- NordVPN discovered adware campaign operating across 50,000 websites
- The malware collects highly specific device data to profile and track you
- The adware can detect and bypass ad blockers with domains that change daily
Who doesn’t love a free movie? Unfortunately, a recently uncovered cyber threat is proving the old adage true: if the product is free, you are the product. NordVPN’s Threat Intelligence team has exposed a highly sophisticated adware campaign that has successfully infected at least 50,000 active websites, turning the hunt for free content into a cybersecurity minefield.
The campaign is specifically targeting high-risk corners of the internet, including illegal streaming platforms, torrent portals, underground forums, and adult websites.
Once a user lands on an infected page, the adware — a type of malware that hides behind online ads — deploys invasive tracking scripts to build a persistent profile of the user’s device, harvesting data that ranges from their hardware specs to whether they use a crypto wallet.
“If you’re not paying for a product, you are often the product,” says Marijus Briedis, CTO at NordVPN, explaining that what looks like a free stream or download can quickly become a gateway to tracking, scams, and malware.
According to NordVPN, the scale of the threat is immense. Every single month, hundreds of thousands of the company’s users encounter infection attempts tied directly to this specific adware kit.
How the adware campaign works
The operation works by loading a hidden JavaScript tag the moment a real person visits an infected website. To ensure maximum profit, the adware utilizes a fingerprinting module to build a persistent visitor ID stored directly on your device, allowing operators to track you even without using traditional cookies.
The sheer volume of data collected by this script is staggering. It scopes out your CPU cores, RAM, operating system, and installed plugins.
But it goes further than standard tracking. The adware actively hunts for browser-injected crypto wallet tools like MetaMask, checks for motion signals like accelerometer and gyroscope availability, and even uses favicon checks to figure out if you are logged into YouTube.
This highly specific profile is then likely sold to third parties or used to target you with customized scams.
“This campaign shows how cybercriminals turn user attention, personal data, and risky browsing habits into revenue at industrial scale,” said Briedis.
Perhaps the most alarming aspect of this adware is how aggressively it hijacks your browsing experience.
You don’t even need to click on a visible advertisement to fall victim. Simply clicking on an ordinary, non-advertising part of the infected webpage can trigger a redirect, immediately sending you to phishing campaigns, malware download sites, or push-subscription traps.
If you think your current ad blocker is enough to keep you safe, think again. The adware actively detects when filtering protections are running in your browser. If it spots an ad blocker, it switches to a proxy bypass mechanism, dubbed “adblock-proxy-super-secret” by its creators, which generates at least three brand new domains every 24 hours.
This constant shifting allows the malware to effortlessly dodge standard security blocklists. It even hides its malicious behavior if it detects a search engine bot, ensuring the infected pirate sites look completely harmless to Google.
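Because the domains rotate daily, a list of known-bad hostnames is always a day behind, so detection has to key on behaviour instead. The following is an added example, not part of the original article or NordVPN's tooling: it flags script hosts first seen in the last 24 hours that load from several unrelated sites. The log format, hostnames and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log: time, page being visited, host a script was loaded from.
# Every hostname is an invented placeholder, not an indicator from the campaign.
SAMPLE_LOG = """\
2024-05-01T09:00:00 news.example cdn.static.example
2024-05-01T09:05:00 stream1.example rot-a.example
2024-05-01T09:06:00 torrent1.example rot-a.example
2024-05-02T08:00:00 stream1.example rot-b.example
2024-05-02T08:30:00 torrent1.example rot-b.example
2024-05-03T08:00:00 stream1.example rot-c.example
2024-05-03T08:10:00 torrent1.example rot-c.example
2024-05-03T09:00:00 shop.example cdn.static.example
2024-05-03T10:00:00 blog.example fonts.newsite.example
"""
NOW = datetime.fromisoformat("2024-05-03T12:00:00")
BLOCKLIST = frozenset({"rot-a.example", "rot-b.example"})  # list as of yesterday


def parse(log):
    for line in log.strip().splitlines():
        ts, page, host = line.split()
        yield datetime.fromisoformat(ts), page, host


def static_blocklist_hits(log, blocklist):
    """Hosts a fixed blocklist would have stopped."""
    return {host for _, _, host in parse(log) if host in blocklist}


def flag_fresh_script_hosts(log, now, blocklist=frozenset(),
                            max_age=timedelta(hours=24), min_pages=2):
    """Unlisted script hosts first seen within max_age that load from at
    least min_pages distinct sites. Assumes the log reaches back further
    than max_age; otherwise every host looks new."""
    first_seen, pages = {}, defaultdict(set)
    for ts, page, host in parse(log):
        if host in blocklist:
            continue
        first_seen[host] = min(ts, first_seen.get(host, ts))
        pages[host].add(page)
    return sorted(h for h, seen in first_seen.items()
                  if now - seen <= max_age and len(pages[h]) >= min_pages)


if __name__ == "__main__":
    print("blocklist caught:", sorted(static_blocklist_hits(SAMPLE_LOG, BLOCKLIST)))
    print("fresh and unlisted:", flag_fresh_script_hosts(SAMPLE_LOG, NOW, BLOCKLIST))
```

The fan-out threshold keeps a new host used by a single site from being flagged; a flagged host is a lead for review, not proof of malice.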
How to stay safe
To protect your digital life, NordVPN’s CTO Marijus Briedis recommends taking the following precautions:
- Avoid “free” premium content: Stay away from piracy and illegal streaming sites, as these environments are hotbeds for adware and phishing.
- Use tracker protections: Employing reputable ad and tracker blockers limits malicious scripts from executing in your browser.
- Reject push notifications: If a sketchy website asks for permission to send you notifications, deny the request immediately.
- Update your software: Keep your browser and security tools up to date to ensure they can catch the latest malicious scripts and deceptive redirects.




