According to an article recently published at the 2024 Web Conference, so-called “phantom domains” let malicious individuals hijack hyperlinks and exploit users’ trust in familiar websites.

The study describes phantom domains as live links to dot-com domains that have never been registered.

Enterprises should be aware of how phantom domains arise, the risks they carry, and how to disrupt phantom attacks. The two main types of phantom domains are errors and placeholders.

Domain mistakes

Mistakes occur when web developers or administrators make errors, such as misspelling the destination domain. The result is a link that appears legitimate but leads nowhere.

For example, consider a hypothetical sporting goods store called Bob’s Sports Gear. Bob’s website is www.bobssportsgear.com. Links on the website should point to pages under this root domain, like /products, /about, or /contact. A simple error could lead to a phantom domain.

Rushing to finish their new website, Bob’s team mistakenly entered www.bobsportsgear.com instead of www.bobssportsgear.com on the homepage. The only difference is the missing “s” in the domain name. Because the mistyped name is so close to the real one, such mistakes often go unnoticed for weeks or even months.

Temporary domains

Developers might also use temporary domains for links. These links may point to domains that are not yet live but are part of a larger web project. If the project is abandoned and the links aren’t removed, they remain active but essentially useless.

Continuing the earlier example, Bob plans to expand his business to include outdoor gear for camping, fishing, and BBQs. While developers work on the new site, they add a placeholder link on the original Bob’s Sports website pointing to www.bobsoutdoorgear.com. Due to changing market conditions, the site never materializes, but the link remains active.

Temporary links can also surface when companies buy web templates from designers or developers. These templates often contain placeholder links to meaningless domains that need to be replaced by businesses before launching the website.

According to the study, there are currently links to over 572,000 phantom domains on the web.

The ghost threat

Phantom domains become potential attack vectors when malicious actors take them over. If attackers find a typo in a link on a prominent site that leads to a phantom domain, they can buy the domain at a low price. As the new domain owners, they can register it and create a spoofed version of the legitimate site. To users, clicking a link on a trustworthy website appears to keep them on the same site, but they have actually landed on a counterfeit page that may request their credentials or push them to download infected files.

The outcome? Hijacked links on reliable pages, which users may click without scrutiny because their guard is down. Spoofing attacks through phantom links significantly increase attackers’ chances of success. An analysis of 51 purchased and registered phantom domains revealed that 88% surpassed the traffic of a control domain, sometimes receiving up to 10 times more visits.

Education is crucial

From an educational perspective, companies must convey the inherent risks of any link on any page—rather than just those in unsolicited emails or texts. Fake websites are frequently used by cybercriminals in phishing and smishing attacks, prompting firms to instruct employees on spotting and avoiding such deceptive links.

At its core, the lesson is straightforward: avoid clicking on unfamiliar links. This is sound advice that significantly decreases the likelihood of compromise. However, the issue with phantom domains is that the danger doesn’t originate with cybercriminals, but with users landing on a trusted site with a recognizable URL. Trusting that the site is secure, users skip scrutinizing every link, believing the site owners have already safeguarded hyperlink integrity.

From users’ perspective, there is no perceived risk: they accessed the right URL, interacted with a secure link, and shared their credentials in response to a legitimate request.

Craft your strategy

To take action, companies should proactively scan their web pages for non-functional links. Free tools exist for this task, and using AI to detect phantom links, check their current status, and evaluate potential risks on associated sites is an additional option.
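One way to run such a scan, as an added example (not code from the article or the study): it extracts the link targets from a page, flags external domains that do not resolve, and marks those within a small edit distance of the site’s own domain as likely typos. The function names, the threshold of 2, the sample page and the `LIVE` lookup set are assumptions made for illustration.

```python
import socket
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkHosts(HTMLParser):
    """Collect the hostname of every absolute <a href> on a page."""
    def __init__(self):
        super().__init__()
        self.hosts = set()
    def handle_starttag(self, tag, attrs):
        host = urlparse(dict(attrs).get("href") or "").hostname if tag == "a" else None
        if host:
            self.hosts.add(host.lower())

def registrable(host):
    return ".".join(host.split(".")[-2:])  # simplification: fine for dot-com names

def edit_distance(a, b):
    # Levenshtein distance, computed one row at a time.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[-1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def dns_resolves(domain):
    # First-pass signal only: a failed lookup does not prove the name is unregistered.
    try:
        return bool(socket.getaddrinfo(domain, None))
    except socket.gaierror:
        return False

def audit_links(html, own_domain, resolves=dns_resolves):
    parser = LinkHosts()
    parser.feed(html)
    findings = {}
    for domain in sorted({registrable(h) for h in parser.hosts} - {own_domain}):
        if not resolves(domain):
            near = edit_distance(domain, own_domain) <= 2  # assumed typo threshold
            findings[domain] = "typo of own domain" if near else "dead external link"
    return findings

# Constructed page and lookup table, based on the article's hypothetical store.
SAMPLE = """<a href="https://www.bobssportsgear.com/products">Products</a>
<a href="https://www.bobsportsgear.com/about">About</a> <a href="/contact">Contact</a>
<a href="https://www.bobsoutdoorgear.com/">Outdoor</a> <a href="https://example.com/">Partner</a>"""
LIVE = {"bobssportsgear.com", "example.com"}  # names treated as registered
print(audit_links(SAMPLE, "bobssportsgear.com", resolves=LIVE.__contains__))
```

Against real pages, leave `resolves` at its DNS default and confirm each flagged name with a WHOIS or RDAP lookup before treating it as unregistered.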

Implementing credential management solutions that offer autofill for trusted sites but not for unknown URLs is also advisable. These tools autofill login data if users land on the legitimate e-commerce login page for www.bobssportsgear.com. If, however, they land on bobsportsgear.com, the credentials won’t populate. While not foolproof against hijacked links, this prompts users to consider the situation and its causes.

Eliminating the vulnerable spot(s)

Links to phantom domains aren’t inherently dangerous. Provided companies regularly review their sites for mistyped URLs and remove any placeholder links, the risk of hijacked links diminishes.

However, the challenge is that companies only have control over their own sites. If employees visit trusted banking, e-commerce, or business partner sites affected by malicious actions, the outcome mirrors phishing or spoofing attacks.

Unsurprisingly, the key to removing vulnerabilities is acknowledging that they’re human rather than digital. By training staff to verify domains before clicking through, enterprises can reduce the threat of hijacked hyperlink incidents.