The Typosquat Trap: Why 90% of Parked Domains Now Redirect to Malware
Direct navigation—when a user manually types a website address into the browser—has become markedly more dangerous. Researchers at Infoblox have found that the vast majority of “parked” domains are now configured to automatically funnel visitors toward fraudulent pages and malware-laden sites. These include expired or idle domains, as well as typo variants of popular addresses—the very traps users stumble into through a moment’s inattention.
Typically, a visitor landing on such a domain would expect to see a neutral parking-page placeholder: a collection of links designed to monetize stray traffic by selling clicks to advertisers. Yet, as the study’s authors note, the risk landscape has shifted dramatically. A decade ago, the threat was comparatively modest: a 2014 study showed that fewer than 5% of parked domains redirected users to malicious resources—and even then, without requiring any clicks on the page itself.
According to Infoblox, that balance has since inverted. In a series of experiments conducted over recent months, researchers observed that in more than 90% of cases, merely visiting a parked domain resulted in redirection to illicit content, scam schemes, scareware, coercive “antivirus” subscriptions, or outright malware distribution pages. The “click” itself is sold by the parking company to advertisers, who often resell the traffic further along a chain whose final destination can be virtually anyone.
One particularly striking detail is that behavior varies sharply depending on how the domain is accessed. Infoblox reports that parked sites may appear harmless when visited via a VPN or from a non-residential IP address. By contrast, from a typical home connection—on a phone or personal computer—the redirect to suspicious content can trigger instantly, simply because the user mistyped an address.
As an illustration, researchers cite the domain scotaibank[.]com, easily mistaken for Scotiabank’s legitimate site. When accessed through a VPN, it displays a standard parking page; from a residential IP, however, it redirects to content attempting to push scams, malware, or other unwanted “offers.” Infoblox notes that the owner of this domain controls a portfolio of nearly 3,000 similar addresses. Among them is gmai[.]com, which, according to the report, is configured with its own mail server to receive incoming messages. In other words, if a sender accidentally omits the “l” in gmail.com, the email does not bounce—it is delivered directly to that domain. Researchers add that gmai[.]com has appeared in several recent business email compromise campaigns, where a lure about a failed payment concealed a trojan in the attachment.
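A defender-side check for the misaddressed-mail and lookalike-domain problem described above (an added example, not Infoblox's code or any tool named in the report): it flags domains that are one edit away from a domain you protect, using a small Damerau-Levenshtein (optimal string alignment) distance so that the scotaibank transposition counts as a single edit, and it separately catches the same label under a different TLD (ic3.org versus ic3.gov). The PROTECTED set, the naive label/TLD split and the sample addresses are assumptions constructed for illustration.

```python
# Added example: flag recipient or typed domains that sit one slip away from a
# protected domain. Not code from the Infoblox report; PROTECTED is constructed.
from typing import Optional

PROTECTED = {"gmail.com", "scotiabank.com", "domaincontrol.com", "ic3.gov"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # Adjacent transposition (e.g. "ia" -> "ai") counts as one edit.
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def split_domain(domain: str) -> tuple:
    """Return (label, tld). Naive split on the last dot; no public-suffix list (assumption)."""
    label, _, tld = domain.lower().strip(".").rpartition(".")
    return label, tld


def lookalike_of(domain: str, protected=PROTECTED, max_edits: int = 1) -> Optional[str]:
    """Return the protected domain this one resembles, or None if exact or unrelated."""
    domain = domain.lower()
    if domain in protected:
        return None
    label, tld = split_domain(domain)
    for good in protected:
        good_label, good_tld = split_domain(good)
        if label == good_label and tld != good_tld:  # same label, wrong TLD
            return good
        if tld == good_tld and osa_distance(label, good_label) <= max_edits:
            return good
    return None


def flag_recipients(addresses: list) -> dict:
    """Map each risky address to the protected domain its domain part resembles."""
    flagged = {}
    for addr in addresses:
        hit = lookalike_of(addr.rpartition("@")[2])
        if hit:
            flagged[addr] = hit
    return flagged
```

Run `flag_recipients` over an outbound recipient list (or `lookalike_of` over DNS query logs) to surface the gmai.com-style slips before the message or the browser ever reaches the typo domain.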
The authors link parts of this infrastructure through a shared DNS server, torresdns[.]com, and report that such domains target dozens of well-known services—from Craigslist and YouTube to Google, Wikipedia, Netflix, TripAdvisor, Yahoo, eBay, and Microsoft. According to Infoblox threat researcher David Bransdon, visitors are pushed through chains of redirects while their devices are quietly profiled using IP geolocation, browser and device fingerprinting, and cookies. Often, the redirect passes through one or two intermediary domains outside the parking provider’s control, with the visitor’s profile refined at each step before they are finally sent to a malicious site—or, if the attack is deemed “unprofitable,” diverted to a decoy such as Amazon or Alibaba.
The report also highlights another actor associated with the domain domaincntrol[.]com, which differs from GoDaddy’s name servers by just a single character and has long exploited DNS typos to siphon traffic toward malicious destinations. In recent months, Infoblox observed that the malicious redirect activated only when requests came from users relying on Cloudflare’s DNS resolvers (1.1.1.1); for others, the page simply failed to load.
Brands are not the only targets; addresses that are “almost governmental” are at risk too. The report recounts a case in which a researcher attempted to report a crime to the FBI’s Internet Crime Complaint Center (IC3) but mistakenly opened ic3[.]org instead of ic3[.]gov—only to be swiftly redirected on a phone to a fake page warning of an “expired Drive subscription.” The authors stress that the individual was fortunate to encounter a scam page rather than malware such as an infostealer or trojan.
Infoblox emphasizes that the malicious activity observed has not been attributed to any known threat group, and the parking services and advertising platforms mentioned in the study are not accused of deliberately orchestrating the documented malvertising. Nonetheless, the report’s conclusion is unsettling: although parking companies claim to work only with major advertisers, in practice traffic is frequently routed through partner networks and resold to such an extent that the ultimate “advertiser” may have no direct relationship with the parking provider at all.
Finally, Infoblox draws attention to recent changes in Google policy that, in the researchers’ view, may have inadvertently increased user risk. Bransdon notes that Google AdSense previously allowed ads on parked pages by default, but in early 2025 Google introduced a setting that disables advertising on parked domains unless publishers explicitly opt in—requiring those who wish to monetize such pages to manually enable parking as an ad placement.