Parked Domains are domain names that are currently not active. They may be domains that are waiting to be used, purchased to stop cybersquatting or simply forgotten about. Some parked domains are used to distribute adverts. It allows the domain holder to earn an income while not using the domain. Regardless of the reason why they were parked, Palo Alto Networks says there is a risk someone is abusing them.
The details of the risk to parked domains comes in a blog from Unit42, part of Palo Alto’s research team. It claims that it has identified over 5 million new parked domains in just six months (March-September 2020). In that same period, it saw changes to 6 million domains. Some of these became the web sites their owners wanted. However, others became malicious (1%), adult or gambling (2.6%), high risk or suspicious (30.6%).
According to the Verisign Domain Name Industry Brief: “The second quarter of 2020 closed with 370.1 million domain name registrations across all top-level domains (TLDs), an increase of 3.3 million domain name registrations.”
How are domains being abused?
Unit42 gives several examples of how legitimate sounding domains have been co-opted into distributing malware. One of these is valleymedicalandsurgicalclinic[.]com. Unit42 claims it spotted the domain registration on July 8, 2020. Within two months it recorded it hosting multiple malware instances. It has also linked it to part of a global Emotet campaign.
What is not clear here is whether this was a failure of a parked domain company who help monetise domains or domain takeover. What is known is that recent Emotet attacks have taken advantage of unsecured parked domains.
The second type of abuse is around advertisements. Malvertising is a longstanding issue on the Internet, and parked domains provide a perfect platform for scammers. There is nothing wrong with a domain owner parking a domain and making some money while they prepare their website and business. The problem comes with how that monetisation occurs.
Despite offering services to help monetise through ads, it appears that parking services do not filter advertisers. According to Unit42: “Users are exposed to various threats, such as malware distribution, potentially unwanted program (PUP) distribution and phishing scams. In our experience, we most frequently observe the distribution of grayware.”
They cite the example of how peoplesvote[.]uk was abused during the current US presidential election. The abuse redirected some users to a site hosting an exploit kit script. All the bad URLs used on this site are still active.
Enterprise Times: What does this mean?
Unit42 is not saying “do not park your domain”. What they are doing is warning that the controls by some domain parking companies are poor. It means that domain owners need to monitor their parked domains to see what is happening. There is also a case for checking the terms and conditions with the parking company. What are they taking responsibility for? What is their remediation policy should something happen with a domain?
From a domain owners perspective, there is a risk of long term damage. Having purchased the perfect domain name, who will visit a company whose site is associated with malware? Not many people and certainly nobody from a business that filters bad sites. It means that owners have to realise that making some quick money off a parked domain is not necessarily the way to protect an asset.