A new report from NordVPN paints an ugly picture of what can happen when users wander into the internet’s shadier neighborhoods.
According to research shared with NERDS.xyz by NordVPN’s Threat Intelligence team, a sophisticated adware operation has been found on at least 50,000 active websites! The campaign appears to thrive on sites offering pirated movies and TV shows, torrent downloads, underground forums, and adult content.
Calling it adware almost feels too generous.
NordVPN says the software does much more than flood browsers with annoying ads. It fingerprints visitors, tracks behavior across browsing sessions, detects ad blockers, and can redirect users to phishing pages, scams, and malware downloads.
Researchers found that users don’t even have to click an advertisement to trigger the redirects. On infected sites, ordinary clicks anywhere on a page can potentially send visitors somewhere they never intended to go.
“If you’re not paying for a product, you are often the product,” said Marijus Briedis, CTO at NordVPN. “This campaign shows how cybercriminals turn user attention, personal data, and risky browsing habits into revenue at industrial scale. What looks like a free stream or download can quickly become a gateway to tracking, scams, and malware.”
The amount of information allegedly collected is extensive. NordVPN says the adware gathers details about a visitor’s hardware, browser, operating system, language settings, installed fonts, and plugins. It also tracks behavioral information such as scrolling activity, referral sources, and clicks.
The software reportedly goes a step further by checking for cryptocurrency wallet extensions such as MetaMask and collecting additional signals that help build a detailed profile of each visitor.
The campaign is also designed to fight back against defenses. NordVPN says it can detect ad blockers and switch to fresh domains in an effort to avoid being blocked. Researchers also found behavior intended to hide malicious activity from search engine crawlers.
According to the company, hundreds of thousands of NordVPN users encounter activity connected to this operation every month.
As with any security report released by a company that sells security products, readers should keep in mind that there is a business incentive to highlight online threats. Still, none of the recommendations here are particularly controversial. Avoiding piracy sites, refusing notification requests from sketchy pages, and keeping browsers and security tools updated remain smart advice.
Perhaps the biggest takeaway is how much adware has changed over the years. The old days of obnoxious pop-ups and blinking banner ads have given way to something far more sophisticated… and potentially far more dangerous.
Support independent tech journalism
NERDS.xyz is independently owned and operated. If you enjoy my coverage of Linux, AI, hardware, cybersecurity, and tech culture, consider supporting the site on Ko-fi.
Support NERDS.xyz