Parked Domain Risk: Why Dormant Domains Become Active Threats

    Typosquatting domain redirect showing malicious website triggered by mistyped URL leading to phishing or malware

    A decade ago, parked domains were digital placeholders showing generic ads. Today, over 90% redirect visitors to scams, malware, or phishing pages.

    The humble typo has become surprisingly dangerous. Type “goggle.com” instead of “google.com,” misremember a brand’s exact domain, or fat-finger a URL on a mobile keyboard, and you’re no longer likely to land on a benign page of advertisements. New research from Infoblox reveals that more than 90% of parked domain visits now redirect users to scams, malware, or credential harvesting sites.

    This represents a fundamental shift in the threat landscape. A decade ago, fewer than 5% of parked domains served malicious content. Domain portfolio holders, known as “domainers,” monetized their inactive properties through advertising networks that displayed relatively harmless commercial content. The worst outcome for an accidental visitor was typically exposure to low-quality ads.

    That equilibrium has collapsed. The advertising ecosystem changes that were meant to improve quality have inadvertently weaponized millions of dormant domains, turning the internet’s forgotten real estate into a minefield for anyone who makes a spelling mistake.

    How parked domains became weapons

    The transformation began with changes in how parked domains generate revenue. Traditional domain parking displayed static advertisements when someone visited an inactive domain. The domainer earned small amounts per impression, and the visitor saw ads for products vaguely related to the domain’s keywords.

    The newer model, known as “direct search” or “zero-click” parking, operates differently. Instead of showing static ads, these systems instantly redirect visitors through complex chains of traffic distribution systems (TDSs), where advertisers bid for incoming traffic in real-time auctions. The visitor never sees a parked page at all. They’re immediately sent wherever the highest bidder directs them.

    This architecture creates the perfect conditions for abuse. Legitimate advertisers compete alongside malicious actors for traffic. The multiple layers of redirection obscure accountability. By the time someone realizes they’ve landed on a phishing site, they’ve passed through several intermediaries, none of whom bear clear responsibility for the final destination.

    The fraud protection mechanisms used by parking platforms inadvertently help attackers avoid detection. These systems identify security researchers and automated scanners, serving them benign content while directing real users to malicious destinations. The same tools designed to verify human visitors become shields for criminal activity.

    The Google policy paradox

    In March 2025, Google implemented advertising policy changes requiring advertisers to explicitly opt in to receiving parking traffic. The intention was to improve ad quality by giving advertisers more control over their traffic sources.

    The unintended consequence proved damaging. Many domain portfolio owners, cut off from traditional parking revenue, switched to direct search systems to maintain profitability. These alternative monetization channels carried significantly higher rates of malicious content. The third-largest supply-side platform saw malvertising rates exceed 10% following the transition.

    The policy change that was meant to clean up the advertising ecosystem ended up pushing traffic toward less regulated channels where malware and scams flourished. Domain owners seeking legitimate revenue unknowingly became conduits for fraud.

    Typosquatting meets malicious monetization

    The parked domain threat intersects dangerously with typosquatting, where attackers register domains that are common misspellings of legitimate brands. A domain like “amazn.com” or “paypa1.com” might sit dormant for months, appearing to be just another speculative domain registration. Then, when traffic spikes, perhaps during a major sale or promotional event, the redirect chain activates.

    Infoblox researchers identified three major domain portfolio holders using advanced tactics to maximize malicious traffic. These operators profile visitors to determine whether they’re security researchers or real targets. They exploit lookalike domains systematically, registering variations of popular brands. They collect email addresses from typo-based domains, potentially building lists for future phishing campaigns.

    One particularly concerning example involved “ic3.org,” a domain mimicking the FBI’s Internet Crime Complaint Center at ic3.gov. Visitors, especially those on mobile devices, were redirected to scam pages. Users seeking to report cybercrime instead became potential victims of it.

    The targeting extends to DNS behavior. Some operators began answering DNS queries exclusively from Cloudflare’s 1.1.1.1 resolver, effectively singling out users of one of the most widely used secure DNS services. This level of sophistication suggests well-resourced operations, not opportunistic criminals.

    The brand protection challenge

    challenge. Thousands of domains incorporating your brand name may exist in various states of activity. Most genuinely are dormant, held by speculators hoping to sell them. But any of them could activate malicious redirects without warning.

    Traditional domain monitoring focuses on newly registered domains and active websites. Parked domains often slip through because they appear inactive. The domain has been registered for years. The WHOIS information may look legitimate. No website content exists to analyze. Then one day, someone types it accidentally and finds themselves on a credential harvesting page that perfectly mimics your login portal.

    The challenge compounds when considering the volume. Major brands face thousands of typosquatted and cybersquatted variations. Monitoring all of them continuously requires substantial resources. Distinguishing truly dormant domains from those weaponized through direct search systems requires understanding the underlying monetization infrastructure, not just the domains themselves.

    Defensive measures

    Organizations can reduce parked domain risk through several approaches, though none provides complete protection.

    Defensive domain registration secures the most obvious typos and variations of primary brand domains. This becomes expensive quickly given the number of possible variations, but protecting the highest-traffic typos reduces the attack surface.

    DNS-level blocking can prevent employees and managed devices from reaching known parked domains. Enterprise DNS security solutions increasingly categorize parked and newly registered domains as high-risk, blocking access by default.
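To make the two measures above concrete, here is an added example (not from the original article or from any vendor's product) that enumerates single-edit typos of a brand domain and flags resolver-log queries that match one. The helper names, the homoglyph table and the sample log are assumptions; the typo domains are the ones the article itself cites.

```python
# Visually similar substitutions; "l" -> "1" is the paypa1.com pattern from the article.
HOMOGLYPHS = {"l": "1", "i": "1", "o": "0", "e": "3", "s": "5"}

def typo_variants(domain):
    """Map each single-edit typo of the first label to the technique that produces it."""
    label, _, suffix = domain.partition(".")
    out = {}

    def add(candidate, technique):
        # Skip empty labels and edits that reproduce the brand itself.
        if candidate and candidate != label:
            out.setdefault(f"{candidate}.{suffix}", technique)

    for i, ch in enumerate(label):
        add(label[:i] + label[i + 1:], "omission")
        add(label[:i] + ch + label[i:], "repetition")
        if i + 1 < len(label):
            add(label[:i] + label[i + 1] + ch + label[i + 2:], "transposition")
        if ch in HOMOGLYPHS:
            add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:], "homoglyph")
    return out

def flag_lookalikes(queried, brands, owned=frozenset()):
    """Return (queried_domain, brand, technique) for queries that hit a typo variant."""
    index = {}
    for brand in brands:
        for variant, technique in typo_variants(brand).items():
            index.setdefault(variant, (brand, technique))
    hits = []
    for name in queried:
        name = name.lower().rstrip(".")  # normalise case and the trailing root dot
        if name in index and name not in owned:
            hits.append((name, *index[name]))
    return hits

# Constructed resolver-log sample; the brands and typos are the ones the article names.
QUERIES = ["amazon.com", "amazn.com", "PayPa1.com.", "paypal.com", "example.org"]
BRANDS = ["amazon.com", "paypal.com"]

if __name__ == "__main__":
    for hit in flag_lookalikes(QUERIES, BRANDS):
        print(hit)
```

Passing the defensively registered portfolio as `owned` leaves only the variants that someone else controls.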

    User education about typosquatting and the risks of manually typing URLs helps, though it cannot address every scenario. Encouraging bookmark usage for frequently accessed sites reduces exposure to typo-based attacks.

    Continuous monitoring tracks domains referencing your brand for changes in behavior. A parked domain that suddenly begins resolving to active infrastructure deserves investigation.
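A sketch of that monitoring check, added here as an example and not taken from the original article: it compares two DNS snapshots of a brand watchlist and queues domains that left the dormant state, changed records, or answer only some resolvers (the 1.1.1.1-only behaviour described earlier). The snapshot format, function name, second resolver and all domains and addresses are constructed placeholders.

```python
# Constructed observations: {domain: {resolver: set of A records}}.
# Domains use the reserved .example TLD and addresses come from the
# documentation ranges, so none of these values is a real indicator.
BASELINE = {
    "examp1e.example": {"1.1.1.1": set(), "8.8.8.8": set()},
    "exmaple.example": {"1.1.1.1": {"192.0.2.10"}, "8.8.8.8": {"192.0.2.10"}},
    "exampel.example": {"1.1.1.1": set(), "8.8.8.8": set()},
}
CURRENT = {
    "examp1e.example": {"1.1.1.1": {"203.0.113.7"}, "8.8.8.8": {"203.0.113.7"}},
    "exmaple.example": {"1.1.1.1": {"198.51.100.4"}, "8.8.8.8": {"198.51.100.4"}},
    "exampel.example": {"1.1.1.1": {"203.0.113.9"}, "8.8.8.8": set()},
}

def review_queue(baseline, current):
    """Return [(domain, [reasons])] for watchlist domains whose DNS behaviour changed."""
    findings = []
    for domain in sorted(current):
        now = current[domain]
        old_ips = set().union(*baseline.get(domain, {}).values())
        new_ips = set().union(*now.values())
        reasons = []
        if new_ips and not old_ips:
            reasons.append("dormant->resolving")
        elif new_ips and new_ips != old_ips:
            reasons.append("records-changed")
        # Resolvers that received an answer; a strict subset means selective answering.
        answering = {resolver for resolver, ips in now.items() if ips}
        if answering and answering != set(now):
            reasons.append("resolver-selective:" + ",".join(sorted(answering)))
        if reasons:
            findings.append((domain, reasons))
    return findings

if __name__ == "__main__":
    for domain, reasons in review_queue(BASELINE, CURRENT):
        print(domain, reasons)
```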

    For security teams concerned about how attackers leverage legitimate infrastructure to hide malicious activity, our analysis of dynamic DNS abuse explores related techniques where criminals exploit trusted services.

    The Bottom Line

    Parked domains have transformed from digital placeholders into active threat vectors. The shift from static parking pages to direct search redirects created an ecosystem where malicious actors compete alongside legitimate advertisers for traffic, and the traffic they win often comes from users who simply made a typing error.

    The 90% malicious rate identified by Infoblox represents a dramatic shift from the relatively benign parked domain landscape of a decade ago. For organizations protecting their brands and customers, this means treating dormant domains with the same suspicion as active phishing infrastructure. The domain that appeared harmless yesterday may be redirecting to a credential harvesting page today.

    Key Takeaways

    What percentage of parked domain visits lead to malicious content?

    Research from Infoblox found that over 90% of parked domain visits now redirect to scams, malware, or phishing pages. This is a dramatic increase from less than 5% a decade ago.

    What is direct search or zero-click domain parking?

    Direct search parking instantly redirects visitors through traffic distribution systems where advertisers bid for traffic in real-time. Unlike traditional parking that showed static ads, visitors are immediately sent to the highest bidder’s destination, which may be malicious.

    How did Google's policy changes affect parked domain security?

    Google’s March 2025 advertising policy requiring opt-in for parking traffic caused many domain owners to switch to direct search systems. These alternative channels carried higher malvertising rates, with one major platform seeing rates exceed 10%.

    What is the connection between parked domains and typosquatting?

    Typosquatted domains that mimic brand names often appear dormant until activated. When visitors mistype a URL, they may be redirected through parked domain infrastructure to phishing or scam sites, making simple typing errors increasingly dangerous.

    How can organizations defend against parked domain threats?

    Defense strategies include defensive domain registration for common typos, DNS-level blocking of parked domains, user education about typing URLs carefully, and continuous monitoring for domains referencing your brand that change behavior.
