typosquatting: registering lookalike addresses to catch users who misspell popular sites. The model was simple. If even 0.1% of the millions visiting amazon[.]com accidentally reached amazn[.]com, the typo traffic could still generate useful ad revenue.

That older system was annoying but visible. Users could usually tell they had ended up on a sparse parked page and back out. Burton argues that the risk has changed because online advertising has changed. Tighter rules around traditional domain monetization have pushed bad actors toward zero-click advertising, also called direct search, where users are redirected instantly instead of seeing a parked page.

Recommended reading

AI won’t replace penetration testers just yet

How typo traffic gets monetized now

What looks like a simple typo can trigger a rapid bidding process in which traffic is bought and sold across multiple ad partners in fractions of a second. Somewhere in that chain, Burton says, legitimate advertising can give way to:

  • fraud
  • scams
  • malware distribution
  • fraudulent software

That path is hard to investigate because each broker, exchange, redirector, or cloaking service sees only part of the journey. Cloaking makes the problem worse by serving different content to different visitors based on factors such as location, browser, and operating system. A researcher might see a harmless page, while another target sees a credential-harvesting scam.

Why DNS is still the key trail

Burton says this abuse creates a blind spot for defenders because the route can change from one user to the next, and evidence may disappear before analysts can reproduce it. But every step still relies on the domain name system (DNS).

By examining historical DNS records and mapping relationships between domains over time, researchers can connect incidents that appear unrelated and identify shared parking providers, cloaking services, and traffic distribution infrastructure. That makes it possible to go beyond blocking one typo domain at a time and instead target the broader network behind the activity.

Burton’s warning is straightforward: the main risk is no longer the typo itself, but the assumption that the infrastructure behind it is harmless. Parked domains, once treated as little more than digital billboards, now offer threat actors access to trusted business models and large volumes of user traffic they can monetize at scale.

Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via TechRadar

// Keep reading