Online Ads Are Tracking You. Some Are Trying to Hack You.

Ad blocking isn't just about convenience. Malicious ads have delivered ransomware through Forbes, the New York Times, and the BBC. Meanwhile, even "legitimate" ads track you across every site you visit using methods most people have never heard of.

When Trusted Sites Served Malware

Malvertising - malware delivered through advertising networks - doesn't require visiting a dodgy website. It happens on sites you trust, because the ads are served by third-party networks that the site itself doesn't fully control.

Forbes.com (2015)

Forbes.com was compromised through its ad network, redirecting visitors to exploit kits that installed ransomware and other malware. The irony? Forbes was one of the first major sites to block visitors using ad blockers, essentially forcing them to disable their protection before serving them malicious ads.

The New York Times, BBC, and MSN (2016)

In a single campaign, rogue ads appeared across the New York Times, BBC, MSN, and AOL simultaneously. The ads redirected users to exploit kits designed to install ransomware. Millions of readers were potentially exposed before the ads were pulled.

Google Search Ads (2024-2026)

Attackers have been buying Google Search ads that impersonate legitimate software downloads. Users searching for popular tools see a sponsored result at the top - click it, and they're taken to a convincing fake page that installs info-stealing malware or ransomware. Google blocked over 5.1 billion ads and suspended 39.2 million advertiser accounts in 2024 alone, but the attacks keep evolving.

Facebook Ad Scams (2026)

In early 2026, Bitdefender researchers found over 310 active malvertising campaigns running through Facebook ads. These used celebrity impersonations and fake news articles to funnel victims into investment fraud schemes, operating across multiple languages and countries.

How Advertisers Track You Across Every Site

Even when ads aren't carrying malware, they're collecting data about you. Here's every major method advertisers use to follow you around the internet:

1. Third-Party Cookies

The method everyone knows about. An ad loads a cookie from its own domain (say, ads.tracker.com), and that same cookie is read every time you visit any other site running the same ad network. This builds a detailed profile of every site you visit.

Safari and Firefox already block these by default. Chrome still allows them - Google makes its money from targeted advertising, so they've repeatedly delayed phasing them out.

2. Browser Fingerprinting

This is the one most people don't know about, and it's far harder to block than cookies. Instead of storing anything on your device, fingerprinting collects a unique combination of your browser's characteristics:

• Screen resolution and colour depth
• Installed fonts
• GPU model (via WebGL rendering)
• Audio processing quirks (AudioContext API)
• Time zone, language, platform
• Canvas rendering - how your browser draws shapes (unique per device)

Combined, these create a fingerprint that identifies your specific browser with 95-99% accuracy. No cookies needed. Clearing your browser data doesn't help. Incognito mode doesn't help. The fingerprint stays the same.

3. Tracking Pixels

A 1x1 invisible image loaded on a page or in an email. When it loads, it pings a server with your IP address, device type, browser info, and the exact time you opened the page or email. You never see it, and unlike cookies, there's nothing stored on your device to delete.

Every major email marketing platform uses these. That email you opened? The sender knows when, where, and on what device.

4. CNAME Cloaking

This is how trackers defeat ad blockers. Normally, ad blockers work by blocking requests to known tracking domains (like tracker.facebook.com). CNAME cloaking gets around this by having the website create a subdomain (like data.example.com) that secretly redirects to the tracking company's servers using a DNS record.

To your browser and your ad blocker, it looks like a normal first-party request to the site you're visiting. In reality, your data is being sent to a third party. Worse, this technique can accidentally send your login session cookies to the tracker.

5. Cross-Device Tracking

If you're logged into the same service on your phone and laptop (Google, Facebook, Amazon), they can link your browsing across both devices. Some companies use ultrasonic beacons - inaudible sounds played through ads on your TV or laptop that your phone's microphone picks up, linking the devices without any login required.

6. Server-Side Tracking

The newest evolution. Instead of running tracking code in your browser (where ad blockers can intercept it), the website's server collects your data and sends it directly to the advertising platform server-to-server. Your browser never sees the tracking request, so it can't be blocked by any browser extension.

The Privacy Compromise

All of these methods combine to create a detailed profile of who you are, what you read, what you buy, where you go, and what you're interested in. This data is bought and sold through ad exchanges in real-time auctions that happen in the milliseconds while a page loads.

Individually, each piece of data seems harmless. Together, they form a profile that can reveal:

• Health conditions (from sites you visit)
• Political views (from articles you read)
• Financial status (from products you browse)
• Relationship status and sexual orientation
• Your daily routine and physical location

This data doesn't just stay with advertisers. Data brokers aggregate and resell it. It's been used in insurance decisions, employment screening, and has been exposed in multiple data breaches.

What Actually Helps

No single tool blocks everything, but layering protections makes a significant difference:

• Ad blocking stops the most obvious trackers and prevents malvertising. It's the single most effective step you can take.
• Cookie auto-rejection prevents third-party cookies from building cross-site profiles.
• Tracker stripping removes tracking parameters from URLs before they load (those ?utm_source= and ?fbclid= tags).
• CNAME cloaking detection identifies when "first-party" subdomains are secretly redirecting to known tracking companies, and blocks them before your data leaves.
• Fingerprint scrambling adds subtle noise to Canvas, WebGL, and AudioContext data so each site sees a slightly different device profile. This defeats both browser fingerprinting AND server-side tracking - even when the server forwards your data to ad platforms, the fingerprint it sends is randomised and useless for cross-site identification.

Five layers of FDat!

FDat! Privacy Tool combines ad blocking, tracker stripping, and cookie rejection in a single extension - the three biggest attack surfaces handled without configuring anything.

In 2025 we implemented our unique Smart Routing feature, but that didn't help with everyday browsing, so we beefed it up with Fingerprint Shield and CNAME cloaking detection.
Fingerprint Shield scrambles your browser's identifying signals so trackers can't build a consistent profile across sites - and because the scrambled data is what gets sent to first-party servers, it also undermines server-side tracking.
CNAME detection uses constantly updated blocklists of known cloaked domains to catch trackers that disguise themselves as first-party requests.