Parked and lookalike domains are increasingly weaponized via "direct search" parking and complex traffic distribution systems (TDS) to funnel real users to scams, scareware, spyware, and malware while presenting benign pages to scanners. The report details three distinct domain portfolio actors and examples of delivered threats, including infections by Tedy and typosquats targeting Scotiabank users. #Tedy #Scotiabank
Keypoints
- Parked domains using "direct search" (zero-click) commonly route real visitors through multiple TDS/advertising networks, and in large-scale tests over 90% of visits led to scams, unwanted content, or malware rather than benign parking pages.
- Three previously unpublished domain portfolio actors were identified: a torresdns holder (scotaibank[.]com portfolio), a "double fast flux" operator (ic3[.]org portfolio), and a typosquat name-server operator (domaincntrol[.]com) that abuses DNS misconfigurations and Cloudflare resolver users.
- Domainers (portfolio holders) actively profile visitors (IP geolocation, User-Agent, device fingerprinting) and selectively route "real" residential users into risky advertising chains while showing decoy parking pages to scanners and VPN traffic.
- The ecosystem lets downstream malvertisers stay anonymous to the major parking platforms because traffic is frequently resold through multiple affiliate networks, undermining KYC and anti-fraud measures.
- Specific malicious campaigns observed include drive-by downloads (ClickFix delivering Babar), trojan distribution via archived payloads hosted on mega[.]nz (Tedy), and phishing/Business Email Compromise leveraging gmai[.]com MX records.
- The domaincntrol[.]com actor exploited a single-character typosquat of GoDaddy's name servers to capture traffic (including from misconfigured name server records) and selectively targeted Cloudflare 1.1.1.1 users, increasing reach and stealth.
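The misconfigured name-server records that the domaincntrol[.]com actor captures are something a zone owner can audit for. The following Python is an added example, not tooling from the report: it flags NS records whose parent domain is within a couple of edits of a known provider's name-server domain but is not that domain. The provider list is an assumption to extend (domaincontrol.com is the GoDaddy name-server domain the report's typosquat imitates; the other entries are assumed), and the zone records are constructed for illustration.

```python
# Added example (not from the report): audit NS records for lookalike
# name-server parent domains. Provider list and zone records are constructed.

# Assumed list of legitimate name-server parent domains. domaincontrol.com is
# GoDaddy's name-server domain (the one domaincntrol[.]com typosquats);
# extend with the providers your zones actually use.
KNOWN_NS_PARENTS = {
    "domaincontrol.com",
    "cloudflare.com",
    "registrar-servers.com",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def ns_parent(host: str) -> str:
    """Parent of a name-server host: its last two labels. Adequate for the
    .com/.net/.org providers listed above; ccTLD providers such as .co.uk
    would need a public-suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_ns(host: str, known=KNOWN_NS_PARENTS, max_distance: int = 2):
    """Return (verdict, matched_parent): 'known' if the host sits under a
    listed provider, 'lookalike' if its parent is within max_distance edits
    of one (but is not one), otherwise 'unknown'."""
    host = host.lower().rstrip(".")
    for parent in known:
        if host == parent or host.endswith("." + parent):
            return "known", parent
    parent = ns_parent(host)
    closest = min(known, key=lambda k: levenshtein(parent, k))
    if levenshtein(parent, closest) <= max_distance:
        return "lookalike", closest
    return "unknown", None


def audit_zone(records):
    """records: iterable of (zone, ns_host). Returns one finding per record
    that is not under a known provider; a clean set of zones yields []."""
    findings = []
    for zone, host in records:
        verdict, matched = classify_ns(host)
        if verdict != "known":
            findings.append({"zone": zone, "ns": host,
                             "verdict": verdict, "closest_known": matched})
    return findings


# Constructed zone records: the second entry drops one letter from GoDaddy's
# name-server domain, exactly the kind of record a typosquat name server
# would end up answering for.
SAMPLE_NS_RECORDS = [
    ("example-bank.test", "ns01.domaincontrol.com"),
    ("example-bank.test", "ns02.domaincntrol.com"),
    ("shop.test", "alice.ns.cloudflare.com"),
    ("shop.test", "bob.ns.cloudflare.com"),
    ("legacy.test", "ns1.someprovider.test"),
]

if __name__ == "__main__":
    for f in audit_zone(SAMPLE_NS_RECORDS):
        print(f"{f['zone']:20} {f['ns']:28} {f['verdict']:10} {f['closest_known']}")
```

Run it over the NS records from your own zone files or registrar exports; a "lookalike" finding is the record to fix first, since the typosquat name server will happily answer for it, and an "unknown" finding is simply a provider to add to the list once confirmed.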
MITRE Techniques
- [T1583] Acquire Infrastructure: use of purchased and registered lookalike/typosquat domains and large domain portfolios to host parking/TDS infrastructure ("a portfolio of nearly three thousand lookalike domains...gmai[.]com", "around 80,000 domains in their portfolio").
- [T1568] Dynamic Resolution (Fast Flux): rapidly rotating name servers and A records ("double fast flux") to evade detection and produce resolver-dependent responses ("ic3[.]org...has resolved to over 400 IP addresses since 2018" and rotating name server responses).
- [T1566] Phishing: use of typosquat domains and MX-configured lookalikes to receive and weaponize email for phishing and BEC campaigns ("gmai[.]com...used deliberately in phishing and malware campaigns" and "one campaign...using a lure indicating a failed payment with trojan malware attached").
- [T1204] User Execution: social engineering and deceptive pages that trick users into running scripts or downloading archives (ClickFix and archive lure workflows) ("The page attempts to trick users into running a malicious script that downloads and executes a file" and "Your archive is ready" leading to a trojan).
- [T1105] Ingress Tool Transfer: hosting and transfer of malicious payloads via file hosting and direct download links (e.g., mega[.]nz and a direct VBS payload) ("Clicking the button showed a link to mega[.]nz, a popular file sharing website where the malware was hosted" and "hxxp://85[.]209[.]129[.]9:5509/xa.vbs").
- [T1059] Command and Scripting Interpreter: use of JavaScript-based profilers and malicious scripts in pre-landing and ClickFix pages to fingerprint devices and initiate downloads/execution ("a script...collects browser and hardware information...sends a base64-encoded fingerprint" and "attempts to trick users into running a malicious script").
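The "double fast flux" behaviour in T1568 above (both the A records and the name servers rotating) can be surfaced from passive DNS data with a simple heuristic. The Python below is an added example, not the report's tooling: it profiles each domain's distinct A records, lowest A-record TTL and distinct NS hosts from a set of constructed observations and labels a domain double-flux only when both layers rotate. The thresholds are assumptions to tune against your own data, and because CDNs also serve many low-TTL A records behind stable name servers, a single-flux result is a lead for review rather than a verdict.

```python
# Added example (not from the report): fast-flux heuristic over passive DNS
# observations. All observations below are constructed; thresholds are
# assumptions to tune against your own data.
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsObservation:
    ts: int        # epoch seconds when the answer was seen
    domain: str
    rtype: str     # "A" or "NS"
    rdata: str     # IP address or name-server host
    ttl: int


def flux_profile(observations, domain):
    """Summarise what a domain's A and NS layers looked like over the window."""
    a = [o for o in observations if o.domain == domain and o.rtype == "A"]
    ns = [o for o in observations if o.domain == domain and o.rtype == "NS"]
    seen = [o.ts for o in a + ns]
    return {
        "domain": domain,
        "unique_a": len({o.rdata for o in a}),
        "unique_ns": len({o.rdata for o in ns}),
        "min_ttl_a": min((o.ttl for o in a), default=None),
        "span_hours": (max(seen) - min(seen)) / 3600 if seen else 0.0,
    }


def classify_flux(profile, min_ips=5, max_ttl=300, min_ns=3):
    """'double-flux' when both A records and name servers rotate,
    'single-flux' when only the A layer does, otherwise 'stable'."""
    rotating_a = (profile["unique_a"] >= min_ips
                  and profile["min_ttl_a"] is not None
                  and profile["min_ttl_a"] <= max_ttl)
    rotating_ns = profile["unique_ns"] >= min_ns
    if rotating_a and rotating_ns:
        return "double-flux"
    if rotating_a:
        return "single-flux"
    return "stable"


def assess_all(observations):
    """Map every domain in the observations to its flux verdict."""
    domains = sorted({o.domain for o in observations})
    return {d: classify_flux(flux_profile(observations, d)) for d in domains}


# Constructed observations (TEST-NET addresses, .test names), one hour apart:
#   flux.test   - a new IP and a new name server at nearly every look, TTL 60
#   cdn.test    - many low-TTL IPs but the same two name servers (CDN-like)
#   static.test - one IP, long TTL, two stable name servers
SAMPLE_OBSERVATIONS = (
    [DnsObservation(3600 * i, "flux.test", "A", f"203.0.113.{i}", 60) for i in range(1, 9)]
    + [DnsObservation(3600 * i, "flux.test", "NS", f"ns{i}.flux-ns{i}.test", 60) for i in range(1, 5)]
    + [DnsObservation(3600 * i, "cdn.test", "A", f"192.0.2.{i}", 60) for i in range(1, 7)]
    + [DnsObservation(3600 * i, "cdn.test", "NS", f"ns{1 + i % 2}.cdn-ns.test", 3600) for i in range(1, 7)]
    + [DnsObservation(3600 * i, "static.test", "A", "198.51.100.10", 3600) for i in range(1, 9)]
    + [DnsObservation(3600 * i, "static.test", "NS", f"ns{1 + i % 2}.static-ns.test", 3600) for i in range(1, 9)]
)

if __name__ == "__main__":
    for domain, verdict in assess_all(SAMPLE_OBSERVATIONS).items():
        p = flux_profile(SAMPLE_OBSERVATIONS, domain)
        print(f"{domain:12} A={p['unique_a']:2} NS={p['unique_ns']:2} "
              f"minTTL={p['min_ttl_a']:5} -> {verdict}")
```

Feeding real passive DNS exports in as DnsObservation rows is the only change needed; widening the window (the report's ic3[.]org example accumulated its 400+ addresses over years) matters more than the exact thresholds.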
Indicators of Compromise
- [Domain] parked/typosquat and landing pages: scotaibank[.]com (typosquat used to route victims), chatterjamtagbirdfile[.]monster (malicious payload landing page), and other domains such as sportswear[.]homes and domaincntrol[.]com.
- [SHA256] malware file: 4a3497d66a64c22342d855d2da370c9a4351e6403bbd224093c4b348bd611df4 (Babar/Tedy-associated payload); see the project repository for additional hashes.
- [IP Address] redirect and hosting infrastructure: 64.225.91[.]73 (DigitalOcean host used by the domaincntrol TDS), 85.209.129[.]9:5509 (host serving the xa.vbs payload), and other rotating IPs used by fast-flux name servers.