The risks associated with parked domains- a gateway to grave cyberattacks
Brand owners buy domains and park them for several reasons, including future use or development and brand protection. Sometimes, they also buy them because they want to hold onto a name they like or identify with, even if they don’t have the purpose of developing it anytime soon.
Doesn’t this idea sound harmless at first?
Well, that’s not the ground reality, actually. Off lately, parked domains, or we should say ‘unsecured’ parked domains are becoming security vulnerabilities that threat actors take advantage of due to their dormant status.
In fact, well-known brands like Microsoft and DocuSigns’ parked domains have also been exploited. This is because phishing emails sent from reputed domains enhance their legitimacy and evade detection by secure email gateways (SEGs).
Common parked domain abuses
Business owners perceive parked domains as dormant and low-risk asset, overlooking their security. This mindset has contributed to the increase of following types of cyberattacks by exploiting parked domains.
Credential stealing
Threat actors typically use domains of trusted brands to deceive users into giving sensitive information, including login credentials. They set up a fake login page with a similar interface to the original website, tricking users into trusting the platforms and entering their credentials.
Malware distribution
Attackers hijack the DNS records of a parked domain to redirect traffic to malicious IP addresses or websites. This can involve changing the A record (which maps the domain to an IP address) or setting up malicious subdomains. As a result visitors to the parked domain are redirected to a site that servers malware, tries to steal credentials, or runs other malicious codes.
Another way they can distribute malware is by buying ad space on domain parking services that use advertising networks to monetize parked domains and injecting malicious ads into the ad network. So, whenever someone will click the advertisement, they will be taken to a website hosting malware or exploit kits.
Email phishing, spoofing, and ransomware
Parked domains with no proper authentication protocols (SPF, DKIM, and DMARC) are often used for phishing and spoofing emails. At times, malicious actors send emails to internal employees of the brand, requesting junior or mid-level employees to share sensitive data by impersonating a senior employee. Once they get access to the data, they demand ransom in exchange of getting rid of the copy, agreeing to not make it public, or sell it.
Search engine poisoning
Threat actors manipulate search engine rankings to push parked domains higher in search results, often using SEO techniques like keyword stuffing and backlinking. This way, they attract more visitors, leading them to insecure websites that distributes malware, request entering login credentials, or ask to share sensitive information.
Command and control servers
Bad actors use the DNS manipulation technique where they use dynamic DNS services with parked domains to frequently change the IP address associated with the domain. This makes it harder for defenders to track and block the C2 server. They may also exploit DNS queries and responses to communicate with malware by encoding commands in DNS traffic. Parked domains can be used to host these DNS servers, making it harder to detect C2 traffic.
Real-life example: Emotet Campaign
Cybercriminals used parked domains to spread malware through the Emotet botnet. Parked domains are inactive and often monetized through ads. Between March and September 2020, researchers found that about 1% of newly parked domains were misused for malware and phishing attacks. Parking services and ad networks often fail to filter out malicious advertisers, exposing users to threats.
Emotet’s attacks targeted multiple countries and various industries. One example is a domain, valleymedicalandsurgicalclinic.com, which was registered and parked in July 2020. By September, it was being used to deliver malware through phishing emails that stole credentials and compromised devices.
The Emotet botnet, initially a banking Trojan, has evolved to deliver various malware payloads, including QakBot and Trickbot, which can deploy ransomware like Ryuk and Conti. Some attacks also used COVID-19 themes to exploit fears, but they were not successful.
Preventing parked domain exploitation using SPF, DKIM, and DMARC
Using SPF, DKIM, and DMARC and robust email security measures for parked domains can help protect against email spoofing and phishing attacks that might abuse your domain name. Here’s how to implement these protocols for parked domains:
1. SPF (Sender Policy Framework)
SPF helps specify which mail servers are allowed to send email on behalf of your domain. For parked domains, you typically want to ensure no emails are sent, so you will set a restrictive SPF record.
2. DKIM (DomainKeys Identified Mail)
DKIM allows the recipient of an email to verify that it was indeed sent by the owner of the domain and that the message was not altered in transit. You won’t be sending emails for parked domains, so it’s an optional protocol.
3. DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC builds on SPF and DKIM by providing instructions on handling emails that fail SPF and/or DKIM checks. It also offers reporting capabilities.
Here is an example of a DMARC record–
v=DMARC1; p=reject; rua=mailto:your-email@example.com; ruf=mailto:your-email@example.com; fo=1;
Where:
- v=DMARC1: Specifies the DMARC version.
- p=reject: Instructs receiving mail servers to reject all emails that fail SPF or DKIM checks.
- rua=mailto:your-email@example.com: Provides an email address to receive aggregate reports about emails sent from your domain.
- ruf=mailto:your-email@example.com: Provides an email address to receive forensic reports on emails that fail DMARC checks.
- fo=1: Requests a report for every message that fails either SPF or DKIM.
Final words
To protect parked domains, enable domain locking and two-factor authentication (2FA) with your registrar to prevent unauthorized changes or transfers. Additionally, consider using WHOIS privacy protection to hide your personal information from potential attackers. By taking these proactive measures, you can significantly reduce the risk of your parked domains being compromised.
As for us, we can help you implement SPF, DKIM, and DMARC. Contact us to know more or get started.