Parked web domains now pose major malware threat

Infoblox Threat Intel has warned that parked web domains are now a significant source of online risk, after research found that more than 90 per cent of visits to such sites redirect users to scams, malware and other malicious content.

The study indicates a sharp reversal in the threat profile of parked domains, which were once regarded as largely benign advertising pages sitting on unused or speculative web addresses.

Infoblox analysts conducted large-scale experiments on traffic to parked domains. They observed that the vast majority of visits no longer resulted in static ad pages. Instead, users were redirected almost immediately to other sites selected through advertising systems.

Many of those redirections led to scareware, fraud schemes, illegal content or malware delivery pages. The behaviour is tied to “direct search” or “zero-click” advertising models, which forward a visitor to an advertiser’s site automatically rather than waiting for a click on a visible advert.

This model means that a user who mistypes a web address or follows an outdated link can land on a parked domain and be forwarded on without any interaction. The user often sees no indication that an advertising system has intervened.

Infoblox said fraud protection measures on major domain parking platforms now play an unintended role in concealing malicious use. The company reported that these mechanisms filter and shape traffic in ways that make it harder for external security tools and researchers to observe the full range of redirects.

The research also links changes in Google’s advertising policies with a rise in user exposure to parked-domain threats. The details of the policy shifts were not disclosed, but Infoblox said the outcome has been an increase in the volume and impact of harmful redirects.

Infoblox described the current risk as a marked departure from past observations of parked domains.

“A decade ago, research showed that parked domains were mostly harmless and rarely more than digital clutter,” said Dr. Renée Burton, Vice President of Infoblox Threat Intel. “Today, our research shows they’ve become almost exclusively malicious. The transformation is stark: What was once internet background noise is now a largely unrecognised persistent and pervasive threat.”

Abused ad routes

The company’s findings focus on the role of direct search ad feeds that route traffic from parked domains. These feeds sit between domain owners and advertisers. They determine which destination a visitor sees and handle monetisation of each visit.

Infoblox said these mechanisms attract abuse by criminal groups that present themselves as advertisers. These groups buy traffic from domain parking portfolios and then serve scams or malware instead of legitimate commercial offers.

Once a user enters the ad-driven redirect chain, they may pass through several intermediate sites. Each step can load tracking code or scripts. This layered structure complicates incident analysis and makes it difficult for defenders to reconstruct the full path.
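The reconstruction problem described above is easier to see with a tool that walks a chain hop by hop. The following is an added example, not Infoblox's code or anything from the report: it follows HTTP 3xx, HTML meta-refresh and simple JavaScript location redirects, records how each hop was reached, and stops on a loop or a hop limit. The transport is a constructed in-memory table of responses standing in for real fetches, and every hostname in it is hypothetical.

```python
"""Walk a parked-domain redirect chain and record every hop (added example)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urljoin


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# Constructed sample responses on hypothetical hosts, not captured traffic.
# Shape: typo domain -> parking feed -> meta refresh -> JS hop -> tracker -> scareware page.
FAKE_WEB = {
    "http://examp1e-typo.test/": Response(302, {"Location": "https://feed.parking.test/r?d=examp1e-typo.test"}),
    "https://feed.parking.test/r?d=examp1e-typo.test": Response(
        200, {"Content-Type": "text/html"},
        '<html><head><meta http-equiv="refresh" content="0; url=/go/7f3"></head></html>'),
    "https://feed.parking.test/go/7f3": Response(
        200, {"Content-Type": "text/html"},
        '<script>window.location.href = "https://offer-tracker.test/click?id=7f3";</script>'),
    "https://offer-tracker.test/click?id=7f3": Response(301, {"Location": "https://your-pc-is-infected.test/warn.html"}),
    "https://your-pc-is-infected.test/warn.html": Response(200, {"Content-Type": "text/html"}, "<h1>Call now</h1>"),
}


def fetch(url):
    """Stand-in for an HTTP GET: look the URL up in the constructed table."""
    return FAKE_WEB.get(url, Response(404))


META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\']\s*\d+\s*;\s*url=([^"\'>]+)', re.I)
JS_LOCATION = re.compile(r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)


def next_hop(url, resp):
    """Return (kind, absolute target URL) for the redirect a response carries, or None."""
    if 300 <= resp.status < 400 and "Location" in resp.headers:
        return "http-%d" % resp.status, urljoin(url, resp.headers["Location"])
    m = META_REFRESH.search(resp.body)
    if m:
        return "meta-refresh", urljoin(url, m.group(1).strip())
    m = JS_LOCATION.search(resp.body)
    if m:
        return "js-location", urljoin(url, m.group(1))
    return None


def walk_chain(start, fetch=fetch, max_hops=10):
    """Follow redirects from `start` and return the ordered list of hops.

    Each hop records the URL, how it was reached ("via") and the status seen
    when it was fetched. Walking stops at a page with no further redirect, at
    a revisited URL (loop) or after max_hops.
    """
    hops = [{"url": start, "via": "start"}]
    seen = {start}
    url = start
    for _ in range(max_hops):
        resp = fetch(url)
        hops[-1]["status"] = resp.status
        nxt = next_hop(url, resp)
        if nxt is None:
            break
        kind, target = nxt
        if target in seen:
            hops.append({"url": target, "via": kind, "status": None, "note": "loop"})
            break
        seen.add(target)
        hops.append({"url": target, "via": kind})
        url = target
    else:
        hops[-1]["note"] = "max hops reached"
    return hops


if __name__ == "__main__":
    for i, h in enumerate(walk_chain("http://examp1e-typo.test/")):
        print(i, h["via"], h.get("status"), h["url"])
```

In practice the same walker is run with a real HTTP client, a browser-like User-Agent and the referrer set to the parked domain, because the ad feeds profile visitors and a bare script is often served a benign page; the hop record is what gets attached to an incident so the intermediate trackers are not lost.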

Domain portfolio operators

The research identifies three large domain portfolio holders, often referred to as “domainers”, at the centre of the activity. These operators control extensive collections of parked domains and feed their traffic into multiple advertising networks.

Infoblox said these domainers apply advanced tactics to maximise revenue from each visit. The tactics include detailed profiling of visitors, registration of lookalike domains that resemble popular brands, and harvesting of email that reaches those lookalike domains when a recipient’s address is mistyped.

The company also observed the use of unusual DNS techniques. These included so-called fast flux, in which the IP addresses returned for a domain are rotated at high frequency, typically behind short DNS TTLs. Rotation makes IP-based tracking and blocking less effective, and spreads traffic across a large pool of servers.
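A resolver-side view of that rotation is what a detection team would look for. The following is an added example, not Infoblox's code: it scores domains in passive-DNS style observations on the three indicators classic fast flux shows together (short TTL, many distinct answer IPs in a short window, and those IPs spread across many networks). The records are constructed, the domains hypothetical, and private 10.0.0.0/8 addresses stand in for public ones; a /24 is used as a crude stand-in for ASN lookup, which real tooling would use instead.

```python
"""Flag fast-flux-like resolution behaviour from DNS observations (added example)."""
from collections import defaultdict
from ipaddress import ip_network
from statistics import median

# Constructed observations: (seconds since start, qname, answer IP, TTL).
# "secure-login-update.test" rotates through nine addresses in nine /24s with a
# 60 s TTL; "static.cdn-example.test" also has a short TTL but stays inside one
# /24, like a CDN; "corp-site.test" is a single long-TTL address.
OBSERVATIONS = [
    (0, "secure-login-update.test", "10.1.1.5", 60),
    (60, "secure-login-update.test", "10.2.9.7", 60),
    (120, "secure-login-update.test", "10.3.4.12", 60),
    (180, "secure-login-update.test", "10.4.8.20", 60),
    (240, "secure-login-update.test", "10.5.0.3", 60),
    (300, "secure-login-update.test", "10.6.6.6", 60),
    (360, "secure-login-update.test", "10.7.7.1", 60),
    (420, "secure-login-update.test", "10.8.2.2", 60),
    (480, "secure-login-update.test", "10.9.9.9", 60),
    (540, "secure-login-update.test", "10.1.1.5", 60),
    (0, "static.cdn-example.test", "10.20.0.10", 60),
    (60, "static.cdn-example.test", "10.20.0.11", 60),
    (120, "static.cdn-example.test", "10.20.0.12", 60),
    (180, "static.cdn-example.test", "10.20.0.13", 60),
    (0, "corp-site.test", "10.30.1.1", 3600),
    (3600, "corp-site.test", "10.30.1.1", 3600),
]


def summarize(observations, window=600):
    """Per domain: distinct IPs, distinct /24s and median TTL within `window`
    seconds of the domain's first observation."""
    by_name = defaultdict(list)
    for t, qname, ip, ttl in observations:
        by_name[qname].append((t, ip, ttl))
    summary = {}
    for qname, recs in by_name.items():
        recs.sort()
        t0 = recs[0][0]
        in_window = [r for r in recs if r[0] - t0 <= window]
        ips = {r[1] for r in in_window}
        # /24 as an assumed stand-in for "different network"; use ASN data in practice.
        nets = {ip_network(ip + "/24", strict=False) for ip in ips}
        summary[qname] = {
            "records": len(in_window),
            "distinct_ips": len(ips),
            "distinct_nets": len(nets),
            "median_ttl": median(r[2] for r in in_window),
        }
    return summary


def is_fast_flux(stats, min_ips=6, min_nets=4, max_ttl=300):
    """All three indicators must hold; a short TTL alone is normal for CDNs."""
    return (stats["distinct_ips"] >= min_ips
            and stats["distinct_nets"] >= min_nets
            and stats["median_ttl"] <= max_ttl)


def flag_fast_flux(observations, **thresholds):
    """Return the sorted list of domains whose resolution pattern looks like fast flux."""
    return sorted(q for q, s in summarize(observations).items() if is_fast_flux(s, **thresholds))


if __name__ == "__main__":
    for qname, stats in summarize(OBSERVATIONS).items():
        print(qname, stats, "FLUX" if is_fast_flux(stats) else "")
```

The thresholds are deliberately conservative defaults to tune against a baseline of known-good domains; requiring network spread as well as IP count is what keeps load-balanced or CDN-fronted names out of the result.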

Infoblox reported that each of the three major portfolio holders appears to focus on different brands and demographics. The company said this diversity of targeting broadens the potential victim base and contributes to the difficulty of detection across different sectors.

Limited recourse

The report describes the wider parked-domain ecosystem as opaque. Domain registrars, parking platforms, ad networks, intermediaries and nominal advertisers all play a role in handling a single user’s visit.

Infoblox said this complexity leaves little visibility for end users, enterprises or regulators. It also fragments responsibility for abusive content and complicates the process of reporting and acting on such abuse.

The firm concluded that traditional assumptions about the safety of parked domains are now outdated. It said security teams and policy makers should treat traffic to these domains as a current and persistent threat rather than an ignorable side effect of internet infrastructure.

Burton said the trends observed in the research indicate that abuse of parked domains is likely to continue while current advertising and parking practices remain in place.

Source: https://itbrief.com.au/