Dive Brief:
- Palo Alto Networks' Unit 42 identified 5 million "newly parked domains," registered domain names waiting for use or service, between March and September 2020. Another 6 million parked domains shifted categories; 31% became "suspicious," Unit 42 found.
- One percent, or 60,000, of parked domains gained a "malicious" label, which covers phishing or malware. Parked domains are eight times more likely to shift from a benign category to a dangerous one.
- Nearly one-third of those "malicious" parked domains turned malicious less than 10 days after being parked. By comparison, benign domains remain parked for 60-69 days. "We conjecture that many cybercriminals do not age their domains," which helps avoid detection, according to the report.
Dive Insight:
Malicious parked domains can serve as an entry point for malware. While phishing and ransomware are tied to malicious domain parking, they are not entirely dependent on each other.
Phishing spiked at the onset of the pandemic, and for criminals, "why try anything else if that works?" said Ruian Duan, staff security researcher at Palo Alto Networks' Unit 42. "We expect to keep seeing the same issues heading into 2021."
On the surface, parked domains look like dormant threats. Companies park their domain names for a number of reasons and benefits, such as earning traffic-generated revenue or increasing the value of a domain by holding onto it.
When done legitimately, parking services "will either present visitors with a list of advertisements or automatically redirect users to advertisers' webpages," according to Unit 42. The owner of the domain gets paid when users engage with ads. With enough traffic, the owner can sell the domain for its increased value.
Domain parking is just as useful for bad actors.
Criminals who park domains exploit common spelling errors, such as an extra "i" typed when searching for "Xfinity," according to the report. The redirect to the malicious "xifinity[.]com" website presented users with a fake message from McAfee saying their security subscription had expired. "We believe that attackers are abusing McAfee's affiliate program to steal ad revenue," said Unit 42.
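As an added illustration (not code from the report or from Unit 42), the following Python script flags one-keystroke lookalikes of a monitored brand name, the kind of typo described above, and ranks them using the report's observation that malicious parked domains tend to go live within 10 days; the domain list, parking dates and threshold name are constructed for the example.

```python
from datetime import date

# Constructed sample: registrable labels (TLD stripped) of recently parked
# domains and the date each was first seen parked. Not real data.
PARKED = {
    "xifinity": date(2020, 9, 1),          # extra "i", as in the report
    "xfinty": date(2020, 7, 3),            # dropped letter
    "xfniity": date(2020, 8, 29),          # adjacent letters swapped
    "xfinity-support": date(2020, 8, 30),  # not a one-keystroke typo
    "pacific": date(2020, 6, 1),           # unrelated label
}
AS_OF = date(2020, 9, 8)  # constructed "today" for the age calculation

def within_one_edit(a, b):
    """True if b is one insertion, deletion, substitution or adjacent
    transposition away from a (Damerau-Levenshtein distance <= 1)."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
        if len(diffs) == 1:
            return True  # single substitution
        return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
                and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    # one insertion/deletion: dropping some character of the longer string
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))

def assess(brand, parked, as_of, fast_turnover_days=10):
    """Map each parked label to (lookalike?, days parked, risk). A lookalike
    that is younger than the threshold gets the highest priority, following
    the report's finding that benign domains stay parked far longer."""
    result = {}
    for label, parked_on in parked.items():
        lookalike = within_one_edit(label.lower(), brand.lower())
        days = (as_of - parked_on).days
        if lookalike and days < fast_turnover_days:
            risk = "high"
        elif lookalike:
            risk = "medium"
        else:
            risk = "low"
        result[label] = (lookalike, days, risk)
    return result

if __name__ == "__main__":
    for label, (look, days, risk) in assess("xfinity", PARKED, AS_OF).items():
        print(f"{label:18} lookalike={look!s:5} parked_days={days:3} risk={risk}")
```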
Dipping into another company's ad revenue is proving costly. Ad fraud was expected to reach $5.8 billion in economic losses in 2019, according to a study from the Association of National Advertisers.
Criminals "can use domain parking for temporary disguise or to potentially fund some of their costs related to domain registrations," said Duan.
Unit 42 found attackers leveraging the domain "peoplesvote[.]uk" around the presidential election in the U.S. Some unwitting visitors were redirected to "0redira[.]com/jr.php," where an exploit kit script was waiting to "fingerprint" users' web activity. In doing so, the exploit kit script hid the landing URLs to evade security detection.
"These pages are still active as of this writing," Unit 42 said.