Parked Domains: Why These 'Empty' Websites Are So Dangerous Now

Most people think of parked domains as empty lots on the internet.

No real website, just a generic page with some ads.

That picture is badly out of date.

Recent research from Infoblox, covered by Krebs on Security, found that in large experiments more than ninety percent of visits to parked domains sent people to scams, fake security software, or outright malware when the traffic came from normal home connections. About a decade ago, parked domains redirected to malicious content less than five percent of the time. Today the risk is flipped in the wrong direction. (krebsonsecurity.com)

For an average person, that math is brutal.

One typo in your bank name.

One old link in a text from a friend.

One click on a parked domain can be enough to lose control of an account or infect a device.

This guide explains how parked domains work, why they have become such a big problem, and how RedPhish helps block them before they cause damage.

Header image credit: Infoblox domain parking research.

---

Table of contents

• What is a parked domain
• How parked domains turned toxic
• Why parked domains are so painful for normal people
• How attackers abuse parked and abandoned domains
• Common ways you land on a parked domain without noticing
• What happens behind the scenes when you visit a parked domain
• How to protect yourself from parked domain traps
• How RedPhish helps detect and block parked domains

---

What is a parked domain

A parked domain is a domain name that is registered but does not host a normal website.

Instead of a real site, you usually see a simple page with search terms, ad links, or a message that the domain is for sale.

Parked domains are common for:

• Expired domains that still receive traffic
• Defensive registrations that companies never fully set up
• Typos or lookalike versions of real brands

For years these pages were annoying but mostly boring.

Now they are a popular staging ground for scams, redirects, and malware.

---

How parked domains turned toxic

Security firm Infoblox spent months measuring what happens when real users visit parked domains.

Their research, summarized by Krebs on Security, found that in large experiments more than ninety percent of visits from residential internet connections were sent to illegal content, scams, fake antivirus subscriptions, or malware landing pages. About ten years earlier, similar research had found that parked domains redirected users to malicious sites less than five percent of the time. (krebsonsecurity.com)

In other words, if you land on a parked page from your home wifi right now, the odds are high that a redirect chain will try to push you toward something harmful.

At the same time, the total pool of domains has exploded.

A Dark Reading analysis of DNSFilter data reported that new domains were the single biggest DNS threat category by query volume recently, and that almost forty percent of malicious DNS requests came from new domains. Attackers like new domains because they often slip past traditional blocklists. (darkreading.com)

Put those trends together and you get a simple story.

There are more domains than ever.

A growing share are risky.

And parked domains in particular have shifted from background noise to active attack surface.

---

Why parked domains are so painful for normal people

Most research focuses on how criminals abuse parked domains at a technical level.

The human side is simpler.

Parked domains punish tiny, everyday mistakes.

Scenario 1: The bank typo that drains a paycheck

You are half awake and trying to check your bank balance on your phone.

You type your bank name slightly wrong, swapping two letters in the address.

The typo domain is parked and wired into an aggressive redirect chain.

Infoblox found that for people visiting from home connections, more than nine times out of ten the click did not stay on the innocent looking parking page. Instead the visit was sold to a chain of advertising and scam partners, and within a couple of redirects many test users landed on pages that:

• Pretended to be a bank login
• Announced a locked account and asked them to "secure" it
• Pushed fake security scans that tried to install real malware (krebsonsecurity.com)

You did not search for anything shady.

You just mistyped one character.

Scenario 2: The old online store that now bites back

Maybe you bought a gift from a small online store a couple of years ago.

You saved the site in your browser history or an old email.

The store closed.

No one renewed the hosting.

Now the domain sits at a parking company.

The next time you click that old link, you see what looks like a normal page for a moment.

Then your browser jumps to a "limited time giveaway" that asks you to enter your address and payment card for shipping.

Because you remember the brand name, it feels familiar enough that you do not notice the switch in time.

Scenario 3: Kids, games, and "free" add ons

A child searches for free game coins or cheats.

They click a result that uses the name of their favorite title with an extra word on the end.

The domain is parked and connected to a redirect chain that sends young visitors to fake download pages and subscription traps.

Kids are less likely to spot the trick.

Parents only see the result on the card statement.

In each case, the pain is very real.

Money gone.

Devices infected.

Accounts locked behind fraud checks and password resets.

What ties these stories together is that the first step is completely normal behavior that many people repeat every day.

---

How attackers abuse parked and abandoned domains

Parked domains are not the only DNS related risk, but they are part of a bigger pattern.

Krebs on Security has described "sitting duck" domains, where misconfigured DNS and weak verification let attackers claim old domains at certain DNS providers without touching the original registrar account. Researchers estimated around one million such vulnerable domains, with at least tens of thousands hijacked for malicious use in recent years. (krebsonsecurity.com)

BleepingComputer reported on a large spam and malvertising campaign known as SubdoMailing, where threat actors hijacked thousands of legitimate domains and subdomains from major brands and used them to send millions of malicious emails per day that redirected victims to scams. (bleepingcomputer.com)

A separate BleepingComputer report showed that even mainstream malware families like Emotet have used parked domains to deliver payloads during big phishing campaigns. Out of millions of newly parked domains observed in that study, about one percent ended up in malware or phishing campaigns. (bleepingcomputer.com)

These numbers highlight a key point.

Attackers love domains that look legitimate.

Expired brand domains.

Abandoned subdomains.

Typos that are one letter away from a real bank or store.

Parked domains often sit right in that overlap.

They receive real users by accident.

They inherit the trust of whatever brand or keyword they resemble.

Once an attacker can buy or influence the traffic from a parking company, those visitors become an easy revenue stream.

---

Common ways you land on a parked domain without noticing

You do not wake up planning to visit a parked domain.

You end up there through normal behavior.

Some of the most common paths include:

• Typing a URL by memory
  Small spelling errors or swapped letters send you to a parked typo domain instead of the real site.
• Clicking old bookmarks and emails
  Sites that used to be legitimate can expire, change owners, or shift to parking.
• Following links in texts and social posts
  A friend pastes a URL they remembered, not the exact address. That small mistake ends at a parked domain.
• Copying links from unofficial tutorials or forums
  Out of date guides often include domains that no longer host the original content.
• Scanning QR codes
  A code points to a domain that now resolves to a parking provider instead of the intended store or restaurant.

None of these actions feel risky in the moment.

That is exactly why parked domains are so powerful for attackers.

---

What happens behind the scenes when you visit a parked domain

From the user point of view, you see a quick flash of one page, then another.

Behind the scenes, a lot more is happening.

Infoblox researchers, as reported by Krebs on Security, found that:

• Parking companies often sell your visit to an ad buyer in real time
• That buyer may resell the click again to another party
• Each handoff can profile your device, IP address, and browser
• The final result is either a malicious page or a harmless decoy

In many tests, the malicious redirect only fired for visitors on residential IP addresses.

People using virtual private networks or corporate connections often saw a tame parking page instead. (krebsonsecurity.com)

That split behavior helps attackers in two ways.

It keeps automated scanners and corporate security tools from easily seeing the malicious side.

It focuses scams and malware on the high value victims that matter most to criminals.

Normal home users.

Mobile devices.

Small business owners working from a home connection.

To make detection even harder, many parked domains use long chains of redirects or short lived domains.

If one link in the chain is blocked, they swap it out and keep going.

Dark Reading coverage of DNSFilter data noted that one out of every 174 DNS requests was malicious during a recent measurement period, and that phishing and malware queries had both grown. That is the wider backdrop behind what happens when a parked domain sells your click into the open DNS threat ecosystem. (darkreading.com)

---

How to protect yourself from parked domain traps

You cannot control what parking companies or attackers do.

You can change the odds that you will ever see their traps.

1. Rely less on typing addresses from memory

Bookmarks are your friend.

If you visit a bank, email provider, or favorite store often, save the real site as a bookmark.

Use that saved link instead of typing the name every time.

Password managers help here too.

They only autofill on the correct domain, which makes it easier to spot lookalikes.

2. Treat new and odd domains with extra suspicion

Dark Reading reports that new domains now account for a large share of malicious DNS traffic, and that attackers like them because they often slip past blocklists at first. (darkreading.com)

If a link points to a domain you do not recognize, pause.

Ask yourself whether it makes sense for that brand or service.

3. Watch for the telltale signs of parking

Common clues include:

• A page covered in generic keyword links
• Prominent "buy this domain" or "this domain may be for sale" messages
• Ads that do not match what you expected from the name

If you see one of these, close the tab.

Do not click anything, including the search box.

4. Go back to a known good path

If you wanted to reach your bank, type the bank name into a search engine or use your bookmark.

If you wanted a store, search for the brand and check that the domain and top result match what you remember.

For services like government portals, email, or medical providers, use saved links from earlier confirmations or official documents.

5. Use protection that focuses on domains and redirects

Modern browser security is less about scanning files and more about understanding web traffic.

Tools that score domains, analyze redirects, and recognize risky patterns can stop many parked domain attacks before the page loads fully.

---

How RedPhish helps detect and block parked domains

RedPhish runs in the browser where parked domain attacks actually happen.

It focuses on how real users browse, not just on static lists.

Here are a few very short examples of how it helps.

• Typosquatted bank domains
  You mistype your bank address and land on a parked typo domain that secretly chains through multiple redirects. RedPhish scores the domain, sees the suspicious redirects and content patterns, and blocks the page before you reach the fake login.

• Expired store links in old emails
  You click an old order confirmation that now points to a parked domain selling your click to scam advertisers. RedPhish detects the risky parking and redirect behavior and stops the load with a clear warning.

• Kids clicking on "free coins" sites
  A child taps a search result that leads to a parked domain promising free game currency. RedPhish sees that the domain is newly created, parked, and using aggressive redirects to shady download pages, and quietly blocks it so the child never sees the trap.

For normal users, the goal is simple.

You keep browsing.

RedPhish takes the hit from the parked domains so you do not have to.