Parked Domains Become Weapons with Direct Search Advertising
ID: cafa1c36-a03f-512d-861a-4957bb62a4e1
STIX ID: report--cafa1c36-a03f-512d-861a-4957bb62a4e1
Feed Name: Infoblox Blog
This report analyzes how parked and lookalike domains are weaponized through direct-search (zero-click) parking and traffic distribution systems (TDSs) to deliver scams, scareware, and malware. It profiles three distinct domain portfolio operators: a torresdns holder with roughly 3,000 lookalike domains (including gmai.com); a double "fast flux" operator that rotates both its authoritative name servers and their IP addresses (e.g., ic3.org); and domaincntrol.com, which typosquats GoDaddy's domaincontrol.com name servers and selectively targets users of Cloudflare's 1.1.1.1 resolver. It details techniques such as device fingerprinting, multi-stage TDS redirection, cloaking, name server typosquatting, and resolver-selective DNS responses. The investigation observed active exploitation (Tedy, Babar, ClickFix attacks, and BEC via typosquatted mail domains) and provides indicators including SHA256 hashes, domains, name server domains, and IP addresses.
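The name server typosquatting described above (domaincntrol.com standing in for GoDaddy's domaincontrol.com) is cheap to hunt for in passive DNS or zone data: compare each registered domain and each NS hostname's registrable domain against a small target list using an edit distance that counts a dropped or swapped character as a single step. The following is an added example written for this page, not code from the Infoblox report. It assumes a naive "last two labels" notion of registrable domain (no public suffix list), a hand-picked target list (domaincontrol.com and cloudflare.com for name servers, gmail.com for brands, and ic3.gov as the assumed target of ic3.org, which the report does not state), and constructed sample records; it also generalizes to TLD-swap lookalikes (same second-level label, different TLD) beyond the single-character typos the report highlights.

```python
"""Flag lookalike registered domains and lookalike name-server domains.

Added example for this page; not code from the Infoblox report.
Target lists, sample records, and the ic3.gov assumption are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumption: short allowlist of legitimate name-server registrable domains.
KNOWN_NS_DOMAINS = {"domaincontrol.com", "cloudflare.com"}
# Assumption: brands to watch. ic3.gov is assumed to be the target of ic3.org.
WATCHED_BRANDS = {"gmail.com", "ic3.gov"}


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or
    transpose two adjacent characters, each costing 1."""
    prev2: list[int] = []
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # adjacent transposition
        prev2, prev = prev, cur
    return prev[-1]


def registrable_domain(fqdn: str) -> str:
    """Assumption: last two labels. Wrong for suffixes like co.uk; use a
    public suffix list for production."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(name: str, targets: set[str], max_distance: int = 1):
    """Return (target, how) if name's registrable domain is a lookalike of a
    target: 'tld-swap' for same SLD/different TLD, 'typo' for edit distance
    within max_distance. Exact matches are legitimate and return None."""
    cand = registrable_domain(name)
    if cand in targets or "." not in cand:
        return None
    c_sld, c_tld = cand.rsplit(".", 1)
    for target in targets:
        t_sld, t_tld = target.rsplit(".", 1)
        if c_sld == t_sld and c_tld != t_tld:
            return target, "tld-swap"
        if edit_distance(cand, target) <= max_distance:
            return target, "typo"
    return None


@dataclass(frozen=True)
class Finding:
    domain: str      # registered domain the record belongs to
    kind: str        # 'lookalike-domain' or 'lookalike-nameserver'
    evidence: str    # the string that matched (domain or NS hostname)
    target: str      # legitimate domain being imitated
    how: str         # 'typo' or 'tld-swap'


def flag_records(records, ns_targets=KNOWN_NS_DOMAINS, brand_targets=WATCHED_BRANDS):
    """records: iterable of (domain, [ns hostnames]) pairs, e.g. from
    passive DNS. Returns a list of Finding objects."""
    findings: list[Finding] = []
    for domain, nameservers in records:
        hit = lookalike_of(domain, brand_targets)
        if hit:
            findings.append(Finding(domain, "lookalike-domain", domain, *hit))
        for ns in nameservers:
            hit = lookalike_of(ns, ns_targets)
            if hit:
                findings.append(Finding(domain, "lookalike-nameserver", ns, *hit))
    return findings


# Constructed sample records (domain, NS hostnames); not indicators from the report.
SAMPLE_RECORDS = [
    ("gmai.com", ["ns1.parking-host.example"]),
    ("shop-legit.example", ["ns01.domaincntrol.com", "ns02.domaincntrol.com"]),
    ("ic3.org", ["ns1.ic3.org"]),
    ("legit.example", ["ns41.domaincontrol.com", "ns42.domaincontrol.com"]),
]

if __name__ == "__main__":
    for f in flag_records(SAMPLE_RECORDS):
        print(f"{f.domain}: {f.kind} via {f.evidence} -> {f.target} ({f.how})")
```

A distance threshold of 1 on the full registrable domain keeps false positives low for names as long as domaincontrol.com, but short targets will collide with unrelated legitimate names, so treat matches as hunting leads to enrich with registration date, resolving IPs, and the resolver-dependent answers the report describes rather than as verdicts.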
