Loading summary
Dr. Renee Burton
You're listening to the Cyberwire Network, powered by N2K.
Indeed Sponsor Voice
This episode is brought to you by Indeed. Stop waiting around for the perfect candidate. Instead, use Indeed sponsored Jobs to find the right people with the right skills fast. It's a simple way to make sure your listing is the first candidate. C. According to Indeed data, sponsored jobs have four times more applicants than non sponsored jobs. So go build your dream team today with Indeed. Get a $75 sponsor job credit@ Indeed.com podcast. Terms and conditions apply.
Dave Bittner
Hello everyone, and welcome to the Cyberwires Research Saturday. I'm Dave Buettner and this is our weekly conversation with researchers and analysts, tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining.
Dr. Renee Burton
This came to our attention because we were basically visiting a website to check it out for research purposes, which we expected to be parked. In other words, we expected it to just show that splash scene that we've all seen for decades that says this domain may be available for sale. And instead it was like a whip, whip, whip, and suddenly you had a thing that said there's a virus on your machine.
Dave Bittner
Ah, that's Dr. Renee Burton, Vice president of Infoblox Threat Intel. The research we're discussing today is titled Parked Domains and Direct Search an Underreported Security Risk.
Dr. Renee Burton
So we realized, wait a second, that's not parked, and then tried to understand, like, how large is this problem?
Dave Bittner
So can we just start with some basic stuff here? I mean, when we talk about a parked domain, what do most people expect that to mean and what did your team find instead?
Dr. Renee Burton
So a park domain traditionally is for domain monetization. There's a whole industry in this, and I'm certainly not one of those domain monetization experts, but essentially they buy large numbers of domains that are typos. They're natural things that you would, in the classic sense of park domains, they would buy one finger off, type of whatever you were going to type netflix.com instead, maybe that L would be a K or something. And then that would go to a parking service which would show ads or show the ability to click into ads. There's a couple of different ways that it would work. Essentially, it doesn't do much, right, other than showing you that the domain may be available for sale, or it might show you a few ads, or it might allow you to click in and search for content.
Dave Bittner
So your research talks about two different things here, direct search and zero click parking. Can you suss out those for Us,
Dr. Renee Burton
we found those are essentially names that different people are using for the same concept. If we think of the classic parking and domain parking monetization, you would accidentally type the domain wrong, right? You type Netflix wrong. And instead you get this splash screen that says do you want to look for streaming videos? And it's essentially a boring page. It says it's parked. It might say it's parked at this particular location, like GoDaddy or parking crew or something. And then you would have to interact with them. What they did was they added a feature. This is actually, as far as I can tell, well over a decade ago. It just hasn't really gained recognition within the security community that instead of selling an ad by having to have you click twice, that is, you mistyped the Netflix and now you have to click in to see the ad for streaming services. I'm just going to help you. I'm just going to directly drive you to an advertisement. That is what you must be looking for. So in theory, that's what it's supposed to be, taking you directly to an ad. So there's zero clicks or direct search.
Dave Bittner
And so what was the aha moment for you to realize that this was something being weaponized?
Dr. Renee Burton
About a year ago, certainly February, maybe of this past year, 2025, we realized that we could take domains that were parked. In essence, when we looked at them through a normal security scanner service, they would show up as parked and yet they had a different IP address. We could take that IP address, any domain on that IP address, and we would search it instead from a home address, from a residential proxy, or from our home addresses themselves. And we could get malicious content every single time. And in some of the cases, we could get the same malicious content every single time. So we did that with Cerbal as a partner early on and then started realizing, wait a second, this is really big. It's a lot more problematic than any of us had ever noticed or seen before, largely because when you try to scan it from any kind of normal scanning infrastructure, it will just show the boring parking pages.
Dave Bittner
The research has a story about ic3.org, which I think really kind of walks us through what you all were we're dealing with here. Can you, can you share that example with us?
Dr. Renee Burton
Yeah, that was really horrible. My uncle in law, I was visiting and my uncle in law realized that his bitcoin had been stolen. He had a very, very large amount of money stolen from Bitcoin from his bitcoin wallet. And so we said, what? What, what? You need to do is report that to the FBI. And someone sent me the link, another researcher, and they made a typo, so they typed it as ic3.org instead of ic3.gov, which is the real website. And I was in a panic because my uncle's just lost hundreds of thousands of dollars. So I clicked on it from my phone and it immediately came up with, you have a virus on your. You have a virus on your phone. And then we realize, wait a second, this is yet another one of these lookalikes that a malicious actor holds onto.
Dave Bittner
But there's more to it than that because you scanned it as a defender and you had a different experience.
Dr. Renee Burton
Exactly. Yeah. So we have that particular domain belonged to one of the quote, parking actors that we've tracked that are separate from the parking platforms. Right. They're actual domain holders, or they call themselves domainers. And what we found was if you scan that from a variety of different locations, like from the. As a defender, from a normal thing, you're going to get something that just says the domain is parked. But if you scan it from other locations, including residential proxies, you might get a scam, you might get malware, information stealers, remote access trojans. It will vary, but it'll always be bad. It's always going to be bad.
Dave Bittner
Well, help us understand, how does this work behind the scenes. How does this traffic get sold from a park domain to advertisers or folks who are up to no good?
Dr. Renee Burton
Yeah, there seems to be two different types of situations. So one is where people have actually parked their domains directly with the parking companies. So there's two different situations. One is where domainers and domain holders and domain investors, as they might call themselves, are parking with a parking service and they've opted in to this direct search. That case is somewhat common and there are both small holders and large holders who do that. The other case is where the domain or the domain investor themselves is a bad actor. And those are three of the ones that we published about. So in those three cases, they actually make a decision about the user. So when you visit the website, they do some fingerprinting on the operating system, the browser and the location, and then they determine whether they're going to send you forward to a boring parking page or, or they're going to sell your traffic to one of these other direct searches as well as other advertisers. And then from the parking platform's perspective, essentially the same kind of things go on. These parking platforms, the big ones, they have very sophisticated Anti fraud mechanisms. And essentially those anti fraud mechanisms are really good cloaking mechanisms and fingerprinting mechanisms. In other words, they're able to tell that you are a defender very quickly and very, very precisely because they've spent a lot of money on it. That essentially allows them to again redirect any kind of security scanning traffic into a boring page. And then otherwise they sell it to yet again another third party advertiser. And it's in those resells that we saw the malicious content happening.
Dave Bittner
We'll be right back.
Taylor Swift Promo Voice
On December 12th, Disney invites you to go behind the scenes with Taylor Swift in an exclusive six episode docu series.
Dr. Renee Burton
I wanted to give something to the
Indeed Sponsor Voice
fans that they didn't expect.
Dr. Renee Burton
Expect.
Indeed Sponsor Voice
The only thing left is to close the book.
Taylor Swift Promo Voice
The end of an era and don't miss Taylor Swift. The Eras Tour. The final show featuring for the first time the tortured poets department. Streaming December 12th only on Disney.
Dave Bittner
Now, you all ran some pretty large scale experiments here and you saw a lot of illegal content. I mean it was sometimes it was over 90%. How did you go about this testing and how do you tally up what's counted as malicious versus just maybe a nuisance or unwanted?
Dr. Renee Burton
Yeah, so what we did, we've actually scanned thousands and thousands. We have a pretty complex architecture that we've developed because a lot of our research is in traffic distribution systems, in cloaking and that kind of thing. So we have a large infrastructure that essentially pretends it's in different locations, it's different kinds of devices. And then it scans through and we record every little piece of information along the way. And then because of the size of the scans, we're then able to go and look at the landing pages and take those domains and look at what do we know about those already? Again, because we're, our expertise is in domain names, typically we'll be able to say, okay, this group of things is a known malware or a known scam actor, that kind of thing. And then we're able for the ones that needed manual review, which actually wasn't that many because of the way the processes work. We would go through and look at that as well. There's not a lot that qualifies as, you know, unwanted or irrelevant. I think 10% is sort of being generous about what we actually saw. I think more often those end up to be cloaking. But they weren't things we could prove right. So we left it as sort of this 10% goes to this kind of benign content.
Dave Bittner
What about the ad industry themselves? I Mean, where's the line between legit parking platforms and these folks who are taking advantage of users?
Dr. Renee Burton
I think it's really complicated. We did talk to multiple large parking platforms. Really large, well established companies have been around for a couple of decades and showed them signs of abuse and talked about how they do their customer vetting. So they have KYC know your customer type mechanisms in place and those are fairly robust at these large companies. The problem is that they sell that traffic to somebody whose identity they have verified and then that person sells it to yet another one. And we end up in largely in the affiliate advertising space where those kind of customer know your customer checks are not being made. And there's just really unethical small, you know, advertising companies that are buying the traffic because they want to, they're willing to pay for it. So it's all about money, right? Some of the larger vendors specifically we had a lot of really good conversations with Team Internet, which is a really large German company with a number of companies underneath it, Parking Crew and ZeroPark and they explained that it's pretty hard, but it is possible that actors can do these kind of domain laundering type activities where they are able to manipulate the parked domain and then how it's going to get bought on the other side because they're all subscribing to certain keywords and other features that are going to be sold essentially like here's the fingerprint of the user I'm looking for and here's some of the keywords that I'm buying traffic for. And they used that as an explanation of why cerbal and we were able to repeatedly get the same content over and over again. In our earlier research we didn't see that that often, but that was something that on occasion we were able to do.
Dave Bittner
Help me understand why detecting this is so hard.
Dr. Renee Burton
The main reason that detecting it is so hard is because the decoys work really well. So they are able to fingerprint the user if they see something that in any way looks like a security service or a VPN or any kind of, you know, any kind of non victim. Right. So if it's like it doesn't match the victim criteria, then they'll just punt it into a decoy. The decoy will typically be a parking page, but it could just be like an Amazon page or Netflix page or some other Google search boring page. So especially when you combine that the actors themselves may have some of this cloak. You know, cloaking is the word that we would use, right? Fingerprinting, that's going on. When you combine that with the large parking companies and they're using commercial high grade anti fraud mechanisms to prevent things like residential proxy and VPNs from getting through, it just provides a really great cloak that you can't repeat. And then you also can't repeat the same thing over and over again. Every time you scan it, you're very likely to get different content and that makes it really tricky for security teams.
Dave Bittner
So then, based on what you all have gathered here, what are your recommendations for security teams? What should they do to defend against this sort of thing?
Dr. Renee Burton
The reality is that I think parking is extraordinarily dangerous. So for high risk enterprises, I would look to make sure you block parking. A lot of them already do that, but a lot do not because they think of it as something that's fairly benign. The other thing is, whenever a user says, hey, I was doing something and I had this warning pop on my screen, whether it be an antivirus or shopping or some kind of unwanted content, and then I couldn't repeat that. That's a sign that you've got maybe parking, but you've certainly got a traffic distribution systems or cloaking in place that the security team will want to look at.
Dave Bittner
You know, the risk of sounding flippant here, it sounds to me like there's a market for some product that makes your Internet presence look like you're a security researcher.
Dr. Renee Burton
Yes, exactly.
Dave Bittner
Right.
Dr. Renee Burton
That would be perfect, actually. Yeah.
Dave Bittner
So nobody will, you know, serve you up any malware, send you on your way.
Dr. Renee Burton
Right, exactly.
Dave Bittner
Our thanks to Dr. Renee Burton from Infoblox Threat intel for joining us. The research is titled Parked Domains and Direct an Underreported Security Risk. We'll have a link in the show notes. And that's Research Saturday brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com this episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insights, hands on learning and real innovation. I'll say this plainly, I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today@rsaconference.com cyberwire26. I'll see you in San Francisco.
CyberWire Daily – Research Saturday
Episode: The parking lot of digital danger
Release Date: February 28, 2026
Host: Dave Bittner (N2K Networks)
Guest: Dr. Renee Burton (VP, Infoblox Threat Intel)
Topic: "Parked Domains and Direct Search: An Underreported Security Risk"
This episode delves into the hidden dangers of "parked domains" and the "direct search" or "zero click parking" advertising ecosystem. Dr. Renee Burton explains how attackers exploit otherwise innocuous-looking parked domains to deliver scams, malware, and unauthorized content—using sophisticated cloaking and fingerprinting to avoid detection by security researchers and automated tools. The discussion uncovers both the technical and systemic challenges this problem presents for defenders and the advertising industry itself.
[01:08–03:12]
[03:12–04:41]
"What they did was they added a feature... instead of selling an ad by having to have you click twice... I'm just going to directly drive you to an advertisement." (Dr. Renee Burton, 03:37)
[04:41–06:02]
"We could get malicious content every single time... largely because when you try to scan it from any kind of normal scanning infrastructure, it will just show the boring parking pages." (Dr. Renee Burton, 04:49; 05:37)
[06:02–07:16]
"I was in a panic because my uncle's just lost hundreds of thousands of dollars... it immediately came up with, you have a virus on your phone." (Dr. Renee Burton, 06:35)
[07:24–10:31]
"Those anti-fraud mechanisms are really good cloaking mechanisms and fingerprinting mechanisms… able to tell that you are a defender very quickly." (Dr. Renee Burton, 09:18)
[11:08–13:01]
[13:01–15:24]
"They sell that traffic to somebody whose identity they have verified and then that person sells it to yet another one." (Dr. Renee Burton, 13:52)
[15:24–16:57]
"The main reason that detecting it is so hard is because the decoys work really well. So they are able to fingerprint the user... they'll just punt it into a decoy." (Dr. Renee Burton, 15:30)
[16:57–17:54]
"Parking is extraordinarily dangerous. So for high risk enterprises, I would look to make sure you block parking." (Dr. Renee Burton, 17:05)
[17:54–18:17]
On the bait-and-switch experience:
“It was like a whip, whip, whip, and suddenly you had a thing that said there's a virus on your machine.” (Dr. Renee Burton, 01:13)
On the real-world impact of typosquatting:
“My uncle's just lost hundreds of thousands of dollars... it immediately came up with, you have a virus on your phone.” (Dr. Renee Burton, 06:35)
On major ad networks inadvertently funneling attackers:
“They're all subscribing to certain keywords and other features... here's the fingerprint of the user I'm looking for and here's some of the keywords that I'm buying traffic for.” (Dr. Renee Burton, 14:36)
On the limitations of current security scanning:
"Cloaking is the word that we would use, right? Fingerprinting, that's going on..." (Dr. Renee Burton, 15:37)
On the reality for defenders:
"Whenever a user says... I had this warning pop on my screen, and then I couldn't repeat that. That's a sign that you've got maybe parking, but you've certainly got a traffic distribution systems or cloaking in place..." (Dr. Renee Burton, 17:27)
The episode is technical yet accessible, balancing in-depth analysis with real-world anecdotes and occasional humor. Dr. Burton’s explanations are clear and relatable, using analogies and personal stories to underscore the urgency of the threat.
Parked domains, long thought to be innocuous, now pose significant threats as vehicles for malware and scams, enabled by advanced cloaking that thwarts detection. Both the ad tech supply chain and security industry have yet to grapple with the full extent of the abuse. Dr. Renee Burton urges security teams to treat these domains as threats and offers practical advice for enterprise defense, exposing a largely hidden and growing danger in today’s digital landscape.