The Rise of Typosquatting and Malvertising
Direct navigation, the act of visiting a website by manually typing a domain name in a web browser, has never been riskier. According to a new study published today by Infoblox, the majority of parked domains are now configured to redirect visitors to sites that serve scams, malware, and other unwanted content.
Back in Time
A decade ago, ending up at one of these parked domains came with a relatively small chance of being redirected to a malicious destination. In 2014, researchers found that parked domains redirected users to malicious sites less than five percent of the time.
Present Day
Infoblox’s experiments show that malicious content is now far more common on parked websites. Over 90% of visitors to parked domains are directed to illegal content, scams, scareware, and malware as the click is sold from the parking company to advertisers.
The Typosquatting Threat
Infoblox found that parked websites are benign if the visitor arrives at the site using a virtual private network (VPN) or else via a non-residential Internet address. For example, Scotiabank.com customers who accidentally mistype the domain as scotaibank[.]com will see a normal parking page if they’re using a VPN, but will be redirected to a site that tries to foist scams, malware, or other unwanted content if coming from a residential IP address.
The Domain Ownership
The person or entity that owns scotaibank[.]com has a portfolio of nearly 3,000 lookalike domains. One such domain is gmai[.]com, which demonstrably has been configured with its own mail server for accepting incoming email messages. If you send an email to a Gmail user and accidentally omit the ‘l’ from ‘gmail.com’, that missive doesn’t just disappear into the ether or produce a bounce reply: It goes straight to these scammers.
The Redirect Chain
Infoblox found that parked pages send visitors through a chain of redirects, all while profiling the visitor’s system using IP geolocation, device fingerprinting, and cookies to determine where to redirect them. This chain can include one or two domains outside the parking company before the threat arrives.
The Impact on Users
When one of Infoblox’s researchers tried to report a crime to the FBI’s Internet Crime Complaint Center (IC3), they accidentally visited ic3[.]org instead of ic3[.]gov. Their phone was quickly redirected to a false ‘Drive Subscription Expired’ page. They were lucky to receive a scam; based on what we’ve learnt, they could just as easily receive an information stealer or trojan malware.
The Implications for Cybersecurity
Infoblox’s findings emphasize that the malicious activity they tracked is not attributed to any known party. The parking companies claim to only work with top advertisers, but the traffic to these domains was frequently sold to affiliate networks, who often resold the traffic to the point where the final advertiser had no business relationship with the parking companies.
Google’s Role in the Change
Infoblox also pointed out that recent policy changes by Google may have inadvertently increased the risk to users from direct search abuse. Google AdSense previously allowed its ads to be placed on parked pages by default, but in early 2025 Google changed the default so that its customers are opted out.




