
Many brands end up confused about how best to address parked domains with names similar to their own. Some customers have come to us with a parked domain that could be mistaken for theirs, asking us to have it taken down. Unfortunately, it’s not that simple. If a domain doesn’t display any content, it’s difficult to prove that it’s malicious or that the owner has malicious intent. Luckily, there are steps brands can take to mitigate the risk posed by parked domains. We have helped a number of brands with their approach to these trickier, nuanced brand impersonation risks.

A parked domain is a domain that someone has registered, but it does not point to a website or any content. In many cases, such a domain only displays a generic registrar page or an error that the site can’t be reached. While seemingly harmless, you’ll come to understand (if you don’t already) that such parked domains still present a threat to your brand and customers.

Parked domains with names similar to your brand’s can threaten your reputation and customers, and you can’t afford to ignore them. Luckily, automating the continual monitoring of these domains is a relatively simple-to-implement first step in staying ahead of fraudsters that use them.

What is domain parking or a parked domain?

The ICANNWiki defines a parked domain as a domain that does not have content. A parked domain is registered by an individual, but does not typically include original digital content. 

A domain may be parked because:

  • Registrant wants to generate revenue by publishing advertising content
  • Website is still in development
  • Registrant wants to reserve a domain for future use
  • Domain name has expired
  • Registrant wants to prevent malicious actors from registering the domain

Many times parked domains will simply display a generic message from the registrar or a seemingly innocuous “this site cannot be reached” when visited.

How do fraudsters use parked domains for malicious purposes?

The majority of parked domains remain benign or eventually become legitimate websites. On the flip side, however, Emotet – one of the most prevalent malware families currently known – used parked domains as a distribution channel in 2020. 

Scammers use domain parking in their fraud schemes for multiple reasons including:

  • Redirecting to malicious pages/content
  • Eventually publishing malicious content on the domain itself (e.g., a phishing page)
  • Appearing as a legitimate sender of phishing emails

Scammers will also park domains for a period of time to circumvent detection. Some domain monitoring solutions evaluate newly registered domains for a limited period of time, eventually removing them from the scanning regimen. As you might imagine, that’s the perfect time for a fraudster to then launch a phishing site.

Brands also come to us because they notice an MX record associated with a parked domain named similarly to their brand’s. This is good reason to suspect that whoever owns said parked domain plans to send, or is sending, phishing messages purporting to be from the brand. 

What’s risky about a parked domain name similar to yours that includes an MX record?

A mail exchange record (MX record) is part of the Domain Name System that identifies e-mail servers on the Internet. An MX record defines the host/server that will accept e-mail sent to its associated domain. 

A parked domain with an MX record can send email from said domain for phishing purposes. A parked domain doesn’t always publish content and so, depending on your brand impersonation detection methods, the domain may appear harmless to the novice eye.

What about SPF, DKIM, and DMARC?

Brands often ask us about these protocols, and it’s easy to be confused about what they can and cannot do. Preventing email sender and message forgery with the triple-threat – Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) – is great practice and everyone should implement them if they haven’t already.

Unfortunately SPF, DKIM, and DMARC only mitigate the risk of someone sending a forged email from a specific domain that you own. They do not prevent someone from sending email from a different domain which could be mistaken for yours.

Challenges in responding to potentially malicious, parked domains

One of the top 25 U.S. banks recently approached Allure Security for help with a number of parked domains they believed were either a precursor to phishing or already actively phishing their customers via email. Because the parked domains didn’t publish content, registrars and/or hosts would not take action on them: the domains were not necessarily breaking any established “rules of the Internet,” and there was no evidence of malicious intent.

A Uniform Domain Name Dispute Resolution Policy (UDRP) filing also requires that the complainant (filer) prove that the owner of the disputed domain is using that domain “in bad faith.” Bad faith is defined as “tak[ing] unfair advantage of or otherwise abus[ing] a complainant’s mark.” According to the policy, evidence typically consists of dated screenshots of the offending website. On most parked domains, there’s no content to be screenshotted.

Added to the difficulty of gathering evidence of malicious intent for a parked domain, the UDRP process takes time – at least 60 days in most cases. Every day that a potential phishing domain remains online means more potential victims, more potential fraud, and more damage to your brand.

Options for responding to problematic parked domains boil down to three:

  1. UDRP filing – If you can find the contact information for the owner of a parked domain (harder and harder these days) – send them a letter
    1. Then wait up to 20 days for them to respond
    2. Wait at least another 40 days for arbitration of your case (and pay fees to lawyers/arbiters all the while)
    3. Risk losing your original case
    4. Repeat ad infinitum because it’s inexpensive for scammers to just move on to the next domain, over and over
    5. This is not a good approach to potential or active phishing threats. It’s reactive, expensive, and never-ending.
  2. Continual monitoring – Keep a constant eye on any parked domain so that if it transitions into a scam, you can take action immediately. This is an imperative aspect of best practice.
  3. Ignore them – This is a bad idea for obvious reasons previously mentioned. You wouldn’t be reading this article if you didn’t know that you ignore parked domains at your own peril.

What should you do about parked domains?

Despite the challenges and seeming futility of combatting suspicious parked domains, brands can take steps to mitigate the risk. Perhaps most importantly, don’t ignore them. A parked domain may transform into a malicious site at any time. Visibility alone is helpful.

Some steps brands can take to respond to problematic parked domains include:

  1. Realize, if you don’t already, that reaching out to registrars or hosting providers about a parked domain will not bear fruit – time, energy, and money are better spent elsewhere
  2. Automate the monitoring of such domains with regular frequency so you can take action immediately if/when malicious content is posted
  3. Add the domain to your blocklist for the mailers you control – keep in mind this only protects employees within your “walled garden,” and not your customers outside its walls
  4. Make it clear to customers where to send examples of emails so that you can gather evidence – but this is not something to be counted on
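
The automated monitoring in step 2, sketched as an added example (not Allure Security's code): it compares two snapshots of a watched domain and raises alerts when an MX record appears, DNS changes, or the page gains a password field or brand wording. The snapshot fields, domain names and sample data are constructed assumptions; gathering the snapshots (DNS lookups, page fetch) is left to the resolver and fetcher you already run.

```python
import re

PASSWORD_FIELD = re.compile(r'<input[^>]+type=["\']?password', re.I)

def diff_observations(prev, curr, brand_terms):
    """Compare two snapshots of one watched domain; return (severity, message) alerts."""
    alerts = []
    if set(curr["mx"]) != set(prev["mx"]):
        # A first MX record means the parked domain is now set up for email.
        sev = "high" if not prev["mx"] else "medium"
        alerts.append((sev, f"MX records now {sorted(curr['mx'])}"))
    for key, label in (("a", "A records"), ("ns", "nameservers")):
        if set(curr[key]) != set(prev[key]):
            alerts.append(("medium", f"{label} now {sorted(curr[key])}"))
    if curr["body"] != prev["body"]:
        body = curr["body"] or ""
        has_form = bool(PASSWORD_FIELD.search(body))
        hits = [t for t in brand_terms if t.lower() in body.lower()]
        if has_form and hits:
            alerts.append(("critical", f"login form mentioning {hits}"))
        elif has_form or hits:
            alerts.append(("high", "password field or brand term on page"))
        else:
            alerts.append(("low", "page content changed"))
    return alerts

# Constructed snapshots of a hypothetical lookalike domain (not real data).
PARKED = {"a": ["192.0.2.10"], "ns": ["ns1.registrar.example"], "mx": [],
          "body": "<html>This domain is parked.</html>"}
MAIL_READY = dict(PARKED, mx=["mail.examp1e-bank.example"])
LIVE = dict(MAIL_READY, a=["198.51.100.7"],
            body='<form>Example Bank <input type="password" name="p"></form>')

if __name__ == "__main__":
    for old, new in ((PARKED, MAIL_READY), (MAIL_READY, LIVE)):
        for severity, message in diff_observations(old, new, ["Example Bank"]):
            print(severity, message)
```

Run the comparison on a fixed schedule for as long as the domain stays registered, rather than dropping it from the watch list once it has been quiet for a while.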

Long story short, best practice is to maintain visibility of suspicious parked domains because they can become an active threat to your brand and customers at any time.

What You Should Do Next

  • See how your brand protection efforts compare with best practices using our free Busy Person’s Guide to Online Brand Protection.
  • Learn about Allure Security being recognized in the Gartner® 2022 Emerging Tech: Adoption Growth Insights in Digital Risk Protection Services Report and what sets us apart on our blog.
  • If you need help with a cost-effective approach to identifying, monitoring, and responding to potentially malicious domain parking, contact us.
