TL;DR
A study by security firm Infoblox finds that over 90% of parked and typosquatting domains now lead visitors to scams, scareware or malware through chains of redirects. The redirects are often targeted based on IP and device fingerprinting and may behave differently for VPN or non-residential users.
What happened
Researchers at Infoblox ran large-scale experiments over recent months and report that the majority of parked domains — including common misspellings of major websites and expired domains — now redirect visitors to fraudulent or malicious content. Historically, parked sites rarely pushed malware; a 2014 measure put malicious redirection under 5 percent. Infoblox found the pattern has reversed: more than nine out of ten visits to parked names resulted in being sent through chains of redirects that profiled the visitor (via IP geolocation, device fingerprinting and cookies) before delivering scams, scareware, unwanted antivirus subscriptions, or malware. The team observed that the malicious behavior often depends on where the request originates: visits from residential IP addresses typically received harmful redirects, while VPN and non-residential addresses commonly saw benign parking pages. The report documents multiple lookalike domain portfolios and examples, and notes traffic is frequently resold through affiliate networks before reaching the final malicious destination.
Why it matters
- Direct navigation — typing domains manually — is a routine user behavior that increasingly exposes people to malware and scams.
- Typosquatting and expired domains now act as distribution channels for fraud and malware at scale.
- Redirect behavior is adaptive and targeted, meaning ordinary browsing from a home IP or mobile device is more likely to be exploited.
- Traffic reselling through affiliates obscures accountability and complicates efforts to block the ultimate malicious operators.
Key facts
- Infoblox's experiments found over 90% of visits to parked domains were redirected to scams, malware or deceptive content.
- In 2014, parked domains redirected users to malicious sites less than 5% of the time, according to earlier research.
- Parked pages often profile visitors using IP geolocation, device fingerprinting and cookies before choosing a redirect.
- Visits from VPNs or non-residential IP addresses frequently yield benign parking pages, while residential IPs are more often redirected.
- Researchers documented lookalike portfolios including nearly 3,000 domains tied to a single owner, such as scotaibank[.]com and gmai[.]com.
- gmai[.]com was observed to accept incoming email via its own mail server and has been used in business email compromise campaigns, per the report.
- Some redirect chains involve multiple handoffs between domains and affiliate networks before reaching the final malicious page.
- Infoblox noted instances where users attempting to reach government or law-enforcement sites via typos landed on scam pages.
- A domain (domaincntrol[.]com) that differs from a legitimate registrar name by a single character was found to exploit DNS typos; its behavior varied by DNS resolver.
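A defender can screen for this class of one-character lookalikes in mail, DNS zone and proxy logs. The following is an added example, not code from Infoblox or the source article: it flags any domain within one edit (insert, delete, substitute or adjacent swap) of a protected name. The watchlist contents, the record kinds and the sample records are assumptions constructed for illustration.

```python
# Added example: flag domains one edit away from a protected name.
PROTECTED = {"gmail.com", "scotiabank.com", "domaincontrol.com"}  # assumed watchlist

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]

def base_domain(value):
    # Accepts an email address or hostname, defanged or not.
    host = value.lower().replace("[.]", ".").rsplit("@", 1)[-1].rstrip(".")
    return ".".join(host.split(".")[-2:])  # naive: last two labels, no public-suffix list

def lookalike_of(value, protected=PROTECTED, max_dist=1):
    dom = base_domain(value)
    if dom in protected:
        return None  # exact match is the real name, not a lookalike
    for good in sorted(protected):
        if osa_distance(dom, good) <= max_dist:
            return good
    return None

def scan(records):
    hits = []
    for kind, value in records:
        good = lookalike_of(value)
        if good:
            hits.append((kind, base_domain(value), good))
    return hits

SAMPLE = [  # constructed records: (log source, observed value)
    ("mail_rcpt", "alice@gmai[.]com"),
    ("mail_rcpt", "bob@gmail.com"),
    ("zone_ns", "ns07.domaincntrol[.]com."),
    ("web_host", "www.scotaibank[.]com"),
    ("web_host", "www.example.org"),
]

if __name__ == "__main__":
    for kind, seen, intended in scan(SAMPLE):
        print(f"{kind}: {seen} looks like {intended}")
```

Counting an adjacent swap as a single edit is what catches scotaibank[.]com, which plain Levenshtein distance scores as two edits.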
What to watch next
- Whether law enforcement or registrars take coordinated action against identified lookalike domain portfolios (not confirmed in the source).
- Further changes in ad network policies or enforcement that could reduce monetization routes for parked-domain traffic (not confirmed in the source).
- Whether affected parking companies will alter traffic resale practices or tighten vetting of downstream buyers (not confirmed in the source).
Quick glossary
- Parked domain: A registered domain that displays a placeholder page, often used to monetize accidental or type-in traffic with paid links.
- Typosquatting: The practice of registering domain names that are misspellings or lookalikes of popular sites to capture typo-driven traffic.
- Device fingerprinting: A technique that collects information about a visitor's device and browser to create a unique identifier for targeting or tracking.
- DNS resolver: A server that translates human-readable domain names into IP addresses used by machines to locate websites.
- Affiliate network: A marketing channel that buys or resells traffic and pays commissions to partners for directing visitors to advertisers.
Reader FAQ
Are parked domains generally dangerous now?
Infoblox's tests indicate that over 90% of parked domains in their sample redirected visitors to scams or malware, making them far riskier than in prior years.
Does using a VPN prevent these redirects?
The report found parked pages frequently appear benign when accessed via VPNs or non-residential IP addresses, while residential IP visits were more likely to be redirected.
Is Google implicated in the malvertising?
The report does not attribute the malicious activity to specific parking or ad platforms but notes a 2025 Google Ads setting change that may have affected ad placements on parked pages.
Can mistyped email addresses to lookalike domains cause harm?
Yes. The report documents gmai[.]com accepting mail and being used in business email compromise campaigns, indicating misaddressed emails can be intercepted.
Should users stop typing domains directly?
Not confirmed in the source.

December 16, 2025. Direct navigation — the act of visiting a website by manually typing a domain name in a web browser — has never been riskier: A…
Sources
- Most Parked Domains Now Serving Malicious Content
- New research shows most parked domains now expose …
- Parked Domains Become Weapons with Direct Search …