Executive Summary
In late 2025, security researchers uncovered that over 90% of parked domains—unused, expired, or misspelled web addresses—were actively redirecting visitors to malicious destinations, including scams, malware, and deceptive subscription offers. Utilizing techniques like device fingerprinting, IP geolocation, and chained redirects, threat actors profited by manipulating the domain parking ecosystem, turning innocuous navigation mistakes into vectors for malware delivery and fraud. The campaign targeted high-profile brands and government offices, often bypassing detection by profiling user access (e.g., residential IPs or VPN use), with some domains weaponized for business email compromise.
This incident highlights an alarming shift: parked and typo domains are now a primary malvertising risk, not a minor threat. As domain registration and ad platform policies evolve, attackers rapidly adapt, exploiting weaknesses in digital trust and endpoint security. Organizations must broaden threat detection and policy enforcement to address direct navigation attacks and affiliate-driven malvertising.
Why This Matters Now
The expanded abuse of parked domains as malvertising hubs means even legitimate-looking URLs or minor typing mistakes can put users and organizations at risk of fraud, malware, or data theft. With dynamic affiliate networks, evasive redirection logic, and the scale of typosquatting, conventional threat detection is insufficient. Addressing this threat requires urgent modernization of DNS hygiene, segmentation, and user awareness.
Attack Path Analysis
The attack began with users directly navigating to typosquatting or parked domains that redirected them to malicious destinations. Once a visitor arrived, attackers used malicious redirects and system profiling to attempt privilege escalation, for example by targeting browser vulnerabilities or pursuing email compromise through domain misconfiguration. Lateral movement occurred where infected endpoints could be leveraged within organizations, potentially through internal flows or credential theft. Command and control channels were established via malicious landing pages that communicated back to attacker infrastructure. Exfiltration followed as malware harvested credentials or sensitive data and sent it externally. Ultimately, the impact ranged from end-user scams and information theft to potential business email compromise or malware deployment.
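The chained redirects described above leave a trace in forward-proxy or web-gateway logs: a direct navigation to one domain followed by several 30x hops across unrelated registrable domains, often carrying affiliate or click-tracking parameters. The following added example, which is not code from this brief, scores such a recorded chain. The Hop records, the *.test hostnames and the AFFILIATE_KEYS list are constructed assumptions; the registrable-domain helper is a simplification that a real deployment would replace with a public suffix list lookup.

```python
"""Score a recorded HTTP redirect chain for the hallmarks of parked-domain
malvertising: several 30x hops, hops that cross registrable domains, and
affiliate/tracking parameters on the intermediate URLs.

Added illustration, not code from the brief. Hop records, hostnames and
AFFILIATE_KEYS are constructed assumptions."""
from collections import namedtuple
from urllib.parse import parse_qs, urlsplit

# One proxy record per hop: the URL requested, the status returned, and the
# Location header (None on the final page).
Hop = namedtuple("Hop", "url status location")

# Constructed example: a typo of a bank domain bounces through a parking
# service and a click tracker before landing on a prize-scam page.
SUSPICIOUS_CHAIN = [
    Hop("http://examp1e-bank.test/", 302,
        "http://ads.parking-example.test/r?aff=772&sub=typo"),
    Hop("http://ads.parking-example.test/r?aff=772&sub=typo", 302,
        "http://go.track-example.test/c?cid=9"),
    Hop("http://go.track-example.test/c?cid=9", 302,
        "https://win-prize-example.test/offer"),
    Hop("https://win-prize-example.test/offer", 200, None),
]

# Constructed benign chain: a plain HTTP-to-HTTPS upgrade on one site.
BENIGN_CHAIN = [
    Hop("http://www.example-shop.test/", 301, "https://www.example-shop.test/"),
    Hop("https://www.example-shop.test/", 200, None),
]

# Query-string keys typical of affiliate/click-tracking links (assumed list).
AFFILIATE_KEYS = {"aff", "affid", "sub", "subid", "cid", "clickid", "utm_campaign"}


def registrable(host):
    """Approximate eTLD+1 as the last two labels. A real deployment should
    consult the public suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_chain(hops):
    """Return a verdict dict for one chain of Hop records."""
    # Reject truncated captures: each Location must be the next requested URL.
    for cur, nxt in zip(hops, hops[1:]):
        if cur.location != nxt.url:
            raise ValueError(f"chain broken after {cur.url}")
    typed = registrable(urlsplit(hops[0].url).hostname)
    domains = []          # registrable domains in visit order, de-duplicated
    affiliate_hops = 0
    redirects = 0
    for hop in hops:
        parts = urlsplit(hop.url)
        dom = registrable(parts.hostname)
        if not domains or domains[-1] != dom:
            domains.append(dom)
        if AFFILIATE_KEYS & set(parse_qs(parts.query)):
            affiliate_hops += 1
        if 300 <= hop.status < 400:
            redirects += 1
    cross = len(domains) - 1
    score, reasons = 0, []
    if domains[-1] != typed:
        score += 2
        reasons.append("lands on a different registrable domain than the one typed")
    if cross >= 2:
        score += 2
        reasons.append(f"{cross} cross-domain hops")
    if affiliate_hops:
        score += 1
        reasons.append(f"{affiliate_hops} hops carry affiliate parameters")
    return {
        "typed": typed,
        "final": domains[-1],
        "redirects": redirects,
        "cross_domain_hops": cross,
        "affiliate_hops": affiliate_hops,
        "score": score,
        "verdict": "suspicious" if score >= 3 else "benign",
        "reasons": reasons,
    }


if __name__ == "__main__":
    for chain in (SUSPICIOUS_CHAIN, BENIGN_CHAIN):
        print(analyze_chain(chain))
```

Because the campaign profiled visitors by IP type and device before choosing a destination, a chain captured from a corporate egress address may be shorter or land somewhere benign; the same scoring can be applied to chains recorded from several vantage points (for example a residential connection and a VPN exit) and the results compared.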
Kill Chain Progression
Initial Compromise
Description
Users visited typosquatting or parked domains which immediately redirected them to malicious sites hosting scams, malware, or phishing pages.
Related CVEs
CVE-2025-XXXX
CVSS 8.5
A vulnerability in domain parking services allows attackers to redirect users to malicious content, leading to potential malware infections and scams.
Affected Products:
Various Domain Parking Services – All versions
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Phishing: Spearphishing Link
Valid Accounts: Email Accounts
Search Victim-Owned Websites: Domain Registration Hijacking
User Execution: Malicious Link
Exploit Public-Facing Application
Phishing for Information: Spearphishing via Service
Input Capture: Keylogging
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Address Malicious Software
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 6
CISA Zero Trust Maturity Model 2.0 – Malicious Domain and Typosquatting Defense
Control ID: Identity Pillar – Threat Detection
NIS2 Directive – Technical and Organizational Measures: Security of Network and Information Systems
Control ID: Article 21.2(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Banking/Mortgage
Financial institutions face severe risks from typosquatting domains targeting customer logins, enabling credential theft and business email compromise attacks through malicious redirects.
Internet
Domain parking companies and DNS service providers are directly implicated in the malvertising ecosystem and require enhanced egress security and traffic inspection capabilities for protection.
Government Administration
Government domains are increasingly targeted by typosquatters, with the IC3.org case demonstrating the public sector's vulnerability to credential harvesting and citizen data compromise.
Computer Software/Engineering
Software companies require zero trust segmentation and threat detection capabilities to prevent lateral movement from compromised users visiting malicious parked domains.
Sources
- Most Parked Domains Now Serving Malicious Content – https://krebsonsecurity.com/2025/12/most-parked-domains-now-serving-malicious-content/
- Horrid Hawk: New Domain Hijacking Threat Actor – https://www.infoblox.com/threat-intel/threat-actors/horrid-hawk/
- Infoblox Unveils 2025 DNS Threat Landscape Report, Revealing Surge in AI-driven Threats and Malicious Adtech – https://www.infoblox.com/news/news-events/press-releases/infoblox-unveils-2025-dns-threat-landscape-report-revealing-surge-in-ai-driven-threats-and-malicious-adtech/
- DNS Predators Hijack Domains to Supply their Attack Infrastructure – https://www.infoblox.com/blog/threat-intelligence/dns-predators-hijack-domains-to-supply-their-attack-infrastructure/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying Zero Trust segmentation, egress security, inline threat detection, and enhanced east-west controls would have prevented, detected, or limited exploitation from malicious parked/typosquatting domains and malware propagation. CNSF-aligned controls reduce attack surface and block dangerous outbound connections, impeding attacker progress across the kill chain.
Control: Cloud Firewall (ACF)
Mitigation: Malicious domains and URLs would be blocked at the perimeter.
Control: Threat Detection & Anomaly Response
Mitigation: Credential misuse and unauthorized behaviors would raise alerts.
Control: Zero Trust Segmentation
Mitigation: Segmentation would restrict movement between workloads and sensitive zones.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound C2 traffic would be blocked or flagged.
Control: Inline IPS (Suricata)
Mitigation: Data exfiltration attempts would be detected and prevented.
Real-time visibility enables fast containment and remediation of affected instances.
Impact at a Glance
Affected Business Functions
- Web Traffic Management
- Brand Reputation
- Customer Trust
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of user data through malicious redirects and phishing attacks.
Recommended Actions
Key Takeaways & Next Steps
- Deploy outbound URL filtering and DNS-layer security to prevent access to high-risk parked and typosquatting domains.
- Enforce Zero Trust segmentation and microsegmentation to contain any malware or credential harvesting incidents within the network or cloud.
- Implement active egress policy controls to block unauthorized communications and data exfiltration to attacker infrastructure.
- Utilize inline IPS/IDS and threat detection to surface malicious behaviors and stop attack progression before exfiltration or impact.
- Maintain centralized observability and policy governance for rapid detection, incident response, and containment across multicloud resources.
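The first recommendation, DNS-layer filtering of typosquatting domains, can be driven from the resolver's own query logs: lookups whose registrable domain is one edit away from a protected brand domain are the direct-navigation mistakes this brief describes. The following added example, which is not code from this brief or from any CNSF product, finds such look-alike queries in constructed resolver log lines and emits an RPZ-style block list. The log format, the PROTECTED brand list and the client addresses are constructed assumptions.

```python
"""Flag DNS lookups for look-alike (typosquat) domains of protected brand
domains and emit DNS RPZ records that a policy-capable resolver can load.

Added illustration, not code from the brief. Log format, brand list and
client addresses are constructed."""
import re

# Domains the organization owns or wants to protect (constructed).
PROTECTED = {"examplebank.com", "example.gov"}

# Constructed resolver log lines: timestamp, client, query name, record type.
SAMPLE_LOG = """\
2025-12-02T10:14:01Z client=10.0.4.17 query=www.examplebank.com type=A
2025-12-02T10:14:05Z client=10.0.4.17 query=www.exanplebank.com type=A
2025-12-02T10:15:11Z client=10.0.7.3 query=examplebank.co type=A
2025-12-02T10:16:40Z client=10.0.9.8 query=mail.example.gov type=MX
2025-12-02T10:17:02Z client=10.0.9.8 query=exmaple.gov type=A
2025-12-02T10:18:22Z client=10.0.2.2 query=unrelated-site.org type=A
"""

LINE_RE = re.compile(r"client=(?P<client>\S+) query=(?P<qname>\S+) type=")


def registrable(name):
    """Approximate eTLD+1 as the last two labels; use the public suffix
    list in production."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def dl_distance(a, b):
    """Damerau-Levenshtein distance (optimal string alignment), so that a
    transposed pair such as 'exmaple' vs 'example' counts as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,        # deletion
                          d[i][j - 1] + 1,        # insertion
                          d[i - 1][j - 1] + cost) # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def find_lookalikes(log_text, protected=PROTECTED, max_distance=1):
    """Return one hit per log line whose registrable domain is within
    max_distance edits of a protected domain but is not that domain."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # tolerate unparseable lines rather than abort
        qname = m["qname"].lower().rstrip(".")
        dom = registrable(qname)
        if dom in protected:
            continue  # exact match: legitimate traffic to the brand itself
        for brand in sorted(protected):
            dist = dl_distance(dom, brand)
            if dist <= max_distance:
                hits.append({"client": m["client"], "qname": qname,
                             "registrable": dom, "lookalike_of": brand,
                             "distance": dist})
                break
    return hits


def rpz_rules(hits):
    """Build RPZ records: 'name CNAME .' returns NXDOMAIN for the domain and
    its subdomains. A monitoring-only rollout would log instead of block."""
    rules = set()
    for h in hits:
        rules.add(f"{h['registrable']} CNAME .")
        rules.add(f"*.{h['registrable']} CNAME .")
    return sorted(rules)


if __name__ == "__main__":
    found = find_lookalikes(SAMPLE_LOG)
    for h in found:
        print(f"{h['client']} looked up {h['qname']} "
              f"(distance {h['distance']} from {h['lookalike_of']})")
    print("\n".join(rpz_rules(found)))
```

Keeping the distance threshold at one edit keeps false positives low on short brand names; for long names a threshold of two is usually tolerable, and the client field in each hit identifies the workstation whose user mistyped the address and should be checked against the proxy record of what the redirect chain then delivered.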