How Domain Expiration Can Potentially Disrupt Other Websites

A website owner recently reached out to us about a pop-up advertisement problem on their website which occurred any time someone clicked anywhere on the web page.

This irritating pop-up didn’t come from malware placed in the website’s files or database, but rather from a single JavaScript source that the owner added to a widget:

External JavaScript Affiliate Tracking
At one point, this external JavaScript file had been used for affiliate tracking purposes, but the domain had expired earlier this year and registered by a new owner.

Affiliate Tracking Replaced With Pop-Up Ads

The new owner decided to park the domain at ParkingCrew. And now, whenever a Javascript file is requested from the parked domain, it loads a JavaScript pop-up advertisement code instead of the expected affiliate tracking code:

ParkingCrew Affiliate Tracking Code Serving AdsAs illustrated in the example below, a HTML WordPress widget uses the JavaScript source and loads it on the homepage with every click event.

How advertisements are loaded from ParkingCrew
The script loads an advertisement landing page commonly found on domain parking services like ParkingCrew.

In fact, the actual JavaScript used for this pop-up advertisement is the exact same used in an almost identical issue we encountered and detailed in this post three years ago.

It’s not clear if some of their users are purposely targeting domains like the expired one in this example or if they just register so many expired domains that it’s purely coincidental.

Domain Parking Services Linked to Pop-Up Ad Traffic

One noticeable thing is that the domain service ParkingCrew claims to use various tracking features to identify suspicious traffic from users trying to generate higher advertising traffic payouts.

Unfortunately, it looks as if Team Internet AG is the parent company to ParkingCrew. They also happen to own a traffic marketplace operating under the name TONIC. On TONIC’s website, potential users receive heavily advertised pop-up ad traffic.

Third-party TONIC JavaScript

As TONIC directly sells this type of traffic and benefits financially, it’s likely we’ll continue to see their services used in association with expired domains for third-party JavaScript sources.


While many site owners dedicate endless resources to promoting their products and services or attracting leads, this particular incident highlights the importance of also monitoring site components and overall functionality.

Each third-party element loaded onto your website decreases your website’s security. If the domain falls into the wrong hands, you may be at risk of serving unwanted ads, malicious redirects, or malware injections to site visitors.

To mitigate security risks, we always encourage website owners to keep all software (including third-party themes, plugins, and components) up to date. Also, perform audits on a regular basis.

In addition, you can use free monitoring services like Google Search Console to receive alerts whenever crawlers detect security issues. However, most free services are unable to access your web server and can miss malware at the server level. We recommend looking into professional website monitoring and alerting solutions to detect and mitigate all threats against your site.

You May Also Like