One wrong letter can now land you on malware, not a dead page: Infoblox Report
We’ve all been there. You’re typing a familiar web address (gmail.com, netflix.com), but your fingers move a little too fast, and suddenly you’re not where you expected to be. Instead of your inbox or streaming queue, you land on a generic-looking page filled with ads, often labelled as a "parked" domain. It’s an annoyance, a minor detour online. You close the tab and try again.
Have you ever wondered what's really going on when that happens? According to a major new research report by Infoblox, this seemingly harmless mistake has evolved into a sophisticated and highly dangerous cyber threat vector. This is no longer a simple typo. It's a calculated strategy known as typosquatting, part of a larger arsenal including combosquatting, level-squatting, and homograph attacks, all designed to weaponise your mistakes. Here are the most surprising findings that show how the game has changed.
That Annoying Ad Page Is Now Over 90% Malicious
The most significant change is the dramatic escalation of risk. For years, parked domains were a low-threat environment. A 2014 study found that parked domains redirected to malicious sites less than 5% of the time, and typically only when a visitor clicked a link. Today, that risk profile has been completely inverted.
Infoblox recently conducted large-scale experiments and found that the vast majority of visits to parked domains now lead directly to dangerous content. This redirection often occurs automatically when your browser loads the page. The threat is no longer a small possibility; it’s the most likely outcome.
"In large-scale experiments, we found that over 90% of the time, visitors to a parked domain would be directed to illegal content, scams, scareware and anti-virus software subscriptions, or malware, as the ‘click’ was sold from the parking company to advertisers, who often resold that traffic to yet another party."
You're Being Profiled to See if You're a Worthy Target
Threat actors are not blindly distributing malware to every visitor. They employ a technique known as "cloaking," or conditional delivery, to conceal their activities from security researchers while targeting real users. When you visit one of these malicious parked domains, a system in the background instantly profiles you. If your visit comes from a known corporate network, a website scanner, or a Virtual Private Network (VPN), you’ll be shown a benign, harmless-looking parking page. This makes the domain appear safe to automated security systems.
However, if your visit originates from a residential IP address, such as your home network or mobile device, you are identified as a potential victim and immediately redirected to malicious content, including a ClickFix attack that delivers what security vendors detect as Babar malware.
The underlying mechanism is a Traffic Distribution System (TDS). In simple terms, a TDS is a central hub that acts like a malicious traffic cop. It analyses visitors based on their IP address, device type, location, and other characteristics before funnelling them toward a final payload. What makes a TDS so dangerous is its complexity; malicious TDS networks use significantly longer redirection chains and more interconnected URLs than benign systems, creating a labyrinth designed to hide the final payload from security tools.
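The report's TDS signature (long redirect chains that hop across many hosts) can be measured from the defender's side. The snippet below is an added example, not Infoblox tooling: it walks a chain of constructed HTTP responses offline, resolves relative Location headers as a browser would, stops on loops, and scores the chain by hop count and distinct hosts; the thresholds are constructed illustrations.

```python
"""Walk an HTTP redirect chain offline and score it the way a TDS-hunting
analyst would: hop count and how many distinct hosts the chain crosses.
Example code added to this article; not Infoblox tooling. The response map
and thresholds are constructed illustrations."""
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for live HTTP responses: url -> (status, Location).
# A 200 with no Location ends the chain.
CONSTRUCTED_RESPONSES = {
    "http://netflx-example.test/": (302, "http://park.example-ads.test/?d=netflx-example.test"),
    "http://park.example-ads.test/?d=netflx-example.test": (302, "http://tds1.example-traffic.test/r"),
    "http://tds1.example-traffic.test/r": (302, "/go?c=residential"),
    "http://tds1.example-traffic.test/go?c=residential": (302, "http://tds2.example-affil.test/land"),
    "http://tds2.example-affil.test/land": (302, "http://scareware.example-payload.test/alert.html"),
    "http://scareware.example-payload.test/alert.html": (200, None),
}

def follow_chain(start, responses, max_hops=20):
    """Return the ordered list of URLs visited, stopping on a final page,
    an unknown URL, a redirect loop, or max_hops. Relative Locations are
    resolved against the current URL, exactly as a browser would."""
    chain, seen, url = [start], {start}, start
    while len(chain) <= max_hops:
        status, location = responses.get(url, (None, None))
        if status is None or not (300 <= status < 400) or not location:
            break
        url = urljoin(url, location)
        if url in seen:          # redirect loop: stop, do not spin forever
            break
        seen.add(url)
        chain.append(url)
    return chain

def chain_metrics(chain):
    """Hop count and distinct hosts; long, multi-host chains are the TDS
    signature the report describes."""
    hosts = [urlsplit(u).hostname for u in chain]
    return {"hops": len(chain) - 1, "distinct_hosts": len(set(hosts)), "hosts": hosts}

def is_suspicious(metrics, max_hops=3, max_hosts=2):
    """Constructed thresholds: benign redirects (http->https, www canonicalisation)
    rarely exceed a few hops or leave the owner's hosts."""
    return metrics["hops"] > max_hops or metrics["distinct_hosts"] > max_hosts
```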
A Typo Can Do More Than Misdirect - It Can Intercept Your Email
The threat now extends beyond malicious websites. Some of the most sophisticated actors are using typosquatted domains to intercept sensitive communications.
For example, researchers identified a threat actor associated with the name server torresdns[.]com who registered the domain gmai[.]com (a common typo for gmail.com).
This actor didn't just set up a website; they configured Mail Exchanger (MX) records for the domain. An MX record tells the internet where to deliver email for a specific domain. By setting up these records, the actor can receive and read any email accidentally addressed to an @gmai[.]com address.
This transforms a simple typo into a powerful tool for espionage and theft. An employee accidentally sending a sensitive internal document, a password reset link, or financial information to the wrong address could expose that data to an attacker. This is an ideal launchpad for credential harvesting and highly targeted Business Email Compromise (BEC) attacks.
Attackers Are Using Sophisticated DNS-Level Evasion Tactics
The idea that domain squatting is a low-effort, low-tech crime is dangerously outdated. Modern attackers are employing advanced techniques at the Domain Name System (DNS) layer to make their operations highly resilient.
One such technique is "double fast flux," a sophisticated and rarely observed method in which attackers rapidly and repeatedly rotate both the name servers (the authoritative servers that answer lookups for the domain) and the IP addresses (where the site is actually hosted) of their malicious domains. This makes the domains a moving target, allowing them to evade blocklists and takedown efforts from security vendors.
In an even more targeted tactic, the actor controlling the lookalike domain domaincntrol[.]com configured their system to deliver malicious redirects only to users of Cloudflare's popular 1.1.1.1 DNS resolver. This manipulation happens at the name server level, before an HTTP request is even made; queries arriving from any other resolver simply fail. This demonstrates a high level of operational security, as it enables the attacker to target a broad demographic of privacy-conscious or tech-savvy users while remaining undetected by others.
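Double fast flux shows up in passive DNS as a domain whose NS set and A set both churn within a short window, which is what separates it from ordinary single fast flux or CDN rotation. The following is an added example, not Infoblox's detection logic; the observations and thresholds are constructed.

```python
"""Flag double fast flux from passive-DNS style observations: a domain whose
NS set AND A set both churn within a short window. Example code added to this
article, not Infoblox's detection logic; records and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed observations: (timestamp, domain, rrtype, rdata)
CONSTRUCTED_PDNS = [
    ("2025-06-01T00:00Z", "lookalike.example.test", "NS", "ns1.flux-a.test"),
    ("2025-06-01T00:00Z", "lookalike.example.test", "A", "203.0.113.10"),
    ("2025-06-01T01:00Z", "lookalike.example.test", "NS", "ns7.flux-b.test"),
    ("2025-06-01T01:00Z", "lookalike.example.test", "A", "198.51.100.22"),
    ("2025-06-01T02:00Z", "lookalike.example.test", "NS", "ns3.flux-c.test"),
    ("2025-06-01T02:00Z", "lookalike.example.test", "A", "192.0.2.77"),
    # Ordinary domain: stable NS, a couple of load-balanced A records
    ("2025-06-01T00:00Z", "stable.example.test", "NS", "ns1.hosting.test"),
    ("2025-06-01T00:00Z", "stable.example.test", "A", "203.0.113.5"),
    ("2025-06-01T03:00Z", "stable.example.test", "NS", "ns1.hosting.test"),
    ("2025-06-01T03:00Z", "stable.example.test", "A", "203.0.113.6"),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%MZ")

def churn_by_domain(observations, window=timedelta(hours=24)):
    """Count distinct NS and A values per domain within `window` of that
    domain's first observation."""
    first, values = {}, defaultdict(lambda: {"NS": set(), "A": set()})
    for ts, domain, rrtype, rdata in sorted(observations, key=lambda o: parse_ts(o[0])):
        t = parse_ts(ts)
        first.setdefault(domain, t)
        if t - first[domain] <= window and rrtype in ("NS", "A"):
            values[domain][rrtype].add(rdata)
    return {d: {k: len(v) for k, v in sets.items()} for d, sets in values.items()}

def classify(churn, ns_threshold=3, a_threshold=3):
    """Double fast flux needs BOTH record types rotating; rotating only A
    records is classic (single) fast flux, which CDNs can also resemble."""
    out = {}
    for domain, c in churn.items():
        if c["NS"] >= ns_threshold and c["A"] >= a_threshold:
            out[domain] = "double-fast-flux"
        elif c["A"] >= a_threshold:
            out[domain] = "fast-flux"
        else:
            out[domain] = "stable"
    return out
```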
Google's Attempt to Clean Up Ads Fueled the Fire
A well-intentioned policy change by a major tech company had the unintended consequence of concentrating traffic in less-regulated channels, directly fueling the growth of this malicious ecosystem. In March 2025, Google altered its AdSense policy, changing the default so that advertisers had to explicitly "opt-in" to have their ads appear on parked domains.
This change caused revenue to plummet (by as much as 60% for some portfolios), which directly incentivised legitimate domain owners to pivot away from established ad networks. To maintain profitability, they turned to opaque and less-regulated "direct search" or "zero-click" monetisation systems. This shift inadvertently funnelled a massive volume of typo-generated traffic away from legitimate advertisers and directly into the hands of malicious affiliate networks and cybercriminals, who were ready to pay for it.
Conclusion: Rethinking the Simple Typo
The ecosystem behind parked and typosquatted domains has been fundamentally weaponised. What was once a minor navigational error has been transformed by a sophisticated and ruthless supply chain into a significant security risk for individuals and organisations alike. The line between a simple typo and a serious compromise has never been thinner.
For individuals, using bookmarks and password managers that store the correct URL is a critical security habit. For businesses, the defence must be more proactive: defensively register common typos of your domain, and for all non-operational domains, implement Null MX records and strict DMARC policies to prevent email interception and spoofing.
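The gmai[.]com case above is exactly what the Null MX and DMARC advice here prevents. The checker below is an added example, not from the Infoblox report: it audits a constructed record set for a defensively registered domain against Null MX (RFC 7505), a DMARC reject policy and, going one step beyond the article's list, a deny-all SPF record; the zone contents and hostnames are constructed.

```python
"""Check that a non-operational (defensively registered) domain is locked
down for mail: Null MX (RFC 7505), a deny-all SPF record and a DMARC reject
policy. Example code added to this article, not from the Infoblox report;
the record sets below are constructed."""
import re

def parse_null_mx(mx_records):
    """RFC 7505 Null MX: exactly one MX, preference 0, exchange '.'"""
    return len(mx_records) == 1 and mx_records[0] == (0, ".")

def spf_denies_all(txt_records):
    """Exactly one SPF record, and it must end with the hard-fail '-all'."""
    spf = [t.strip() for t in txt_records if t.strip().lower().startswith("v=spf1")]
    return len(spf) == 1 and spf[0].lower().endswith(" -all")

def dmarc_rejects(dmarc_txt_records):
    """The _dmarc TXT record must exist exactly once and carry p=reject."""
    if len(dmarc_txt_records) != 1:
        return False
    tags = dict(re.findall(r"(\w+)\s*=\s*([^;]+)", dmarc_txt_records[0]))
    return tags.get("v", "").strip() == "DMARC1" and tags.get("p", "").strip().lower() == "reject"

def audit_parked_domain(zone):
    """zone: {'MX': [(pref, host), ...], 'TXT': [...], 'DMARC': [...]} where
    'DMARC' holds the TXT records published at _dmarc.<domain>.
    Returns a list of findings; an empty list means the domain is locked down."""
    findings = []
    if not parse_null_mx(zone.get("MX", [])):
        findings.append("MX: no Null MX; mail to this domain can be received (typo interception risk)")
    if not spf_denies_all(zone.get("TXT", [])):
        findings.append("SPF: missing or not '-all'; the domain can be used as a forged sender")
    if not dmarc_rejects(zone.get("DMARC", [])):
        findings.append("DMARC: missing or p!=reject; spoofed mail is not rejected by receivers")
    return findings

# Constructed examples: a parked domain nobody locked down vs. a hardened one.
WEAK_ZONE = {
    "MX": [(10, "mail.parked-holding.test.")],
    "TXT": ["v=spf1 include:_spf.parked-holding.test ~all"],
    "DMARC": ["v=DMARC1; p=none; rua=mailto:reports@parked-holding.test"],
}
HARDENED_ZONE = {
    "MX": [(0, ".")],
    "TXT": ["v=spf1 -all"],
    "DMARC": ["v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s"],
}
```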