- NordVPN discovered an adware campaign operating on 50,000 websites
- The malware collects very specific device data to profile and track you
- Adware can detect and bypass ad blockers with domains that change daily
Who doesn’t love a free movie? Unfortunately, a recently discovered cyber threat confirms the old adage: if the product is free, you are the product. NordVPN’s Threat Intelligence team has revealed a highly sophisticated adware campaign that managed to infect at least 50,000 active websites, turning the hunt for free content into a cybersecurity minefield.
The campaign specifically targets high-risk areas of the internet, including illegal streaming platforms, torrent portals, underground forums and adult websites.
Once a user lands on an infected page, the adware – a type of malware that hides behind online advertisements – deploys invasive tracking scripts to create a persistent profile of the user’s device, harvesting data ranging from its hardware specifications to whether or not it uses a crypto wallet.
“If you’re not paying for a product, you’re often the product,” says Marijus Briedis, CTO at NordVPN, explaining that what looks like a free stream or download can quickly become a gateway to tracking, scams, and malware.
According to NordVPN, the scale of the threat is immense. Every month, hundreds of thousands of the company’s users encounter infection attempts directly linked to this specific ad kit.
How the advertising campaign works
The operation works by loading a hidden JavaScript tag the moment a real person visits an infected website. To ensure maximum profit, the adware uses a fingerprinting module to create a persistent visitor ID stored directly on your device, allowing operators to track you even without using traditional cookies.
The volume of data collected by this script is staggering. It covers your CPU cores, RAM, operating system and installed plugins.
But it goes further than standard tracking. The adware actively scans for browser-injected crypto wallet tools like MetaMask, checks for motion signals such as accelerometer and gyroscope availability, and even uses favicon checks to determine if you are logged in to YouTube.
This very specific profile is then likely sold to third parties or used to target you with personalized scams.
“This campaign shows how cybercriminals are turning user attention, personal data and risky browsing habits into revenue on an industrial scale,” Briedis said.
Perhaps the most alarming aspect of this adware is how it aggressively hijacks your browsing experience.
You don’t even have to click on a visible ad to fall victim to it. A single click on an ordinary, non-advertising part of the infected web page can trigger a redirect, immediately sending you to phishing campaigns, malware download sites or subscription push traps.
If you think your current ad blocker is enough to keep you safe, think again. The adware actively detects when filtering protections are running in your browser. If it detects an ad blocker, it switches to a proxy bypass mechanism, dubbed “adblock-proxy-super-secret” by its creators, which generates at least three new domains every 24 hours.
This constant change allows the malware to effortlessly avoid standard security blocklists. It even hides its malicious behavior if it detects a search engine bot, ensuring that infected pirate sites appear completely harmless to Google.
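One way to check a site for the crawler cloaking described above is to fetch the same URL once with a search-crawler user agent and once with a normal browser user agent, then compare which script hosts each response loads. The following is an added example, not NordVPN's tooling and not code from the campaign; the URL, hostnames and HTML are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class ScriptHosts(HTMLParser):
    """Collect the hostname of every external <script src=...> on a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            # urljoin resolves relative and protocol-relative (//host/x.js) URLs
            host = urlparse(urljoin(self.page_url, src)).hostname
            if host:
                self.hosts.add(host.lower())


def script_hosts(page_url, html):
    parser = ScriptHosts(page_url)
    parser.feed(html)
    return parser.hosts


def cloaked_hosts(page_url, html_as_bot, html_as_browser):
    """Third-party script hosts served to the browser but withheld from the crawler."""
    first_party = urlparse(page_url).hostname
    only_browser = script_hosts(page_url, html_as_browser) - script_hosts(page_url, html_as_bot)
    return sorted(h for h in only_browser if h != first_party)


# Constructed sample responses for one URL (hypothetical hosts under .example)
URL = "https://streams.example/watch/123"
AS_BOT = """<html><head><script src="/static/player.js"></script>
<script src="https://cdn.player.example/v2/core.js"></script></head></html>"""
AS_BROWSER = """<html><head><script src="/static/player.js"></script>
<script src="https://cdn.player.example/v2/core.js"></script>
<script async src="//a1b2c3.rotating.example/tag.min.js"></script></head></html>"""

if __name__ == "__main__":
    print(cloaked_hosts(URL, AS_BOT, AS_BROWSER))
```

A static comparison like this only catches cloaking done in the served HTML; tags injected at runtime by other scripts require rendering both variants in a headless browser and comparing the network requests instead.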
How to stay safe
To protect your digital life, Marijus Briedis, CTO of NordVPN, recommends taking the following precautions:
- Avoid “free” premium content: Stay away from piracy and illegal streaming sites, as these environments are hotbeds for adware and phishing.
- Use tracker protections: Using reputable ad and tracker blockers limits the execution of malicious scripts in your browser.
- Reject push notifications: If a sketchy website asks for permission to send you notifications, deny the request immediately.
- Update your software: Keep your browser and security tools updated to ensure they can detect the latest malicious scripts and deceptive redirects.




