Manually typing a domain name into a web browser, known as direct navigation, has become increasingly risky. A new study indicates that the vast majority of “parked” domains—which are often expired or dormant domain names, or common misspellings of popular websites—are now set up to redirect visitors to sites promoting scams and malware.
A lookalike domain to the FBI Internet Crime Complaint Center website, returned a non-threatening parking page (left) whereas a mobile user was instantly directed to deceptive content in October 2025 (right). Image: Infoblox.
When internet users attempt to visit expired domain names or accidentally navigate to a lookalike “typosquatting” domain, they typically land on a placeholder page managed by a domain parking company. These companies aim to monetize the traffic by displaying links to various third-party websites that have paid for visibility.
A decade ago, encountering one of these parked domains carried a relatively low risk of being redirected to a malicious destination. In 2014, researchers found (PDF) that parked domains redirected users to malicious sites less than five percent of the time, regardless of whether any links on the parked page were clicked.
However, recent experiments conducted by the security firm Infoblox reveal a complete reversal of this situation, with malicious content now being the predominant outcome for parked websites.
Infoblox researchers stated in a published paper that their large-scale experiments showed over 90% of the time, visitors to a parked domain were directed to illegal content, scams, scareware, antivirus software subscriptions, or malware. This occurs as the ‘click’ is sold from the parking company to advertisers, who frequently resell that traffic to additional parties.
Infoblox discovered that parked websites often appear benign if the visitor uses a virtual private network (VPN) or a non-residential internet address. For example, a Scotiabank.com customer who mistakenly types scotaibank[.]com will see a standard parking page when using a VPN. However, if accessing from a residential IP address, the user will be redirected to a site attempting to deliver scams, malware, or other unwanted content. This redirection happens simply by visiting the misspelled domain on a mobile device or desktop computer with a residential IP.
According to Infoblox, the owner of scotaibank[.]com manages a portfolio of nearly 3,000 lookalike domains, including gmai[.]com. This particular domain has been configured with its own mail server to accept incoming email messages. This means an email sent to a Gmail user that accidentally omits the ‘l’ from ‘gmail.com’ will not disappear or bounce, but instead go directly to these scammers. The report also notes that this domain has been used in multiple recent business email compromise campaigns, often with lures indicating a failed payment and attaching trojan malware.
Infoblox identified that this specific domain holder, identifiable by a common DNS server (torresdns[.]com), has established typosquatting domains targeting dozens of leading internet destinations, such as Craigslist, YouTube, Google, Wikipedia, Netflix, TripAdvisor, Yahoo, eBay, and Microsoft. A defanged list of these typosquatting domains is available here (dots in the listed domains have been replaced with commas).
David Brunsdon, a threat researcher at Infoblox, explained that parked pages route visitors through a series of redirects, continuously profiling the visitor’s system using IP geolocation, device fingerprinting, and cookies to determine the final redirection destination.
Brunsdon noted, “It was often a chain of redirects—one or two domains outside the parking company—before the threat arrives. Each time in the handoff the device is profiled again and again, before being passed off to a malicious domain or else a decoy page like Amazon.com or Alibaba.com if they decide it’s not worth targeting.”
Brunsdon also mentioned that while domain parking services claim the search results on parked pages are relevant to their domains, almost none of the displayed content was related to the lookalike domain names tested.
Samples of redirection paths when visiting scotaibank dot com. Each branch includes a series of domains observed, including the color-coded landing page. Image: Infoblox.
Infoblox also identified another threat actor owning domaincntrol[.]com—a domain differing from GoDaddy’s name servers by a single character. This actor has long exploited DNS configuration typos to direct users to malicious websites. Recently, Infoblox discovered that the malicious redirect only occurs when the query for the misconfigured domain originates from a visitor using Cloudflare’s DNS resolvers (1.1.1.1); other visitors receive a page that fails to load.
Researchers found that even variations of well-known government domains are being targeted by malicious ad networks.
The report highlights an instance where an Infoblox researcher, attempting to report a crime to the FBI’s Internet Crime Complaint Center (IC3), accidentally visited ic3[.]org instead of ic3[.]gov. The researcher’s phone was quickly redirected to a fraudulent “Drive Subscription Expired” page. The report emphasizes that receiving a scam was fortunate, as an information stealer or trojan malware could have been delivered just as easily.
The Infoblox report clarifies that the malicious activity tracked is not attributed to any known party, and the domain parking or advertising platforms mentioned in the study were not implicated in the malvertising documented.
However, the report concludes that despite parking companies claiming to work only with top advertisers, traffic to these domains was frequently sold to affiliate networks, which often resold the traffic to the extent that the final advertiser had no direct business relationship with the parking companies.
Infoblox also noted that recent policy changes by Google may have unintentionally increased user risk from direct search abuse. Brunsdon stated that Google Adsense previously defaulted to allowing ads on parked pages, but in early 2025, Google implemented a default setting requiring customers to opt-out by default from presenting ads on parked domains. This change now requires advertisers to voluntarily enable parking as an ad placement location in their settings.
