Bold warning: parked domains are increasingly weapons in the online scam ecosystem. Direct navigation—typing a domain into your browser—has never felt riskier. A new study shows that most so‑called parked domains, largely expired or dormant names and common typos of popular sites, now redirect visitors to sites that push scams, malware, or unwanted software.
A striking example: a lookalike domain to the FBI IC3 site displayed a harmless parking page to a mobile user, yet instantly steered them toward deceptive content in October 2025. Parking pages typically exist to monetize stray traffic by presenting links to third‑party sites that have paid to appear there.
About a decade ago, such parked domains had only a small chance of leading to malware—under five percent, even if users clicked nothing on the page. But Infoblox researchers report a reversal: in large‑scale tests, more than 90% of visits to parked domains ended up at illegal content, scams, scareware, or malware—driven by a chain of reallocations where traffic is bought and resold by parking companies.
The danger rises even further depending on how a user connects. If you access a parked domain through a VPN or from a non‑residential IP, the page often remains benign; with a residential IP, or on a mobile device, you’re much more likely to be redirected to malicious content. For example, a mistyped Scotiabank domain (scotaibank[.]com) can show a normal parking page on VPNs but redirects to scams or malware when seen from a typical home IP address. The same pattern applies to many other lookalike domains created by the same operator.
Infoblox’s analysis shows the owner controls roughly 3,000 lookalike domains, including gmai[.]com, which has its own mail server infrastructure. Toss in typos like this and you can end up sending emails to the wrong address, with attackers leveraging these misdirections in business email compromise campaigns that threaten payment integrity and deliver trojan payloads.
The researchers highlight a domain operator, torresdns[.]com, whose typosquat strategy targets dozens of major services—Craigslist, YouTube, Google, Wikipedia, Netflix, TripAdvisor, Yahoo, eBay, Microsoft, and more. They even noted a public list of these typosquatting domains (with dots replaced by commas) for context.
A threat researcher from Infoblox, David Brundson, explained that parked pages routinely funnel visitors through multiple redirects while profiling the visitor’s system via IP geolocation, device fingerprinting, and cookies to optimize where to send them next. Often the path includes one or two intermediaries before the final malicious domain or a decoy page (think Amazon or Alibaba) is chosen.
Parking services claim their results are tailored to the parked domain, but researchers observed that the content shown bears little relation to the actual domain being tested. In one example, a residential IP path directed users to a handful of observed domains and color‑coded landing pages that reveal little relevance to the original domain name.
Another actor, domaincntrol[.]com—which differs from GoDaddy’s name servers by just one character—has exploited DNS misconfigurations to drive users to harmful sites. Recently, this malicious redirect only occurs when the query comes from Cloudflare’s resolver (1.1.1.1); other visitors are met with a page that won’t load.
Even variations of well‑known government domains are now targeted by malicious ad networks. In one incident, a tester attempting to report a crime to the FBI IC3 site landed on ic3[.]org and was quickly redirected to a misleading subscription‑expired page. The same pattern could easily deliver information stealers or trojans rather than legitimate alerts.
Infoblox emphasizes that the observed malvertising activity isn’t tied to a single party. Parking and ad platforms named in the study were not directly blamed for the malvertising; instead, traffic was often sold to affiliate networks who further redistributed it, severing clear business connections between final advertisers and the parking operators.
Additionally, Infoblox points to a Google policy shift that may unintentionally heighten risk for users. Google Ads previously allowed parked pages to host ads by default, but in early 2025 they switched to opt‑out by default, requiring advertisers to actively enable parking in their settings. This change could influence the amount of parked‑domain traffic exposed to malicious actors and the ease with which it is monetized.
