Skip to main content

Domain parking used to spread Emotet and impersonate McAfee

Person looking at website on laptop
(Image credit: Pexels)

By using a domain parking service, domain owners can easily monetize their sites' traffic through third-party advertisements but parked domains can also pose a significant threat to users as they can redirect them to malicious or unwanted landing pages.

As individuals and businesses are required to pay domain registrars an annual fee, many leverage parking services to monetize user traffic when they don't have content or a service ready to point their domains to. Setting up a domain parking service is simple as a domain owner only needs to point their name server records to the parking service.

Domain parking services then either present site visitors with a list of advertisements or automatically redirect users to advertisers' web pages. In the first case, both domain owners and parking services get paid when a users clicks on an ad while in the second case, they get paid per user visit.

Palo Alto Networks has been detecting parked domains for more than nine years and between March and September of this year, the cybersecurity firm identified 5m newly parked domains. However, during this same period, it has observed that 6m parked domains have transitioned to other categories.

In a new report, Palo Alto Networks has shed light on one case of domain registration abuse used to spread the Emotet malware and two cases of advertisement abuse, one of which used fingerprinters to track users online while the other impersonated the antivirus maker McAfee.

Domain registration and advertisement abuse

Palo Alto Networks has observed the domain valleymedicalandsurgicalclinic[.]com being used as part of a global Emotet campaign. Emotet is one of the most popular malware families that is mainly distributed via email. However, in this case, the campaign used multiple domains around the world to launch attacks against organizations in a variety of industries including education, government, energy, manufacturing, construction and telecommunications.

Cybercriminals have also used parked domains to commit advertisement abuse as was the case with the domains peoplesvote[.]uk and xifinity[.]com. When users visited peoplesvote[.]uk, they were presented with an ad listing page most of the time. However, some users were occasionally redirected to the site 0redira[.]com/jr.php which hosts an exploit kit script. This exploit kit was used to fingerprint users' browsers to silently track their web activity and hide landing URLs.

When it came to xifinity[.]com, attackers used a typosquatting domain imitating Comcast's internet service Xfinity to abuse McAfee's affiliate program in order to steal ad revenue. Users that misspelled Xfinity's website in their address bar were redirected to abusive landing pages. One of these pages, tried to trick users into believing that their machine was infected and that their McAfee subscription had expired. If a user clicked on the site's “Proceed” button, they were redirected to a legitimate McAfee download page offering an antivirus subscription.

While parked domains can be profitable for domain owners, they can expose users to threats as they have the ability to redirect visitors to malicious or unwanted landing pages.