{
	"id": "f340b820-c1a1-4e0d-939a-f448de49173b",
	"created_at": "2026-04-06T00:12:18.826831Z",
	"updated_at": "2026-04-10T13:12:01.307009Z",
	"deleted_at": null,
	"sha1_hash": "4771b94c4140de52570b7a3cb0c204f5e5a0afe9",
	"title": "Domain Parking: A Gateway to Attackers Spreading Emotet and Impersonating McAfee",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2055858,
	"plain_text": "Domain Parking: A Gateway to Attackers Spreading Emotet and\r\nImpersonating McAfee\r\nBy Ruian Duan, Zhanhao Chen, Seokkyung Chung, Janos Szurdi, Jingwei Fan\r\nPublished: 2020-10-29 · Archived: 2026-04-05 22:20:06 UTC\r\nExecutive Summary\r\nDomain parking services offer a simple solution for domain owners to monetize their sites’ traffic through third-party advertisements. While domain parking might appear harmless at first glance, parked domains pose\r\nsignificant threats, as they can redirect visitors to malicious or unwanted landing pages or turn entirely malicious\r\nat any point in time.\r\nWe have been detecting parked domains for more than nine years. From March to September 2020, we identified\r\n5 million newly parked domains. In the same time frame, we observed that 6 million parked domains have\r\ntransitioned to other categories. Out of the transitioned parked domains, 1.0% changed to malicious categories\r\n(such as phishing or malware); 2.6% changed to not safe for work categories (such as adult or gambling); and\r\n30.6% changed to suspicious categories (such as questionable or high Risk). Compared to a benign domain (such\r\nas computer and internet info or shopping), a parked domain has an eight times higher probability of changing its\r\ncategory to one of the above non-benign categories.\r\nIn this blog, we further investigate the domain parking ecosystem and outline different types of abuse, including:\r\nDomain registration abuse: We observed the malicious life cycle of the domain\r\nvalleymedicalandsurgicalclinic[.]com, which is no longer active, as part of a global Emotet campaign.\r\nEmotet is one of the most popular malware families distributed via phishing emails. 
During this campaign,\r\nPalo Alto Networks observed attacks against organizations in various industries (such as education,\r\ngovernment, energy, manufacturing, construction and telecommunications) all over the world, including\r\nthe United States, the United Kingdom, France, Japan, Korea and Italy. The attack targeting French\r\norganizations also exploited the COVID-19 global pandemic: It used Covid19 as the phishing email’s\r\nsubject line. None of these attacks were successful.\r\nAdvertisement abuse (case 1): We observed attackers abusing the domain peoplesvote[.]uk related to the\r\n2020 U.S. presidential election. While visiting peoplesvote[.]uk, users are presented with an ad listing\r\npage most of the time. However, occasionally, users are first redirected to 0redira[.]com/jr.php, which hosts\r\nan exploit kit script, and subsequently users are redirected to a survey website asking about users’ voting\r\npreference of Joe Biden or Donald Trump. The exploit kit script hosted on 0redira[.]com/jr.php fingerprints\r\nthe browser silently to track users’ web activity and hides the landing URLs to prevent security companies\r\nand researchers from analyzing and blocking them. Of note, these pages are still active as of this writing.\r\nAdvertisement abuse (case 2): Furthermore, we observed a domain, xifinity[.]com, mimicking\r\nxfinity[.]com. When a user attempts to visit the Xfinity website but accidentally types an additional \"i,\"\r\nthey will go to xifinity[.]com and will be redirected to an abusive landing page, antivirus-protection[.]com-123[.]xyz. Both domains are active as of this writing. The landing page tries to fool users into believing\r\nthat their machine is infected and that their McAfee subscription has expired. Clicking on the “Proceed”\r\nbutton will redirect users to a legitimate McAfee download page offering an antivirus subscription. 
We\r\nbelieve that attackers are abusing McAfee’s affiliate program to steal ad revenue.\r\nSecurity best practice for enterprises is to keep close track of parked domains, while consumers should make sure\r\nthat they type domain names correctly and double-check that the domain owners are trusted before entering any\r\nsite.\r\nPalo Alto Networks Next-Generation Firewall customers can block the parked category with the URL Filtering\r\nand DNS Security subscriptions.\r\nDomain Parking: Why and How\r\nIndividuals and enterprises pay an annual fee to a registrar (an ICANN-accredited company that sells domain\r\nregistrations) to buy domain names and become domain owners. If domain owners don't have content or a service ready to point their\r\ndomains to, they can leverage parking services to monetize user traffic. Setting up parking is simple and\r\nonly requires domain owners to point their name server (NS) records to the parking service. In return, parking\r\nservices will either present visitors with a list of advertisements or automatically redirect users to advertisers'\r\nwebpages. In the first case, domain owners and parking services get paid when a user clicks on an ad, while in the\r\nsecond case, they get paid per user visit. Some domain owners buy large numbers of domain names as an\r\ninvestment to resell them later for a profit or to monetize user traffic. As shown by previous research studies and\r\nthis blog, parked domains can pose significant threats to end-users. Because of this, along with their questionable\r\nutility, it may be best to block parked domains.\r\nPalo Alto Networks has deployed a comprehensive pipeline to track newly parked domains and to publish the\r\ndetection results to URL Filtering. Recently, we have launched the parked category in DNS Security as well. In\r\nparticular, our pipeline:\r\n1. Monitors known parking service providers and their infrastructure.\r\n2. 
Tracks domain registrations and passive DNS queries and performs reverse DNS lookups.\r\n3. Crawls website content.\r\n4. Employs machine learning to combine multiple features to classify whether a domain is parked.\r\nHigh-Level Statistics\r\nTo analyze the current parked domain landscape, we collected the parked domains that were detected from March\r\nto September 2020, as well as the ones whose category changed from parked to other categories in the same time\r\nspan. On average, 27,000 newly parked domains were identified and 35,000 existing parked\r\ndomains were re-classified daily. In summary, our pipeline has identified 5 million newly parked domains and re-classified 6 million parked domains to other categories in the past six months.\r\nFigure 1 summarizes how we observed parked domains changing during this time period. For simplicity, we group\r\nthe URL Filtering categories into four classes: malicious, not safe for work, suspicious and benign. The malicious\r\nclass consists of malware, command and control (C2), phishing and grayware. Adult, gambling and nudity are\r\nrepresented in the not safe for work class. For suspicious, we include questionable, insufficient content and high\r\nrisk domains. Sites are deemed questionable based on suspicious web content, while the insufficient content\r\ncategory is normally applied to a blank website and high risk means the domain displays behavior similar to\r\nmalicious domains. The benign class encompasses all other categories, such as business and economy, computer\r\nand internet info and shopping. Figure 1 shows that for parked domains, the malicious change rate is 1.0%, the not\r\nsafe for work change rate is 2.6% and the suspicious change rate is 30.6%. As a comparison, the non-benign\r\nchange rate of the parked category is eight times higher than the non-benign change rate of benign categories.\r\nFigure 1. 
A list of categories that parked domains we observed changed to in the last six months.\r\nFigure 2 presents the distribution of the number of days that domains we ultimately categorize as malicious\r\nor benign were parked before changing their category. We aggregate the number of category changes from parked\r\nin 10-day buckets of parked time and normalize by the total number of domains per class. Figure 2 shows that 25.9%\r\nof parked domains that changed to malicious categories were parked for less than 10 days, which is significantly\r\ndifferent from benign, where the majority were parked for around 60-69 days. We conjecture that many\r\ncybercriminals do not age their domains (a practice used to evade domain lifetime-based detection features) and\r\nuse them to conduct attacks as soon as possible.\r\nFigure 2. The number of days a domain is parked before a category change occurs, based on\r\nobservations made during the last six months.\r\nThe Ecosystem and Attack Vectors\r\nIn this section, we further investigate the benefits of detecting and blocking parked domains. We begin by\r\ndissecting the domain parking ecosystem into different stakeholder groups. We then show that the largest attack\r\nvector is domain registration, since attackers can register parked domains and turn them malicious at any time.\r\nSecond, we show that attackers can abuse the lack of advertisement control by some smaller advertisement\r\nnetworks used by parking services, thereby redirecting visitors to malicious or unwanted landing pages. Last, we\r\nshow that even a parking service itself can pose privacy threats to users.\r\nStakeholders\r\nWe show the major stakeholder groups in the domain parking ecosystem and their relationships in Figure 3,\r\nnamely domain owners, parking service providers, advertisement networks and advertisers. 
Note that the term\r\nstakeholders as used here represents roles and can refer to the same entity or multiple entities. Domain owners\r\nown parked domains and have the incentive to monetize through parking service providers. Parking service\r\nproviders incorporate and organize feeds from advertisement networks to monetize user traffic. Advertisement\r\nnetworks characterize user traffic from parked domains and present ads to users from interested advertisers.\r\nFigure 3. Stakeholders in the domain parking ecosystem and their relationships.\r\nAs mentioned previously, domain owners need to point their NS records to the parking service’s name server to\r\n“park” their domains. We measured the popularity of service providers by checking the DNS NS records of parked\r\ndomains detected from March to September 2020. Figure 4 presents the top 15 most popular NS domains. The\r\nmajority of parked domains are resolved by the NS of large registrars, including GoDaddy (domaincontrol[.]com)\r\nand NameBright (namebrightdns[.]com). Besides the large registrars and hosting providers, we identified several\r\ndedicated parking service providers. The most popular dedicated provider is Sedo (sedoparking[.]com), which is\r\nused by 19.5% of parked domains.\r\nFigure 4. A list of parking service providers including registrars, hosting providers and dedicated\r\nparking providers.\r\nDomain Registration Abuse\r\nParked domains could present threats to users when they turn malicious. Figure 1 shows that 1.0% of parked\r\ndomains eventually changed to malicious categories such as C2 and malware. Some attackers appear to host\r\nparked pages on their domains before deploying malicious content, potentially to earn parking revenue that offsets their registration costs.\r\nFor example, we observed the malicious life cycle of the domain valleymedicalandsurgicalclinic[.]com. This\r\ndomain was registered on July 8, 2020. 
Our newly registered domain detector found this domain, and our parking\r\ndetector pipeline classified it as parked based on the website content. Two months later, our malware analysis\r\nengine, WildFire, captured multiple malware instances, such as SHA256:\r\na9fe73484674696be756808e93f839be7157cd65995d8de9e67e40bf77c9b229 and\r\n54ac560845b09ce00a48b604ac7c440331cbde4362839a3dbf14c378230bee21, hosted on the URL\r\nvalleymedicalandsurgicalclinic[.]com/ujftb/statement/wr7hoba7i9hz since Sept. 14, 2020. Furthermore, we\r\ndiscovered that it's part of a global Emotet campaign (refer to our recent Emotet blog for more information).\r\nEmotet is one of the most popular malware families distributed via phishing emails. The documents attached to\r\nthe phishing emails contain macro scripts that, once enabled, download Emotet and call back to the C2 servers from victims’ machines. Emotet further\r\ndownloads Trojan payloads that steal victims' credentials or even fully compromise their machines. We can\r\nsee many suspicious behaviors from these files, including incorrect file extensions and communication with\r\nmultiple C2 servers, such as 50.91.114[.]38 and 51.38.124[.]206. We sketch the phases of the Emotet campaign in\r\nFigure 5.\r\nThe observed campaign was launched using multiple domains around the world. During this campaign, Palo Alto\r\nNetworks observed attacks against organizations in various industries (such as education, government, energy,\r\nmanufacturing, construction and telecommunications) all over the world, including the United States, the United\r\nKingdom, France, Japan, Korea and Italy. The attack targeting French organizations also exploited the COVID-19\r\nglobal pandemic: It used Covid19 as the phishing email’s subject line (refer to our COVID-19 scams blog for\r\nsimilar cases). None of the attacks were successful.\r\nFigure 5. 
Illustration of the phases of the Emotet campaign.\r\nAdvertisement Abuse\r\nThe domain parking ecosystem depends on advertisers to profit from user traffic. As discussed earlier, parking\r\nservices either show users a list of ads (and get paid based on the number of user clicks on these ads) or redirect\r\nusers automatically to the advertisers’ webpages (and get paid based on the number of user visits). Often the\r\nparking services and the advertisement networks do not have the means or willingness to filter abusive advertisers\r\n(i.e. attackers). Therefore, users are exposed to various threats, such as malware distribution, potentially unwanted\r\nprogram (PUP) distribution and phishing scams. In our experience, we most frequently observe the distribution of\r\ngrayware.\r\nWe observed attackers abusing the domain peoplesvote[.]uk related to the 2020 U.S. presidential election, which\r\nwas allowed by the lack of control by above[.]com, the seventh-most popular domain parking service, as shown in\r\nFigure 4. While visiting peoplesvote[.]uk, users are presented with an ad listing page most of the time, as shown in\r\nFigure 6. However, occasionally, users are first redirected to 0redira[.]com/jr.php, which hosts an exploit kit script,\r\nand subsequently redirected to a survey website asking about users’ voting preference, as shown in Figure 7. The\r\nexploit kit script hosted on 0redira[.]com/jr.php fingerprints the browser silently to track users’ web activity and\r\nhides the landing URLs. Of note, these pages are still active as of this writing.\r\nFigure 6. The ad listing page often seen while visiting peoplesvote[.]uk.\r\nFigure 7. The voting preference landing page that is sometimes seen after visiting peoplesvote[.]uk\r\nand being redirected to a survey website.\r\nFurthermore, we observed attackers abusing the largest dedicated parking service provider, Sedo. 
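The Sedo case that follows turns on a one-character typo (xifinity[.]com for xfinity[.]com) and on a level-squatting hostname (antivirus-protection[.]com-123[.]xyz). The Python below is an added example, not code from the Unit 42 post or from its detection pipeline: it flags observed domains that are a single edit away from a protected brand and hostnames carrying a middle label that imitates an apex domain. The brand list, the TLD list and the observed domains are constructed sample data, and the registrable-domain helper is simplified to the last two labels.

```python
# Added example, not code from the Unit 42 post. It flags observed domains that
# sit one keystroke away from a protected brand (xifinity[.]com vs xfinity[.]com)
# and hostnames whose labels imitate an apex domain (antivirus-protection[.]com-123[.]xyz).
# The brand list, the TLD list and the observed domains are constructed sample data.

PROTECTED = ['xfinity.com', 'mcafee.com']            # assumed brand list
TLD_LIKE = ('com', 'net', 'org')                      # assumed, used by the level-squat check

OBSERVED = [                                          # constructed sample, defanged as in the post
    'xifinity[.]com',                                 # inserted i (the case in the post)
    'xfinity[.]com',                                  # the real site, must not be flagged
    'xfinty[.]com',                                   # dropped character
    'xfinlty[.]com',                                  # substituted character
    'xfiinty[.]com',                                  # swapped adjacent characters
    'antivirus-protection[.]com-123[.]xyz',           # level squat (the case in the post)
    'peoplesvote[.]uk',                               # unrelated, no hit expected
]


def refang(domain):
    # Turn the defanged form used in reports back into a real hostname.
    return domain.strip().lower().rstrip('.').replace('[.]', '.')


def registrable(host):
    # Naive last-two-labels apex; a real deployment would use the public suffix list.
    return '.'.join(host.split('.')[-2:])


def _one_extra(longer, shorter):
    # True if longer equals shorter with exactly one extra character inserted.
    i = j = 0
    skipped = False
    while i < len(longer) and j < len(shorter):
        if longer[i] == shorter[j]:
            i += 1
            j += 1
        elif skipped:
            return False
        else:
            skipped = True
            i += 1
    return True


def squat_kind(candidate, brand):
    # Classify a single-edit typo of brand: insertion, deletion, substitution or
    # transposition. Returns None for the brand itself or anything further away.
    if candidate == brand:
        return None
    la, lb = len(candidate), len(brand)
    if la == lb + 1:
        return 'insertion' if _one_extra(candidate, brand) else None
    if lb == la + 1:
        return 'deletion' if _one_extra(brand, candidate) else None
    if la != lb:
        return None
    diffs = [i for i in range(la) if candidate[i] != brand[i]]
    if len(diffs) == 1:
        return 'substitution'
    if (len(diffs) == 2 and diffs[1] == diffs[0] + 1
            and candidate[diffs[0]] == brand[diffs[1]]
            and candidate[diffs[1]] == brand[diffs[0]]):
        return 'transposition'
    return None


def is_level_squat(host):
    # A middle label that starts with a TLD string and a hyphen (com-123) makes the
    # hostname read like a different apex domain at a casual glance.
    labels = host.split('.')
    for label in labels[1:-1]:
        head, sep, _ = label.partition('-')
        if sep and head in TLD_LIKE:
            return True
    return False


def find_squats(observed, protected):
    # Returns (observed domain as given, matched brand or None, kind) for every hit.
    hits = []
    for raw in observed:
        host = refang(raw)
        apex = registrable(host)
        for brand in protected:
            kind = squat_kind(apex, brand)
            if kind:
                hits.append((raw, brand, kind))
        if is_level_squat(host):
            hits.append((raw, None, 'level-squat'))
    return hits


if __name__ == '__main__':
    for hit in find_squats(OBSERVED, PROTECTED):
        print(hit)
```

Running the file prints one tuple per hit; the real xfinity[.]com and the unrelated peoplesvote[.]uk produce none. The single-edit check is deliberately strict (distance 1 only), because widening it to distance 2 on short brand names floods the output with unrelated registrations.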
We found a\r\nparked domain, xifinity[.]com, that is a typosquatting domain mimicking xfinity[.]com (refer to our cybersquatting blog or this academic paper\r\nfor more information). When a user attempts to visit the Xfinity website but accidentally types an additional \"i,\"\r\nthey will go to xifinity[.]com and will be redirected to an advertiser page. We identified that the traffic to this domain is sold to multiple\r\nadvertisers. One of the advertisers, softonic[.]com, presents users with a software download page.\r\nBesides legitimate advertisers, we also captured multiple redirections to PUPs from attackers. Figure 8 shows one\r\nof the abusive landing pages, the level-squatting domain antivirus-protection[.]com-123[.]xyz. The landing page\r\ntries to trick users into believing that their machine is infected and that their McAfee subscription has expired.\r\nClicking on the “Proceed” button will redirect users to a legitimate McAfee download page offering an antivirus\r\nsubscription. We believe that attackers are abusing McAfee’s affiliate program to steal ad revenue.\r\nAs a squatting domain, xifinity[.]com receives a high visit volume compared to other parked domains. We\r\nobserved over 1,000 DNS requests for xifinity[.]com in our passive DNS dataset from June to September 2020,\r\nand the domain is still active as of this writing – as is antivirus-protection[.]com-123[.]xyz. From a domain\r\nowner’s perspective, using a parking service is a convenient way to monetize user traffic. However, as abusive\r\nadvertisers (i.e. attackers) are not filtered, users are exposed to various threats.\r\nFigure 8. 
The landing page impersonating McAfee while visiting xifinity[.]com.\r\nParking Service Abuse\r\nWe observed several parked pages using ztomy[.]com, the 14th-most popular parking service provider (shown in\r\nFigure 4), harvesting visitors' personal information. We observed that these pages generate fingerprints of users'\r\nbrowsers and send them back to the parked domain. The parked pages are using the browser fingerprinting script\r\nfrom pxlgnpgecom-a.akamaihd[.]net/javascripts/browserfp.min.js, which collects various browser and device attributes and\r\ntracks user behavior. These browser fingerprints could be leveraged to track visitors’ online activities, allowing\r\nadvertisement networks to target visitors with ads tailored to them. Additionally, domain owners complained\r\nonline that their domains' NS records were configured to ztomy NS servers without their awareness, which could\r\nbe considered a form of domain hijacking.\r\nFigure 9. An example of a parked domain, bridgeplatform[.]biz, using ztomy[.]com as the parking\r\nservice provider.\r\nConclusion\r\nIn summary, parked domains can expose users to threats as they can redirect visitors to malicious or unwanted\r\nlanding pages or turn entirely malicious in the future. Due to their questionable utility and the fact that our system\r\ncan quickly re-classify parked domains when they merit new categories, we suggest that Palo Alto Networks\r\nNext-Generation Firewall customers block the parked category with URL Filtering or DNS Security. 
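Whether a team blocks or only alerts, it needs a way to recognise parked domains in its own DNS data. The Python below is an added example, not the Unit 42 pipeline (which combines NS records with crawling and a classifier): it attributes each domain in a set of NS records to a parking provider by the apex of its name servers, the signal the post measured for Figure 4. Dedicated parking name servers yield a parked verdict; registrar default name servers such as domaincontrol[.]com only show that the delegation was never changed, so those domains are marked for the content check instead. The provider tables use names from the post; the domains and NS records are constructed sample data, and the apex helper is simplified to the last two labels.

```python
# Added example, not code from the Unit 42 post. It attributes domains to a parking
# provider from their NS delegation, the signal the post measured for Figure 4, and
# keeps dedicated parking name servers (a strong parked signal) apart from registrar
# default name servers (which only say the owner never changed the delegation, so the
# content check from the post pipeline is still needed). Provider tables are built
# from names in the post; the domains and NS records are constructed sample data.

from collections import Counter, defaultdict

DEDICATED_PARKING = {          # NS apex -> provider, names from Figure 4 in the post
    'sedoparking.com': 'Sedo',
    'above.com': 'above.com',
    'ztomy.com': 'ztomy.com',
}
REGISTRAR_DEFAULT = {          # registrar name servers that also serve live sites
    'domaincontrol.com': 'GoDaddy',
    'namebrightdns.com': 'NameBright',
}

NS_RECORDS = [                 # constructed passive-DNS style sample: (domain, NS target)
    ('deals-outlet[.]example', 'NS1.SEDOPARKING.COM.'),
    ('deals-outlet[.]example', 'ns2.sedoparking.com'),
    ('vote-poll[.]example', 'ns1.above.com'),
    ('vote-poll[.]example', 'ns2.above.com'),
    ('bridge-biz[.]example', 'ns1.ztomy.com'),
    ('bridge-biz[.]example', 'ns2.ztomy.com'),
    ('clinic-site[.]example', 'ns59.domaincontrol.com'),
    ('clinic-site[.]example', 'ns60.domaincontrol.com'),
    ('corp-site[.]example', 'a.iana-servers.net'),
    ('corp-site[.]example', 'b.iana-servers.net'),
    ('half-moved[.]example', 'ns1.sedoparking.com'),
    ('half-moved[.]example', 'ns1.corp-dns.example'),
]


def refang(name):
    # Normalise case, trailing dot and the [.] defanging used in reports.
    return name.strip().lower().rstrip('.').replace('[.]', '.')


def ns_apex(ns):
    # Last two labels of the name server; a real deployment would use the public suffix list.
    return '.'.join(refang(ns).split('.')[-2:])


def classify(ns_list):
    # Verdict for one domain from the set of its name servers.
    apexes = {ns_apex(ns) for ns in ns_list}
    dedicated = sorted(DEDICATED_PARKING[a] for a in apexes if a in DEDICATED_PARKING)
    registrar = sorted(REGISTRAR_DEFAULT[a] for a in apexes if a in REGISTRAR_DEFAULT)
    if dedicated and len(dedicated) == len(apexes):
        return ('parked', dedicated)
    if dedicated:
        # Mixed delegation: part of the NS set still points at a parking provider.
        return ('parked-partial', dedicated)
    if registrar and len(registrar) == len(apexes):
        return ('registrar-ns-check-content', registrar)
    return ('not-parking-ns', [])


def attribute(records):
    # Group (domain, ns) rows per domain and classify each domain once.
    by_domain = defaultdict(list)
    for domain, ns in records:
        by_domain[refang(domain)].append(ns)
    return {d: classify(ns_list) for d, ns_list in by_domain.items()}


def provider_counts(results):
    # Popularity table in the spirit of Figure 4: how many domains each provider parks.
    counts = Counter()
    for verdict, providers in results.values():
        if verdict.startswith('parked'):
            counts.update(providers)
    return counts


def alert_lines(results):
    # One line per domain that should raise a parked-domain alert.
    return ['ALERT parked domain {} via {} ({})'.format(d, ', '.join(p), v)
            for d, (v, p) in sorted(results.items()) if v.startswith('parked')]


if __name__ == '__main__':
    res = attribute(NS_RECORDS)
    for line in alert_lines(res):
        print(line)
    print(provider_counts(res))
```

Domains on registrar default name servers are deliberately not alerted on here; the post found the majority of parked domains on exactly those name servers, but so are countless live sites, which is why its pipeline adds crawling and a classifier on top of the NS signal.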
While this\r\nmay be deemed a bit overly cautious by some due to potential false positives, we suggest alerts be set up for\r\nadditional visibility at the bare minimum.\r\nPalo Alto Networks Next-Generation Firewall customers are protected against malicious indicators (domain, IP,\r\nURL, SHA256) mentioned in this blog via URL Filtering, DNS Security and Threat Prevention subscription\r\nservices.\r\nAcknowledgements\r\nWe would like to thank Wei Wang and Ryan Nangong for their help with providing some of the data sources\r\nnecessary for our analysis. We would also like to extend our gratitude to Jimmy Chen and Jun Javier Wang for\r\ntheir advice and help with improving the blog.\r\nIOCs\r\nEmotet campaign:\r\nvalleymedicalandsurgicalclinic[.]com\r\nvalleymedicalandsurgicalclinic[.]com/ujftb/statement/wr7hoba7i9hz\r\na9fe73484674696be756808e93f839be7157cd65995d8de9e67e40bf77c9b229\r\n54ac560845b09ce00a48b604ac7c440331cbde4362839a3dbf14c378230bee21\r\n50.91.114[.]38\r\n51.38.124[.]206\r\nFingerprinting:\r\n0redira[.]com/jr.php\r\nbridgeplatform[.]biz\r\npeoplesvote[.]uk\r\nCybersquatting:\r\nxifinity[.]com\r\nantivirus-protection[.]com-123[.]xyz\r\nSource: https://unit42.paloaltonetworks.com/domain-parking/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/domain-parking/"
	],
	"report_names": [
		"domain-parking"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434338,
	"ts_updated_at": 1775826721,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4771b94c4140de52570b7a3cb0c204f5e5a0afe9.pdf",
		"text": "https://archive.orkl.eu/4771b94c4140de52570b7a3cb0c204f5e5a0afe9.txt",
		"img": "https://archive.orkl.eu/4771b94c4140de52570b7a3cb0c204f5e5a0afe9.jpg"
	}
}