CyberWire Daily - The parking lot of digital danger. [Research Saturday]
Episode Date: February 28, 2026
This week we are joined by Dr. Renée Burton, Vice President of Infoblox Threat Intel, discussing "Parked Domains and Direct Search: An Underreported Security Risk." Parked domains are no longer harmless ad pages — new research finds that in today's "direct search" or zero-click parking ecosystem, more than 90% of visits to certain parked lookalike domains lead to scams, malware, or deceptive content, often hidden behind layers of traffic distribution systems and device fingerprinting. The report details three previously unpublished domain portfolio actors who weaponize typosquatting, DNS manipulation — including rare "double fast flux" techniques highlighted in a 2025 advisory from the Cybersecurity and Infrastructure Security Agency — and even misconfigured name server records to evade detection and funnel real users toward malicious advertisers. Beyond malvertising, some parked lookalike domains collect misdirected email, fuel business email compromise, and exploit outdated links — including those surfaced by generative AI — underscoring how a simple typo can expose users and enterprises to significant risk. The research can be found here: Parked Domains Become Weapons with Direct Search Advertising
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello everyone and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities,
solving some of the hard problems and protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
This came to our attention because we were basically,
visiting a website to check it out for research purposes, which we expected to be parked.
In other words, we expected it to just show that splash screen that we've all seen for decades
that says, this domain may be available for sale. And instead, it was like a whip, whip, whip.
And suddenly you had a thing that said, there's a virus on your machine.
That's Dr. Renée Burton, Vice President of Infoblox Threat Intel. The research we're discussing today is titled
"Parked Domains and Direct Search: An Underreported Security Risk."
So we realized, wait a second, that's not parked.
And then tried to understand, like, how large is this problem?
So can we just start with some basic stuff here?
I mean, when we talk about a parked domain,
what do most people expect that to mean?
And what did your team find instead?
So a parked domain traditionally is for domain monetization. There's a whole industry in this, and I'm certainly
not one of those domain monetization experts, but essentially they buy large numbers of
domains that are typos. There are natural things that you would, you know, in the classic
sense of parked domains, they would buy, you know, one finger off type of whatever you were going
to type. Netflix.com instead, maybe that, you know, L would be a K or something.
And then that would go to a parking service, which would show ads or show the ability to
click into ads.
There's a couple of different ways that it would work.
Essentially, it doesn't do much, right, other than showing you that the domain may be available
for sale, or it might show you a few ads, or it might allow you to click in and search
for content.
So your research talks about two different things here.
Direct search and zero-click parking.
Can you suss out those for us?
We found those are essentially names that different people are using for the same concept.
If we think of the classic parking and domain parking monetization,
you would accidentally type the domain wrong, right?
You type Netflix wrong, and instead you get the splash
screen that says, you know, do you want to look for streaming videos? And it's essentially a
boring page. It says it's parked. It might say it's parked at this particular location like GoDaddy
or ParkingCrew or something. And then you would have to interact with that. What they did was
they added a feature. And it's actually, as far as I can tell, well over a decade ago, it just
hasn't really gained recognition within the security community,
that instead of selling an ad by having to have you click twice,
that is you mistyped the Netflix,
and now you have to click in to see the ad for streaming services,
I'm just going to help you.
I'm just going to directly drive you to an advertisement
that is what you must be looking for.
So in theory, that's what it's supposed to be:
taking you directly to an ad, so there's zero clicks or direct search.
And so what was the aha moment for you to realize that this was something being weaponized?
About a year ago, certainly in February maybe of this past year, 2025,
we realized that we could take domains that were parked, in essence,
when we looked at them through a normal security,
you know, a scanner service,
they would show up as parked.
And yet they had a different IP address.
And so we could take that IP address,
any domain on that IP address,
and we would search it instead from a home address,
from a residential proxy or from our home addresses themselves,
and we could get malicious content every single time.
And in some of the cases,
we could get the same malicious content every single time.
So we did that with Serbel as a partner early on and then started realizing,
wait a second, this is really big.
It's a lot more problematic than any of us had ever noticed or seen before, largely,
because when you try to scan it from any kind of normal scanning infrastructure,
it will just show the boring parking pages.
The research has a story about IC3.org, which I think really kind of walks us through what you all were dealing with here.
Can you share that example with us?
Yeah, that was really horrible.
My uncle-in-law, I was visiting, and my uncle-in-law realized that his Bitcoin had been stolen.
He had a very, very large amount of money stolen from Bitcoin, from his
Bitcoin wallet. And so we said, what you need to do is report that to the FBI. And someone
sent me the link, another researcher, and they made a typo. So they typed it as IC3.org instead of
ic3.gov, which is the real website. And I was in a panic because it's, you know, my uncle's just
lost hundreds of thousands of dollars. Right. So I clicked on it from my
phone and it immediately came up with, you know, you have a virus on your phone.
And then we realized, wait a second, this is yet another one of these lookalikes that a malicious
actor holds onto.
But there's more to it than that, because you scanned it as a defender and
you had a different experience.
Exactly, yes. So that particular domain belonged to one of the,
quote, parking actors that we've tracked
that are separate from the parking platforms, right?
There were actual domain holders, or they call themselves domainers.
And what we found was
if you scan that from a variety of different locations,
like as a defender from a normal thing,
you're going to get something that just says the domain is parked.
But if you scan it from other locations,
including residential proxies,
you might get a scam,
you might get malware information,
stealers, remote actors, Trojans.
It will vary, but it will always be bad.
It's always going to be bad.
Well, help us understand, I mean, how does this work behind the scenes?
How does this traffic get sold from a parked domain to advertisers or folks who are up to no good?
Yeah, there seems to be two different types of situations.
So one is where people have actually parked their
domains directly with the parking companies.
So there's two different situations.
One is where domainers and domain holders and domain investors, as they might call themselves,
are parking with a parking service and they've opted in to this direct search.
That case is somewhat common and there are both small holders and large holders who do that.
The other case is where the domainer or the domain
investor themselves is a bad actor. And those are three of the ones that we published about. So
in those three cases, they actually make a decision about the user. So when you visit the website,
they do some fingerprinting on the operating system, the browser, and the location. And then they
determine whether they're going to send you forward to a boring parking page or they're going to
sell your traffic to one of these other direct searches, as well as other advertisers.
And then from the parking platform's perspective, essentially the same kind of things go on.
These parking platforms, the big ones, they have very sophisticated anti-fraud mechanisms.
And essentially, those anti-fraud mechanisms are really good cloaking mechanisms and fingerprinting
mechanisms. In other words, they're able to tell that you are a defender very quickly and very
precisely because they've spent a lot of money on it. That essentially allows them to, again,
redirect any kind of security scanning traffic into a boring page, and then otherwise they sell it
to yet again another third-party advertiser. And it's in those resells that we saw the malicious
content happening.
We'll be right back.
Now, you all ran some pretty large-scale experiments here, and you saw a lot of illegal content.
I mean, sometimes it was over 90%.
How did you go about this testing, and how do you tally up what's counted as malicious versus just maybe a nuisance or unwanted?
Yeah.
So what we did, we've actually scanned thousands and thousands.
We have a pretty complex architecture that we've developed,
a lot of our research is in traffic distribution systems,
in cloaking and that kind of thing.
So we have a large infrastructure that essentially pretends
it's in different locations, it's different kinds of devices,
and then it scans through when we record every little piece of information along the way.
And then because of the size of the scans,
we're then able to go and look at the landing pages
and take those domains and know,
and look at what do we know about those already?
Again, because our expertise is in domain names,
typically we'll be able to say,
okay, this group of things is a known malware
or a known scam actor, that kind of thing.
And then we're able, for the ones that needed manual review,
which actually wasn't that many,
because of the way the processes work,
we would go through and look at that as well.
There's not a lot
that qualifies as, you know, unwanted or irrelevant.
I think 10% is sort of being generous about what we actually saw.
I think more often those end up to be cloaking,
but they weren't things we could prove, right?
So we left it as sort of this 10% goes to this kind of benign content.
What about the ad industry themselves?
I mean, where's the line between legit parking platforms
and these folks who are taking advantage of users?
I think it's really complicated.
We did talk to multiple large parking platforms.
They're really large, well-established companies
that have been around for a couple of decades,
and we showed them signs of abuse
and talked about how they do their customer vetting.
So they have KYC, know your customer type mechanisms in place.
And those are fairly robust at these large companies.
The problem is that they sell that traffic to somebody whose identity they have verified,
and then that person sells it to yet another one.
And we end up largely in the affiliate advertising space where
those kind of know-your-customer checks are not being made,
and there's just really unethical small advertising companies
that are buying the traffic because they want to;
they're willing to pay for it.
So it's all about money, right?
Some of the larger vendors,
specifically we had a lot of really good conversations
with Team Internet, which is a really large
German company with a number of companies
underneath it, ParkingCrew and Zeropark.
And they explain that, you know, it's pretty hard, but it is possible that actors can do these kind of domain laundering type activities where they are able to manipulate the parked domain and then how it's going to get bought on the other side because they're all subscribing to certain keywords and other features that are going to be sold.
Essentially, like, here's the fingerprint of the user I'm looking for and here's some of the
keywords that I'm buying traffic for. And they used that as an explanation of why
Serbel and we were able to repeatedly get the same content over and over again. In our earlier
research we didn't see that that often, but that was something that on occasion we were able to do.
Help me understand why detecting this is so hard.
The main reason that detecting it is so hard is because
the decoys work really well. So they are able to fingerprint
the user, and if they see something that in any way looks like
a security service or a VPN or any kind of,
you know, any kind of non-victim, right?
So if it's like, it doesn't match the victim criteria,
then they'll just punt it into a decoy.
The decoy will typically be a parking page,
but it could just be like an Amazon page
or Netflix page or some other Google search boring page.
So especially when you combine that,
the actors themselves may have some of this cloaking,
you know, cloaking is the word that we would use, right?
Fingerprinting that's going on.
When you combine that with the large parking companies,
and they're using commercial high-grade anti-fraud mechanisms
to prevent things like residential proxies and VPNs from getting through,
it just provides a really great cloak that you can't repeat.
And then you also can't repeat the same thing over and over again.
Every time you scan it, you're very likely to get different content.
And that makes it really tricky for security teams.
So then based on what you all have gathered here,
what are your recommendations for security teams?
What should they do to defend against this sort of thing?
The reality is that I think parking is extraordinarily dangerous.
So for high-risk enterprises, I would look to make sure you block parking.
A lot of them already do that, but a lot do not,
because they think of it as something that's fairly benign. The other thing is whenever a user
says, hey, you know, I was doing something and I had this warning pop on my screen, whether it
being antivirus or shopping or some kind of unwanted content, and then I couldn't repeat that.
That's a sign that you've got maybe parking, but you certainly got a traffic distribution
systems or cloaking in place that the security team will want to look at.
You know, at the risk of sounding, you know, flippant here,
it sounds to me like there's a market for some product that makes your internet presence
look like you're a security researcher.
Yes, exactly.
Right.
Probably perfect, actually.
Yeah, so nobody will, you know, serve you up any malware to send you on your way.
Are you exactly?
Our thanks to Dr. Renée Burton from Infoblox Threat Intel for joining us.
The research is titled Parked Domains and Direct Search,
an underreported security risk.
We'll have a link in the show notes.
And that's Research Saturday, brought to you by N2K CyberWire.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show,
please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
This episode was produced by Liz Stokes.
We're mixed by Elliot Peltzman and Trey Hester.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here next time.
