How parked domains became a cybercrime goldmine | Tech Radar
Overview
News, deals, reviews, guides and more on the newest computing gadgets
Start exploring exclusive deals, expert advice and more
Details
Unlock and manage exclusive Techradar member rewards.
Unlock instant access to exclusive member features.
Get full access to premium articles, exclusive features and a growing list of member rewards.
Parked domains are not dead web pages. They are cybercrime's hidden infrastructure
When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works.
Every day, millions of people type a web address into their browser, usually in a flurry of rapid keystrokes, and arrive exactly where they intended.
However, a small but significant number of people don’t.
They might miss a letter, type an extra letter in their haste, or get some letters mixed up. Instead of hitting linkedin[.]com, they hit linkdein[.]com. Those mistakes gave way to one of the internet’s least glamorous destinations – the parked domain.
Dr. Renée Burton is Vice President of Threat Intel for Infoblox.
Most internet users have encountered them at some point, even if they didn't know what they were looking at. Typically, a parked domain would just be a sparse, messy page filled with adverts and a search bar with very little else.
They existed because someone, somewhere, recognized that in the early days of the internet a percentage of users would inevitably mistype a popular website – so they registered the most similar-looking domain names for themselves in a move known as “typosquatting” and earned advertising revenue from the resulting traffic.
'A foundational block of modern cybercrime': The inside story of a 15,000+ website network using popular ad trackers to peddle AI investment scams
Why your next cybersecurity upgrade isn’t an AI agent—it’s a dot Brand domain name
Someone is impersonating our business: 5 ways to fight digital squatting
If just 0.1% of the millions of people accessing amazon[.]com accidentally went to the amazn[.]com domain they’d bought, that’s still a worthwhile payday. It was a mundane corner of the digital economy, built on convenience, coincidence, and the occasional typo.
History can be a harsh teacher, but it can also sow complacency. In 2026, a lot of security teams still regard parked domains as little more than lazy digital billboards – inconvenient and annoying, but not a meaningful security concern.
However, the infrastructure surrounding parked domains has evolved considerably from the amateurish, pop-up-ridden advertising pages of the early internet. What was once a simple case of opportunistic domain monetization now sits inside a far more complex ecosystem of advertisers, brokers, and traffic distribution networks.
In many cases, a user's accidental visit no longer ends on a parked page at all. Instead, it triggers a journey through a chain of intermediaries operating largely out of sight. Somewhere along that journey, legitimate advertising can give way to fraud, scams, and malware distribution.
In other words, one of the web's most familiar and overlooked mechanisms has become one of the most lucrative and insidious vehicles for cybercrime.
Huge hacking campaign uses spoofed Ghidra, dn Spy, and Spider Foot security tools to harvest ad revenue and serve malware
How scammers use "scraped New York Times content" to trick security scanners
Experts warn hackers are hiding malware inside Google's own ad systems — here's what we know
The transformation of parked domains from digital curiosities into cybersecurity risks has been subtle, and that’s one of the reasons it’s so dangerous. For decades, the model followed the same patterns – a user would land on a parked domain, see a collection of banners, click on something accidental or otherwise, and generate a small amount of revenue for the domain owner.
It was cynical, but at least it was transparent because users could at least see where they had ended up and decide for themselves what to do next – usually just close the tab and go where they meant to. The only real danger here came from the occasional misleading or malicious ad rather than the mechanics of the domain itself.
Today things are different. Changes within the online advertising industry, including tighter policies around traditional domain monetization, have encouraged cybercriminals and fraudsters to try new approaches to keep the train of monetization moving.
Increasingly, users who arrive at a parked domain don't encounter a parked page at all. Instead, they’re immediately redirected elsewhere through a process known as “zero-click advertising”, sometimes referred to as direct search.
What appears to be a simple typo can trigger a rapid auction in which a user's visit is bought, sold, and passed between multiple advertising partners before they ever see a destination website. Most of this activity unfolds in fractions of a second and entirely beyond the user's view, and while many of those transactions remain legitimate, the sheer complexity of the ecosystem creates opportunities for abuse.
Somewhere within that chain, traffic can be acquired by actors whose interests extend far beyond advertising revenue, opening the door to scams, malware, fraudulent software, and a host of other malicious outcomes.
One of the reasons parked domain abuse is still underestimated and difficult to pin down is that the attack path rarely follows a straight line. When most people imagine a cyberattack, they picture a malicious website waiting at the end of a link, ready to ensnare an unsuspecting user.
But in this case, by the time a user reaches the content they're ultimately shown, their traffic may have already passed through a maze of advertising exchanges, brokers, redirectors, and cloaking services.
Each participant sees only a fragment of the overall journey, making it remarkably difficult for the “good guys” to determine which “bad guys” are responsible for what. It’s a little like trying to investigate a crime scene where the evidence constantly rearranges itself.
The cowardly threat actors involved in this type of cybercrime exploit this ambiguity. They use sophisticated cloaking techniques which allow them to examine visitors before deciding which content to serve up – where are they based? What kind of browser are they using? What operating system is their device running?
A security researcher in California might see a harmless landing page, while a finance broker in London might be served up a credential harvesting scam. This selective delivery makes malicious activity harder to detect and even harder to reproduce.
What’s worse, parked domain abuse is rarely aimed at a specific industry or organization. The actors deploying parked domains are usually financially motivated, and their primary interest is in acquiring traffic, so they’re not going to discriminate.
Once they’ve ensnared a victim, they become a commodity moving through an invisible marketplace where every click has value and every redirection creates another opportunity for exploitation.
So where does all of this leave defenders? Parked domain abuse doesn’t behave like a conventional cyber threat. While security teams are used to investigating suspicious websites, malicious files, or compromised accounts that leave a relatively obvious trail, parked domain campaigns are different because the underlying traffic distribution is constantly changing.
The same typo domain can send one user down an entirely different path than the next. By the time an analyst attempts to recreate what a victim experienced, the route may no longer exist and any “evidence” has effectively evaporated. How do they defend against something they can't see or recreate?
One thing is guaranteed – regardless of how many redirects, intermediaries, cloaking systems, or advertising platforms sit between the initial typo and the final destination, every step in the journey depends on the domain name system (DNS). Often described as the internet's address book, DNS is responsible for translating domain names into the destinations users ultimately reach.
Put simply, each lookup leaves behind a breadcrumb that helps reveal relationships that would otherwise remain hidden, and that visibility has allowed researchers investigating typosquatted versions of well-known domains to follow the trail beyond the initial deception. Patterns start to emerge between seemingly unrelated cases of malware, involving the same parking providers, cloaking services, and traffic distribution infrastructure.
By examining historical DNS records and mapping the relationships between domains over time, it has become possible to connect incidents that appear to be unrelated and expose the networks operating behind them. Instead of playing “whack a mole” and chasing surface level domains, DNS mapping has allowed defenders to target the entire machine.
The greatest danger posed by parked domains isn't the typo itself, but the assumption that the infrastructure behind that typo is benign. For years, parked domains occupied a strange corner of the internet, largely ignored by security teams and rarely considered worthy of serious scrutiny.
But today, they offer cybercriminals something far more valuable than advertising revenue – access to legitimate systems, trusted business models, and vast streams of user traffic that can be manipulated and monetized at scale.
As threat actors continue to refine their use of cloaking, traffic distribution, and advertising networks, the distinction between legitimate online activity and malicious activity will become increasingly difficult to spot from the outside.
Protect yourself against malware with the best antivirus software.
This article was produced as part of Tech Radar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today.
The views expressed here are those of the author and are not necessarily those of Tech Radar Pro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit
You must confirm your public display name before commenting
1 Experts find attackers can exploit decades-old UEFI flaws to gain access to key systems
2 Spotify launches managed accounts for Free tier users
3 Microsoft just released its biggest Patch Tuesday ever
4 Should I buy Philips Hue Essential bulbs? Here's what you need to know
5 Microsoft deleted one man’s hacked One Drive with 25 years of media
Tech Radar is part of Future US Inc, an international media group and leading digital publisher. Visit our corporate site.
© Future US, Inc. Full 7th Floor, 130 West 42nd Street, New York, NY 10036.
Key Takeaways
- News, deals, reviews, guides and more on the newest computing gadgets
- Start exploring exclusive deals, expert advice and more
- Unlock and manage exclusive Techradar member rewards
- Unlock instant access to exclusive member features
- Get full access to premium articles, exclusive features and a growing list of member rewards



