Infoblox Threat Intel Reveals How Forgotten Internet Real Estate is Being Weaponized Through Direct-Search Abuse and DNS Tactics
New research from Infoblox Threat Intel has uncovered a startling shift in the cybersecurity landscape: parked domains, long considered harmless digital clutter, have been transformed into a primary vehicle for cyberattacks.
In a massive reversal of a decade-old risk profile, large-scale experiments now show that over 90% of visits to parked domains result in users being redirected to malicious content, including scams, scareware, and malware.
The danger lies in the abuse of “direct search/zero-click” advertising systems. In the past, a parked domain typically displayed a static page of ads. Today, these systems are being manipulated to instantly redirect visitors to third-party sites chosen by advertisers, often without a single click from the user and without any warning.
“A decade ago, parked domains were mostly harmless,” says Dr. Renée Burton, Vice President of Infoblox Threat Intel. “Today, they’ve become almost exclusively malicious. What was once internet background noise is now a largely unrecognized persistent and pervasive threat.”
The report identifies three major domain portfolio holders, known as domainers, who utilize sophisticated techniques to evade detection and exploit users. Their arsenal includes:
- Visitor Profiling: Tailoring redirections based on the user’s location and device.
- Lookalike Domains: Using domains that mimic famous brands to trick users.
- Typo-based Collection: Harvesting emails and traffic from users who make simple spelling errors in their browser.
- Fast Flux DNS: Using rare and complex DNS tricks to rapidly change IP addresses, making it nearly impossible for security systems to block the source.
The research highlights a troubling paradox: the fraud protection mechanisms used by large parking platforms are inadvertently helping criminals hide from security researchers. Furthermore, recent policy changes by Google appear to have inadvertently increased the risk level for everyday users.
Because the ecosystem involves multiple layers of advertisers, platforms, and domain holders, reporting abuse has become essentially impossible, leaving users vulnerable to a wide net of “advertising” content that is actually malicious software in disguise.
Source: Infoblox































