According to a recent paper published at the 2024 Web Conference, so-called “phantom domains” make it possible for malicious actors to hijack hyperlinks and exploit users’ trust in familiar websites.

The research defines phantom domains as active links to dot-com domains that have never been registered.

Here’s what enterprises need to know about how phantom domains emerge, the potential risks they represent and what they can do to disrupt phantom attacks. There are two common types of phantom domains: Errors and placeholders.

Domain errors

Errors occur when web developers or administrators make mistakes, such as misspelling the intended domain destination. The result is a link that looks legitimate but instead goes nowhere. 

Consider the example of a fictional sporting goods store, Bob’s Sports Gear. As expected, Bob’s website is www.bobssportsgear.com. Links on the company’s website should point to subdomains of this top-level domain, such as /products, /about or /contact. A simple mistake, however, can create a phantom domain.

With Bob’s under a time crunch to complete their new website, one (or more) links on the homepage are entered as www.bobsportsgear.com. It’s a simple error — all that’s missing is the second “s” in the domain name. Because the mistake is so close to the actual site name, it’s easy for these errors to go unnoticed for weeks or months.

Placeholder domains

Developers may also use placeholder domains for links. Placeholder links may point to domains that aren’t live yet but are part of a larger web project. If the project isn’t completed and the links aren’t removed, they remain active but effectively useless.

Continuing with the example from above, Bob decides to expand his business and start selling outdoor goods for camping, fishing and BBQing. While developers get to work on the new site, his team adds a placeholder link on the original Bob’s Sports website that points to www.bobsoutdoorgear.com. Unfortunately, changing market conditions force Bob to scrap the idea. The website is never completed — but the link remains active.

Placeholder links may also pop up when companies purchase web templates directly from designers or developers. These templates often contain placeholder links to nonsense domains that should be replaced by businesses before the website goes live.

According to the paper, these domains aren’t digital outliers — the web currently contains links to more than 572,000 phantom domains.

The phantom menace

Phantom domains become potential attack vectors when compromised by malicious actors. If attackers discover a misspelled link on a popular website that leads to a phantom domain, they could purchase this domain, often for a low cost. As the new owners of the domain, they properly register and list their website, then create a spoofed copy of the legitimate site. From a user’s perspective, clicking a link on a trusted webpage takes them to another section of that same webpage — in actuality, they’ve arrived on a fake page that may ask for their credentials or convince them to download infected files.

The result? Hijacked hyperlinks on trusted pages — hyperlinks that users may click through without checking for typos or other issues because their guard isn’t up. Spoofing attacks tied to phantom links offer a significantly higher likelihood of success for attackers. For example, an analysis of 51 phantom domains bought and registered found that 88% exceeded the traffic of a control domain, sometimes up to 10 times more visits.

Education is key

From an education standpoint, enterprises need to communicate the inherent risk of any link on any page — not just those that appear in unsolicited emails or text messages.  Spoofed websites are a common tactic used by cyber criminals in phishing and smishing attacks, which has led many enterprises to invest time and effort in teaching staff to recognize and avoid the risk of spoofed links.

Pared down to its basic premise, this education is simple: Don’t click on links you don’t recognize. It’s good advice, and it helps companies significantly reduce the risk of compromise. The problem with phantom domains, however, is that compromise doesn’t start with cyber criminals. Instead, users navigate to a legitimate website with a familiar URL. Because the site is familiar, they don’t spend time checking every link on the page — instead, they assume the owners of the site have done their due diligence to ensure hyperlink security.

From the users’ perspective, no risk exists: they entered the right URL, clicked on a secure link and provided their credential data in response to a legitimate request.

Build your action plan

When it comes to action, companies need to ensure they’re actively scanning their web pages for links that don’t lead anywhere. Free tools are available for this purpose, but there’s also an opportunity here to leverage AI to find phantom links, check if they’re now tied to active websites and assess the potential risk of those sites.

It’s also worth deploying credential management tools that offer autofill options for trusted sites. but won’t populate credentials for unknown URLs. This means that if users land on the e-commerce account login page for www.bobssportsgear.com, security tools will automatically provide login data. If, however, they’ve ended up on bobsportsgear.com, credentials won’t appear. While this isn’t a 100% deterrent against hijacked hyperlinks, it’s often enough to get users thinking about what’s going on, and why it’s happening.

Eliminating the weakest link(s)

Links to phantom domains don’t pose an inherent risk — so long as companies ensure they review websites for misspelled URLs and remove any placeholder links, hijacked hyperlinks are impossible.

The challenge, however, is that enterprise control only extends to the sites they own. If staff visit trusted banking, e-commerce or business partner websites that have been subject to spooky action, the results are much the same as phishing or spoofing attacks.

Not surprisingly, the secret to eliminating weakest links is recognizing that they’re human rather than digital. By training staff to double-check domains before they click through, companies can reduce the risk of hijacked hyperlink hacks.