- Palo Alto Networks' Unit 42 uncovered 5 million "newly parked domains," or registered domain names waiting for use or service, between March and September 2020. Another 6 million parked domains shifted categories, 31% became "suspicious," Unit 42 found.
- One percent, or 60,000, parked domains gained a "malicious" label, which includes phishing or malware. Parked domains are eight times more likely to shift from a benign category to a dangerous one.
- Nearly one-third of those "malicious" parked domains did so less than 10 days after becoming parked. By comparison, benign domains remain parked for 60-69 days. "We conjecture that many cybercriminals do not age their domains," which helps avoid detection, according to the report.
Malicious parked domains can serve as an entrypoint for malware. While phishing and ransomware are tied to malicious domain parking, they are not entirely dependent on each other.
Phishing spiked at the onslaught of the pandemic, and for criminals, "why try anything else if that works?" said Ruian Duan, staff security researcher at Palo Alto Networks' Unit 42. "We expect to keep seeing the same issues heading into 2021."
On its surface, parked domains appear like dormant threats. Companies park their domain names for a number of reasons and benefits, such as gaining traffic-generated revenue or increasing the value of a domain by holding onto it.
When done legitimately, parking services "will either present visitors with a list of advertisements or automatically redirect users to advertisers' webpages," according to Unit 42. The owner of the domain gets paid when users engage with ads. With enough traffic, the owner can sell the domain for its increased value.
Domain parking is just as useful for bad actors.
Criminals who are domain parking leverage common spelling errors, such as adding an additional "i" when searching for "Xfinity," according to the report. The redirect to a malicious "xifinity[.]com" website, presented users with a fake message from McAfee, saying their security subscription expired. "We believe that attackers are abusing McAfee's affiliate program to steal ad revenue," said Unit 42.
Dipping into another company's ad revenue is proving costly. Ad fraud was expected to reach $5.8 billion in economic losses in 2019, according to a study from the Association of National Advertisers.
Criminals "can use domain parking for temporary disguise or to potentially fund some of their costs related to domain registrations," said Duan.
Unit 42 found attackers leveraging the domain "peoplesvote[.]uk" for the presidential election in the U.S. A portion of unaware visitors were redirected to "0redira[.]com/jr.php" where an exploit kit script was waiting to "fingerprint" the users web activity. In doing so, the exploit kit script hid the landing URLs to evade security detection.
"These pages are still active as of this writing," Unit 42 said.