December 16, 2025

Direct navigation — the act of visiting a website by manually typing a domain name in a web browser — has never been riskier: A new study finds the vast majority of “parked” domains — mostly expired or dormant domain names, or common misspellings of popular websites — are now configured to redirect visitors to sites that foist scams and malware.

A lookalike domain to the FBI Internet Crime Complaint Center website returned a non-threatening parking page (left), whereas a mobile user was instantly directed to deceptive content in October 2025 (right). Image: Infoblox.

When Internet users try to visit expired domain names or accidentally navigate to a lookalike “typosquatting” domain, they are typically brought to a placeholder page at a domain parking company that tries to monetize the wayward traffic by displaying links to a number of third-party websites that have paid to have their links shown.

A decade ago, ending up at one of these parked domains came with a relatively small chance of being redirected to a malicious destination: In 2014, researchers found (PDF) that parked domains redirected users to malicious sites less than five percent of the time — regardless of whether the visitor clicked on any links at the parked page.

But in a series of experiments over the past few months, researchers at the security firm Infoblox say they discovered the situation is now reversed, and that malicious content is by far the norm now for parked websites.

“In large scale experiments, we found that over 90% of the time, visitors to a parked domain would be directed to illegal content, scams, scareware and anti-virus software subscriptions, or malware, as the ‘click’ was sold from the parking company to advertisers, who often resold that traffic to yet another party,” Infoblox researchers wrote in a paper published today.

Infoblox found the parked sites behave benignly when the visitor arrives through a virtual private network (VPN) or from some other non-residential Internet address. For example, Scotiabank.com customers who accidentally mistype the domain as scotaibank[.]com will see a normal parking page if they are using a VPN, but will be redirected to a site that tries to foist scams, malware or other unwanted content if they arrive from a residential IP address. No click is required: the redirect happens simply by visiting the misspelled domain from a mobile device or desktop computer that is using a residential IP address.

According to Infoblox, the person or entity that owns scotaibank[.]com has a portfolio of nearly 3,000 lookalike domains, including gmai[.]com, which has been configured with its own mail server for accepting incoming email messages. Meaning, if you send an email to a Gmail user and accidentally omit the “l” from “gmail.com,” that missive doesn’t just disappear into the ether or produce a bounce reply: It goes straight to these scammers. The report notes this domain also has been leveraged in multiple recent business email compromise campaigns, using a lure about a failed payment with trojan malware attached.

Infoblox found this particular domain holder (identified by a name server the domains share, torresdns[.]com) has set up typosquatting domains targeting dozens of top Internet destinations, including Craigslist, YouTube, Google, Wikipedia, Netflix, TripAdvisor, Yahoo, eBay, and Microsoft. A defanged list of these typosquatting domains is available here (the dots in the listed domains have been replaced with commas).

David Brunsdon, a threat researcher at Infoblox, said the parked pages send visitors through a chain of redirects, all while profiling the visitor’s system using IP geolocation, device fingerprinting, and cookies to determine where to redirect domain visitors.

“It was often a chain of redirects — one or two domains outside the parking company — before threat arrives,” Brunsdon said. “Each time in the handoff the device is profiled again and again, before being passed off to a malicious domain or else a decoy page like Amazon.com or Alibaba.com if they decide it’s not worth targeting.”

Brunsdon said domain parking services claim the search results they return on parked pages are designed to be relevant to their parked domains, but that almost none of this displayed content was related to the lookalike domain names they tested.

Samples of redirection paths when visiting scotaibank dot com. Each branch includes a series of domains observed, including the color-coded landing page. Image: Infoblox.
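To see a chain like the one in the figure for yourself, you have to stop the browser from hiding it: a normal fetch follows every redirect and shows only the landing page. The script below is an added example, not Infoblox’s tooling. It requests each hop with redirects disabled, carries forward the cookies each hop sets (the profiling Brunsdon describes often rides on them), and also catches the meta-refresh and JavaScript `location` redirects that affiliate pages use instead of a plain 3xx. The hostnames in the sample chain are made up so the script runs offline; the mobile User-Agent string is an assumption.

```python
# Added example (not Infoblox's tooling): walk a redirect chain one hop at a
# time, keeping the cookies each hop sets, so every handoff is recorded
# instead of only the landing page a browser would show. The sample chain
# below is constructed for offline use; the hostnames in it are made up.
import http.client
import re
import urllib.parse

MAX_HOPS = 10
# A residential-looking mobile browser, since the report says mobile and
# residential visitors get the malicious branch. Header values are assumed.
MOBILE_UA = ("Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/131.0 Mobile Safari/537.36")

# Heuristics for client-side redirects that are not plain 3xx responses.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.IGNORECASE)
JS_LOCATION = re.compile(
    r'(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']'
    r'|location\.(?:replace|assign)\(\s*["\']([^"\']+)["\']\s*\)',
    re.IGNORECASE)


def fetch_no_follow(url, cookies=None, user_agent=MOBILE_UA, timeout=10):
    """One GET with redirects disabled: (status, Location header, Set-Cookie header, body)."""
    p = urllib.parse.urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.hostname, p.port, timeout=timeout)
    path = (p.path or "/") + ("?" + p.query if p.query else "")
    headers = {"User-Agent": user_agent, "Accept": "text/html,*/*;q=0.8"}
    if cookies:
        headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in cookies.items())
    try:
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        body = resp.read(65536).decode("utf-8", "replace")
        return resp.status, resp.getheader("Location"), resp.getheader("Set-Cookie"), body
    finally:
        conn.close()


def next_hop(status, location, body, current_url):
    """Where this response sends the browser next, or None for a landing page."""
    target = None
    if 300 <= status < 400 and location:
        target = location
    else:
        m = META_REFRESH.search(body) or JS_LOCATION.search(body)
        if m:
            target = next(g for g in m.groups() if g)
    return urllib.parse.urljoin(current_url, target.strip()) if target else None


def walk_redirects(start_url, fetch=fetch_no_follow, max_hops=MAX_HOPS):
    """List of (url, status) for every hop, ending at the landing page or at max_hops."""
    hops, cookies, url = [], {}, start_url
    while url and len(hops) < max_hops:
        status, location, set_cookie, body = fetch(url, cookies=cookies)
        hops.append((url, status))
        if set_cookie:  # keep name=value so the next hop sees the profiling cookie
            name, _, value = set_cookie.split(";", 1)[0].partition("=")
            cookies[name.strip()] = value.strip()
        url = next_hop(status, location, body, url)
    return hops


def hosts_in_chain(hops):
    """Distinct hostnames in order: how many parties handled the visit."""
    seen = []
    for url, _ in hops:
        host = urllib.parse.urlsplit(url).hostname
        if host and host not in seen:
            seen.append(host)
    return seen


# Constructed offline stand-in for a parking -> affiliate -> affiliate -> landing chain.
SAMPLE_CHAIN = {
    "http://parked.example/": (302, "https://aff1.example/click?id=1", "vid=abc; Path=/", ""),
    "https://aff1.example/click?id=1": (200, None, None,
        '<meta http-equiv="refresh" content="0;url=https://aff2.example/go">'),
    "https://aff2.example/go": (200, None, None,
        '<script>window.location.href = "https://landing.example/expired";</script>'),
    "https://landing.example/expired": (200, None, None, "<h1>Drive Subscription Expired</h1>"),
}
SAMPLE_CALLS = []  # (url, cookies sent) per request, to show cookie carry-over


def sample_fetch(url, cookies=None, **_):
    SAMPLE_CALLS.append((url, dict(cookies or {})))
    return SAMPLE_CHAIN[url]


if __name__ == "__main__":
    for url, status in walk_redirects("http://parked.example/", fetch=sample_fetch):
        print(status, url)
    # Against a live domain: walk_redirects("http://<typo-domain>/") from a disposable VM.
```

Run it against a real typo domain only from a throwaway machine on a residential connection, because the last hop is exactly the page the report warns about. Compare the hop list from a residential address with the one from a VPN or cloud host; the difference is the traffic profiling the researchers describe.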

Infoblox said a different threat actor who owns domaincntrol[.]com — a domain that differs from GoDaddy’s name servers by a single character — has long taken advantage of typos in DNS configurations to drive users to malicious websites. In recent months, however, Infoblox discovered the malicious redirect only happens when the query for the misconfigured domain comes from a visitor who is using Cloudflare’s DNS resolvers (1.1.1.1), and that all other visitors will get a page that refuses to load.

The researchers found that even variations on well-known government domains are being targeted by malicious ad networks.

“When one of our researchers tried to report a crime to the FBI’s Internet Crime Complaint Center (IC3), they accidentally visited ic3[.]org instead of ic3[.]gov,” the report notes. “Their phone was quickly redirected to a false ‘Drive Subscription Expired’ page. They were lucky to receive a scam; based on what we’ve learnt, they could just as easily receive an information stealer or trojan malware.”
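The typos in this story are all single-keystroke slips: a dropped letter (gmai[.]com), two transposed letters (scotaibank[.]com), the wrong top-level domain (ic3[.]org for ic3[.]gov) and a missing “o” in a name-server hostname (domaincntrol[.]com). That makes them enumerable, which is useful in both directions: a brand can generate its own lookalikes to register or monitor, and an administrator can check that the NS records in a zone really point at the provider intended. The script below is an added example, not Infoblox’s method. The list of known provider name-server suffixes is an assumption to extend for your own providers (domaincontrol.com is GoDaddy’s, as noted above), and the zone data in the demo is constructed.

```python
# Added example, not Infoblox's method: enumerate the single-keystroke
# lookalikes of a domain, then audit a zone's NS records for the same kind
# of slip in a provider's name-server hostname. Inputs below are constructed.

# Provider name-server suffixes treated as known-good; extend for your own
# providers. domaincontrol.com is GoDaddy's; cloudflare.com is included as
# a second common one. Both are assumptions for illustration.
KNOWN_NS_SUFFIXES = ("domaincontrol.com", "cloudflare.com")
COMMON_TLDS = ("com", "net", "org", "co")


def levenshtein(a, b):
    """Edit distance: one keystroke of difference is distance 1 (a transposition is 2)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typo_variants(domain):
    """Lookalikes a typist produces for a second-level domain:
    dropped letter, swapped neighbours, doubled letter, wrong TLD."""
    label, _, tld = domain.lower().rpartition(".")
    out = set()
    for i in range(len(label)):
        if len(label) > 1:
            out.add(f"{label[:i]}{label[i + 1:]}.{tld}")             # gmail -> gmai
        out.add(f"{label[:i]}{label[i] * 2}{label[i + 1:]}.{tld}")    # gmail -> gmaiil
    for i in range(len(label) - 1):
        swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]  # scotiabank -> scotaibank
        out.add(f"{swapped}.{tld}")
    for t in COMMON_TLDS:
        if t != tld:
            out.add(f"{label}.{t}")                                    # ic3.gov -> ic3.org
    out.discard(domain.lower())
    return sorted(out)


def registrable(hostname):
    """Last two labels of a hostname (fine for .com/.net; ccTLDs like .co.uk need a suffix list)."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def audit_nameservers(ns_records, known=KNOWN_NS_SUFFIXES, max_distance=2):
    """Classify each NS hostname as known, a lookalike of a known provider, or unknown."""
    findings = []
    for ns in ns_records:
        suffix = registrable(ns)
        if suffix in known:
            findings.append((ns, "known", suffix))
            continue
        dist, nearest = min((levenshtein(suffix, k), k) for k in known)
        if dist <= max_distance:
            findings.append((ns, "lookalike", nearest))  # e.g. domaincntrol.com vs domaincontrol.com
        else:
            findings.append((ns, "unknown", None))
    return findings


def group_by_nameserver(zone_ns):
    """Pivot domain -> NS list into NS suffix -> domains: the shared-name-server
    signal that tied the scotaibank[.]com portfolio together."""
    groups = {}
    for domain, servers in zone_ns.items():
        for ns in servers:
            groups.setdefault(registrable(ns), set()).add(domain)
    return groups


if __name__ == "__main__":
    print(typo_variants("scotiabank.com")[:10])
    # Constructed zone data; these NS names are made up apart from domaincontrol.com.
    print(audit_nameservers(["ns01.domaincntrol.com", "ns02.domaincontrol.com", "ns1.registrar.example"]))
    print(group_by_nameserver({"gmai.example": ["ns1.shared-ns.example"],
                               "scotaibank.example": ["ns1.shared-ns.example"]}))
```

Feed `audit_nameservers` the NS records from `dig NS yourdomain` and treat any “lookalike” verdict as a misconfiguration to fix today, since the domaincntrol[.]com case shows someone is already waiting for that traffic. The variant list is deliberately limited to one-keystroke errors; homoglyphs and keyboard-adjacent substitutions are a separate, larger set.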

The Infoblox report emphasizes that the malicious activity they tracked is not attributed to any known party, noting that the domain parking or advertising platforms named in the study were not implicated in the malvertising they documented.

However, the report concludes that while the parking companies claim to only work with top advertisers, the traffic to these domains was frequently sold to affiliate networks, who often resold the traffic to the point where the final advertiser had no business relationship with the parking companies.

Infoblox also pointed out that a recent policy change by Google may have inadvertently increased the risk to users from what the parking industry calls “direct search,” in which the parked page redirects the visitor straight to whichever advertiser bid the most for the traffic instead of displaying a page of ad links. Brunsdon said Google AdSense previously allowed its ads on parked pages by default, but that in early 2025 Google changed the default so advertisers are opted out of parked domains; an advertiser who wants its ads shown on parked pages now has to go into the account settings and turn on parked domains as a placement.


19 thoughts on “Most Parked Domains Now Serving Malicious Content”

  1. Muffin

    Could you give us non-techy people suggestions on how to avoid these parked domains?
    Use your favorites to get to sites you often use?
    Use a VPN?
    Anything else?

    Reply
    1. BrianKrebs Post author

      I’m not one of those people who urges everyone to use a VPN for everything, mainly because most VPN providers are trash. But in this case it obviously would help. So would relying on bookmarks for important/frequently visited sites.

      Reply
    2. Michael Jones

      Using a password manager can help too! It stores the web site so first I open the password manager then use that to launch a known good site and then my password can be entered with no chance of a typo.

      Reply
      1. mealy

        And a relatively small but not infinitesimal chance of the pw manager itself being rooted…

        Reply
  2. Ace

    One should be careful what he types. Typing directly into the browser still is THE most secure way to visit the websites. Following links is not, by far.

    Reply
    1. Moike

      > Typing directly into the browser still is THE most secure way

      Direct typing does not address the problem of typo squatting on similar domain names. Saying “Be careful” ignores real life where you’re distracted and in a hurry. Carefully type and double check, then use the browser’s bookmark feature.

      Reply
    2. Brian Fiori (AKA The Dean)

      Not for me. I’m dyslexic and often transpose letters. When I reread them, they can look fine to me. A trusted bookmark has always been my best bet. That and good browser security. Malwarebytes Browser Guard has been my go-to for several years.

      Reply
  3. Louie Cordovado

    I have BitDefender anti-virus and when I visit one of these parked sites I at least get a warning that it is a phishing page.

    Reply
    1. mealy

      There are browser plugins from malwarebytes and bitdefender and eset and others, all free, which do exactly that. You don’t have to have the full subscription product, they are standalone.

      Reply
  4. DelilahTheSober

    Recently I have had this experience multiple times while using Google or Chrome on either my desktop PC or on my iPhone. After typing the name of the corporate or retail website that I wanted to visit, Google would offer up a list of choices that included fake websites that were located at the very top of the list of page offerings. As a very advanced and educated computer tech, I can quickly spot the fakes but I am positive that many other people do not possess my level of knowledge and skills.

    Reply
  5. Furkan Uysal

    First time testing NextDNS ‘Block Parked Domains’ and scotaibank[.]com still loaded at home. On Browserling I just got a normal parked page. Guess I can’t really rely on that feature alone…

    Reply
  6. Tom Welsh

    Is there no authority that can investigate such obviously ill-intentioned practices?

    Reply
    1. mealy

      That’s exactly what I was thinking, ‘there ought to be a law’… robots can easily find sites serving up malware and hosts can easily be pressured as locally applicable to take them down. Why isn’t that the norm, instead of the MAJORITY of such sites serving up whatever they want with hardly an official notice? Put even a small bounty on such activities and someone can make a tidy profit from cleaning the public pool that is our web.

      Reply
  7. cls

    Ooh ooh, I know! Let’s add checksum digits to every domain name, to detect bad names. Just like the last 4 on a credit card number. Or like should be added to Social Security Numbers.

    Reply
  8. Daniel Saner

    This section confused me:
    “Google may have inadvertently increased the risk to users from direct search abuse. […] in early 2025 Google implemented a default setting that had their customers opt-out by default on presenting ads on parked domains”

    It didn’t seem obvious to me how this would lead to an increased risk, and the term direct search wasn’t introduced in the article.

    In case anyone else did a double take on that paragraph, here’s what I gathered from the source: Google ads are a major revenue stream for many owners of parked domains, and this new default setting drastically reduces the ads they get to show. In response, many domain owners/squatters switched to a model called direct search, in which visitors are redirected to a highest-bidder site, a model which is more susceptible to scam and malware referrals than Google ads. So the risk increase here is indirect, by nudging owners of parked domains towards relatively more abuse-prone monetisation options.

    Reply
  9. J

    OpnSense firewalls have optional Zenarmor security that includes blocking parked domains. Occasionally it misidentifies a domain as parked when it’s really part of a legit process’s infrastructure. You can add such a domain to the “allow list” and contact the legit service to tell them so they can hopefully address it. But I haven’t had to do that more than 2 or 3 times. How do you know when it happens? You can’t reach a site or an app doesn’t work, then you look at Zenarmor in the firewall.

    Zenarmor has a home-user $99/year plan (I use it) and a small business $540/yr plan (a client uses it).

    OpnSense is open source software you can install on a wide variety of hardware of your choice or you can buy a complete OpnSense firewall from various sources including shop.opnsense.com.

    Before the tariff stupidity, I bought the Dutch-made DEC 850 and run it with the “community” free version of software, and I pay Zenarmor $99/yr for a personal subscription. I also replaced a small business’s SonicWall firewall with a DEC 850.

    OpnSense also includes Wireguard VPN instead of the old perpetually vulnerable SSLVPN and similarly exploited VPN included with SonicWall firewalls (though SonicWall VPN server products offer WireGuard also).

    OpnSense is based on FreeBSD UNIX and split from pfSense years ago. It’s vastly superior in my experience struggling with pfSense.

    Zenarmor runs on lots of different hardware but I’ve only used it in OpnSense. According to its doc, it runs on OPNsense, FreeBSD, Ubuntu Linux, OpenWRT, Debian Linux and pfSense.

    Note that you can install free OpenWRT in your low-cost router to replace its shaky operating system. Then you can run Zenarmor.

    Remember, though, that the more security stuff you enable in your firewall, the more it slows internet traffic, as it’s processing everything as it comes in, unless it’s powerful enough to handle everything without decreasing your internet traffic speed.

    When choosing hardware for a firewall, make sure to read its throughput rate when under heavy security load and VPN load, not just its general throughput. E.g., its specs might show it handles 17 gbps throughput, all right! but only 2.5 gbps “threat protection throughput” and 2 gbps for IPSec VPN. That’s still good and overkill for a 1gbps internet connection but if you have 10gbps, that’s not fast enough. Just look for the slowest X gbps throughput in the specs instead of the fastest.

    You’ll find this out the hard way like I did when you turn on lots of cool firewall security features then watch your internet speed fall unless your firewall’s got enough power.

    Reply
