Security analysts say unused domains have shifted from advertising placeholders to active delivery channels for online fraud.
New research has found that more than 90 percent of visits to parked domains now result in exposure to malicious content, including phishing pages, scams, and malware. According to reporting by Cybersecurity News, the study shows a sharp increase compared with findings from earlier years, when fewer than five percent of parked domains were associated with harmful activity. The researchers concluded that parked domains have become a routine part of criminal infrastructure rather than a passive monetization tool.
Parked domains are web addresses without active websites that are typically monetized through advertising services. Over time, these services have adopted direct search advertising, which automatically redirects visitors based on device type, location, and browsing attributes. Threat actors now exploit this system by registering typo-based domains or acquiring expired ones and routing real users to fraudulent content. Security scanners and VPN based visits often show harmless pages, while residential users are redirected through multiple layers to scams or malware. The study documented widespread use of visitor profiling, traffic distribution systems, and fingerprinting scripts that determine which payload is delivered.
Researchers said the infrastructure behind these campaigns shows signs of coordination and long-term management rather than isolated abuse. They identified several large domain portfolio operators controlling thousands of lookalike domains through dedicated name servers. In some cases, the domains closely resembled well-known brands or government services, increasing the likelihood of accidental visits. Analysts noted that fingerprinting techniques collect details such as screen size, browser features, and network characteristics to distinguish real users from automated analysis tools.
According to GBHackers, Google’s recent policy changes requiring advertisers to opt in to parking traffic have had unintended consequences across the domain ecosystem. The shift pushed many domain investors toward direct search parking models, a move that researchers say has increased user exposure to malicious content.
GBHackers reported that attackers most frequently impersonated well-known brands such as Netflix, YouTube, Google, and Newtoki, noting that “as traditional advertising revenue declined, parking platforms actively recommended direct search as an alternative revenue source.” That recommendation, the report said, created conditions where malicious ads could be delivered more easily.
The analysis also pointed out that domain portfolio owners are not passive bystanders. GBHackers noted that some owners “actively participate in user profiling and selective traffic routing,” an underreported role that contributes to the broader threat. As direct search parking grows, the report warned that “even the simplest typo” could expose users to harmful content, calling for greater transparency and coordination across registrars, parking platforms, and security researchers.
They often appear legitimate, receive accidental traffic from typing errors, and can be monetized or abused with little upfront cost.
They use visitor profiling to show benign content to scanners while redirecting real users to harmful pages.
Fake subscription warnings, credential harvesting pages, tech support scams, and malware downloads are frequently observed.
They can block known parking services, monitor DNS queries for lookalike domains, and educate users to verify addresses carefully.
Mobile browsers often hide full URLs, making small spelling differences harder to notice during navigation.