![\"Figure](\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/domain_parking_figure_1a-v2.jpg\")
\n
![\"Figure](\"\/wp-content\/uploads\/domain_parking_figure_1b.jpg\")
\n<\/div>\nFigure 1. A scan<\/strong><\/a> of ic3[.]org, a lookalike to the FBI Internet Crime Complaint Center website, returned a non-threatening parking page (left) whereas a mobile user was instantly directed to deceptive content in October 2025 (right).<\/p>\n At the heart of the matter is a feature referred to as direct search<\/strong><\/a> or zero click parking<\/strong><\/a>, which is intended to directly deliver users relevant content based on the parked domain name. When a domain owner opts into direct search, traffic to the domain is sold to advertisers who bid on keywords and traffic characteristics. In practice, the site visitor is usually funneled through a series of traffic distribution systems (TDSs) operated by third-party advertising platforms, creating a complex web where a legitimate business model is weaponized for abuse.<\/p>\n The likelihood of encountering malicious content has risen dramatically since a major study was published<\/strong><\/a> over a decade ago. Those researchers, although alarmed by the potential risks, estimated that malicious content was delivered less than 5% of the time via parked domains. We\u2019ve found that the situation is now reversed: malicious content is the norm. Aside from incidental typos, unscrupulous parties purchase formerly legitimate domains or lookalike domains and drive victims to them. Additionally, the rapid proliferation of generative AI tools plays a role in this threat landscape. AI chat systems incorporate internet history into their training models and can include outdated URLs in their answers. When these domains are picked up by bad actors, the seemingly trustworthy AI link can lead users to malicious content<\/strong><\/a>.<\/p>\n In large scale experiments, we found that over 90% of the time, visitors to a parked domain would be directed to illegal content, scams, scareware and anti-virus software subscriptions, or malware, as the \u201cclick\u201d was sold from the parking company to advertisers, who often resold that traffic to yet another party. None of this displayed content was related to the domain name we visited.<\/p>\n The details of the parking threat ecosystem are complex, so to illustrate the risks we will primarily examine a single domain: <redacted>[.]com, a typosquat of the legitimate domain for a large financial institution. Through this example, we\u2019ll demonstrate how accidental typos, or lookalike domains, deliberately placed by cybercriminals can lead to a variety of threats.<\/p>\n <redacted>[.]com is part of a domain portfolio full of lookalikes to major brands, who own some of the most popular sites on the internet. These lookalike domains are not directly parked with a major company. Instead, an intermediary server operates as a simple TDS and will redirect to a standard parking page if the visitor is not from a residential IP address. Otherwise, the domain controller will redirect to one of a few parking companies where even more sophisticated user fingerprinting occurs before the landing page is displayed.<\/p>\n We studied parking platforms, domain portfolio owners, publishers, and advertising networks for their role in delivering malvertising to end users. Sketchy players, along with abused entities, exist in every part of the ecosystem. While the scam or malware comes from the advertiser, we found domain portfolio holders often engage in suspicious practices and are an underreported element of the threat landscape. In this paper, we detail how:<\/p>\n Many thanks to SURBL<\/strong><\/a> for their collaboration in this research. One of the earliest threats we investigated together were domains that were clever lookalikes to major corporations leading through parking platforms and funky captchas to advertisements for a variety of \u201cprivacy\u201d applications. We were able to repeatedly go from a collection of parked domains to the same landing pages. Alarmed, we began to reach out to the parking platforms. Nearly a year later, Trinity Cyber released research<\/strong><\/a> demonstrating that these applications are powerful spyware.<\/p>\n During the past year, we contacted multiple companies in the parking industry to discuss the malvertising we observed through their platforms. Each firm recognized that both domain holders and advertisers could abuse the parking platforms. Even with a desire to help reduce abuse, direct search creates a paradox. The threats are downstream, and since the redirection chains leading to threats can pass through multiple advertising networks, \u201cKnow Your Customer\u201d (KYC) doesn\u2019t extend to these final destinations. Team Internet AG was particularly helpful to us during this investigation.<\/p>\n The malicious activity described in this report is not attributed to any known party. The parking or advertising platforms named in this report were not implicated in the malvertising we observed. In addition, the brands targeted by these malicious actors are innocent parties to an economy that makes accountability very difficult.<\/em><\/p>\n Domains without a current webpage can be monetized by hosting them at a domain parking company that displays ads to visitors, generating passive income for the domain owner. Individuals who invested in domain names for future resale hope to make enough by parking them to pay for their annual domain renewals, and ideally a little extra for themselves. Some investors have large collections of domains; they are called \u201cdomainers\u201d in the industry.<\/p>\n Traditional parking sites show advertisements that the website visitor must click on for the domain holder to be paid. But an alternative \u201czero click\u201d model, referred to as direct search, has been available for years. Advertisers bid on traffic based on a variety of criteria, including keywords, location, and device information. The user will then be redirected to the winning bidder, which might be an advertising network. Trillion Direct explains it this way<\/strong><\/a>:<\/p>\n \u201cDirect navigation search occurs when a user types a keyword-filled domain name into their browser\u2019s address bar. These are high-intent search users who are bypassing search engines because they know exactly what they want, and they want it now.\u201d<\/em><\/p>\n In practice, we found this isn\u2019t true: rarely was the displayed content related to the parked domain name. The advertisements might have been related to the domain keywords a decade ago, but today that simply isn\u2019t the case.<\/p>\n Whatever is advertised, high value domain portfolios can profit tremendously. According to Above.com<\/strong><\/a>, domainers might see an 188% increase in revenue within a few months; see Figure 2. <\/p>\n Figure 2. A monetization case study from Above.com demonstrates that domain portfolio owners can benefit greatly from using direct search.<\/p>\n While Above.com emphasizes \u201cpremium advertisers<\/strong><\/a>,\u201d in practice we found that the traffic was frequently sold to affiliate advertising networks, who often sold the traffic again, meaning that the final advertiser had no business relationship with Above. This disconnect between the parked domain and the advertisement isn\u2019t unique to Above; it was seen in every parking platform we examined.<\/p>\n Recent policy changes by Google may inadvertently increase the risk to users from direct search abuse. Google is the large traffic buyer in the advertising industry. To combat fraud from parked domains, in March 2025, they began requiring advertisers to deliberately \u201copt-in\u201d to parking traffic. Domain investors immediately saw a dramatic reduction in their income. In response, parking platforms like Above recommended that their clients<\/strong><\/a> adopt direct search to maintain a stable income from parked domains. Unfortunately, a greater adoption of direct search as it is today may help domainers but increase the risk for internet users and enterprises.<\/p>\n While threats are delivered by advertisers, domainers can profit enormously from direct search and also play a part in the threat landscape. Researchers in 2014 demonstrated that they could control the flow of traffic from parked domains to advertisements. During our investigation, we identified domainers who appeared to do exactly that. Team Internet referred to this scheme as \u201cwhitewashing\u201d and it is similar to practices associated with master134. We found multiple large domainers, including the one who holds <redacted>[.]com, who actively participated in screening website visits. Some affiliate advertising networks, like RichAds, claim to own portfolios of parked domains and sell traffic from them to their customers.<\/p>\n <redacted>[.]com provides a good demonstration of the many ways that direct search is risky for internet users. We visited this domain hundreds of times and recorded the results. Figure 3 shows some of the redirection paths we observed while simulating different devices and browsers from different locations. The red boxes are domains connected to malware, scams, and deceptive content; the yellow to landing pages irrelevant to the initial domain such as gambling or antivirus; and the purple to the parking page that is essentially a decoy site. This figure reveals the complexity of traffic distribution for parked domains as well as the high level of risk for visitors.<\/p>\n Figure 3: Samples of redirection paths when visiting <redacted>[.]com. Each branch includes a series of domains observed, including the color-coded landing page.<\/p>\n A visit to <redacted>[.]com starts with lightweight fingerprinting. Based on the IP geolocation and user agent (UA) information, the site will either redirect to a stereotypical parking page or into a third-party advertising system. Connecting to the domain from a commercial VPN will display a standard parking page, but visiting from a residential IP address will lead into one of a handful of direct search platforms. In detail, when a user visits <redacted>[.]com:<\/p>\n In over 1000 scans from residential proxies and Tor, we were never sent to a standard parking page, and we never received content related to banking. Instead, our traffic was sold through advertising networks, sometimes several times, before an \u201cadvertisement\u201d was displayed. Approximately 90% of the time we were directed to scams, malware, or unwanted content, but this content never came from a direct advertising partner of the major parking platforms, e.g., Zeropark and Trillion. Instead, it was delivered by downstream advertisers, making it impossible for them to know the identity of the malvertiser, and demonstrating the shortcomings of KYC mechanisms to address cybercrime in the case of direct search. The initial visit was funneled from the domain owner of <redacted>[.]com to one of four platforms: Zeropark<\/strong><\/a>, Trillion Direct Search<\/strong><\/a>, ExplorAds<\/strong><\/a>, and AdventureFeeds<\/strong><\/a>. <\/p>\n Each advertising platform performs fingerprinting and may resell the traffic again as a result. To demonstrate the depth of secondary profiling that these firms conduct, let\u2019s consider a script used by one of the advertising affiliates of ExplorAds. It monitors iframes on the page, collects browser and hardware information, attempts to identify bots, and then sends a base64-encoded fingerprint to their TDS domain. See Figure 4. The data gathered includes:<\/p>\n Figure 4. Device fingerprinting by ExplorAds advertising affiliate, arentmarket[.]com, an unknown actor. This script contains comments in Russian.<\/p>\n After profiling the user’s device, each TDS will redirect the user until they reach a final advertiser. Even then, in many cases, the user sees what advertisers call a pre-landing page, which funnels traffic even further. The click chain often also includes captchas, both real and fake, that limit access to the landing page and drive push notification subscriptions.<\/p>\n The landing pages we observed ranged from irrelevant to suspicious to outright malware. The legitimate sites appear to be decoys, served when some TDS in the redirect chain decided our traffic was bot-generated (in fairness, it was). Some of the landing pages we encountered were:<\/p>\n Occasionally, we were directed to malware. In one example, we were prompted to download an archive file containing a trojan. The lure was hosted at chatterjamtagbirdfile[.]monster. We were led to the payload from both ExplorAds<\/strong><\/a> and AdventureFeeds<\/strong><\/a>.<\/p>\n The chatterjamtagbirdfile[.]monster site said, \u201cYour archive is ready\u201d and gave us instructions to download the file and provided a password for the archive (Figure 5). Clicking the button showed a link to mega[.]nz, a popular file sharing website where the malware was hosted.<\/p>\n Figure 5: chatterjamtagbirdfile[.]monster page leading to Tedy malware<\/p>\n The ZIP<\/strong><\/a> file was not actually password protected. When we extracted it, it contained another archive inside: a .7z file named SourceOpen v.2.4.7z. This archive contained multiple files, a .DLL and an .EXE. Several security vendors\u2019 products detected this as Tedy malware.<\/p>\n Tedy isn\u2019t the only malware being delivered via direct search from parked domains; it is simply the one we saw from this single lookalike domain. We also encountered ClickFix attacks delivering Babar malware, information stealers, and spyware.<\/p>\n Malicious advertisers are one component of the risks associated with visiting parked domains, but they would not receive any traffic without domainers\u2014those who hold investment portfolios of domains that drive traffic through the networks. Domainers often hold large numbers of lookalike domains, particularly ones that are common typos of major brands. Some have tens\u2014or even hundreds\u2014of thousands of domains. Domain monetization is big business<\/strong><\/a> for those who invest wisely.<\/p>\n Our research discovered several large domainers, including the owner of <redacted>[.]com, who appear to be directly involved in user profiling and not directly parking their domains at commercial platforms. These actors use IP geolocation, device fingerprinting, and cookies to determine where to redirect domain visitors. We analyzed their domain portfolios, DNS behavior, and redirection patterns.<\/p>\n The name servers of <redacted>[.]com are subdomains of torresdns[.]com and served nearly three thousand lookalike domains in 2025. While the identity of the domain holder is unknown, we associate the <redacted>[.]com holder with the torresdns[.]com owner based on consistent naming and behavior patterns. The torresdns domain was registered in 2016 but only appears as an authoritative name server starting in late-2019.<\/p>\n So, what other domains are part of the torresdns portfolio? We ran a proprietary lookalike detection algorithm on the domain names and uncovered a high density of typosquats of websites that the average person would visit: Craigslist, YouTube, Google, Wikipedia, and Netflix, to name the most common ones. Craigslist was the most prevalent, with 89 lookalikes. See Figure 6 for a depiction of the top 50 imitated brands.<\/p>\n Figure 6: Visualization of lookalike targets using torresdns[.] name servers, based on prevalence in the dataset.<\/p>\n Torresdns is not a simple domain investor: they actively evaluate visitors to the domains to determine where to forward the traffic. Referring to the sample click chains in Figure 3, security vendors, scanners, and bot traffic are consistently directed from the initial IP address to a traditional parking page hosted by Skenzo. Real users are instead sent into direct search parking systems through HTTP redirect.<\/p>\n Parked domains can be used for other malfeasances as well. The actor also holds gmai[.]com, a lookalike to Gmail and a common typo. This domain is configured with MX records. Email that is accidentally sent to the domain will be delivered to mail.h-email[.]net, which was registered in May 2023 and has no known associations<\/strong><\/a> to legitimate mail services. There are numerous reports of users accidentally<\/strong><\/a> sending<\/strong><\/a> personal<\/strong><\/a> information to a gmai[.]com account.<\/p>\n We also found a significant amount of suspicious and malicious spam in our collections that used the domain. Our investigation into this domain determined that gmai[.]com is not just used for passive email collection but has been actively leveraged in multiple business email compromise campaigns. One campaign we identified was actively operating as of November 2025, using a lure indicating a failed payment with trojan malware attached.<\/p>\n Details of an example email:<\/p>\n\n
Direct Search Parking<\/h3>\n
![\"Figure](\"\/wp-content\/uploads\/domain_parking_figure_2.png\")
<\/p>\nVisitor Profiling<\/h3>\n
![\"Figure](\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/domain_parking_figure_3-scaled-v2.png\")
<\/p>\n\n
\n
\n
![\"Figure](\"\/wp-content\/uploads\/domain_parking_figure_4.png\")
<\/p>\n<redacted>[.]com Landing Pages<\/h3>\n
\n
![\"Figure](\"\/wp-content\/uploads\/domain_parking_figure_5.png\")
<\/p>\n<redacted>.com & Gmai: Held by the Same Lookalike Domainer<\/h3>\n
![\"Figure](\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/domain_parking_figure_6-v2.png\")
<\/p>\n
![\"Figure](\"\/wp-content\/uploads\/domain_parking_figure_7.jpg\")
<\/p>\n![\"Figure](\"\/wp-content\/uploads\/domain_parking_figure_8.png\")
<\/p>\n![\"Figure](\"\/wp-content\/uploads\/domain_parking_figure_9.jpg\")
<\/p>\n![\"Figure](\"\/wp-content\/uploads\/domain_parking_figure_11.jpg\")
<\/p>\n![\"Figure](\"\/wp-content\/uploads\/domain_parking_figure_12.jpg\")
<\/p>\n