Also known as: Adware.Spigot, MacOS:Spigot
Platform: Windows, macOS
Variants: MACOS:Spigot-AY and multiple others (usually named adware/osx.spigot.[variant] or Adware.Spigot.[variant])
Damage potential: Browser interference (including redirects), changing the user’s home or new tab pages, ads injected into web pages, frequent pop-ups, theft of sensitive information, installation of undesirable software, malware infection.
Spigot is a type of adware that is often bundled with files downloaded from disreputable or compromised websites. When you run the downloaded file, Spigot secretly installs unwanted browser extensions or additional software to display intrusive advertisements on your device and potentially track your data. Ads served by Spigot can lead you to web pages containing scams or more malware.
Spigot tries to hide the unwanted software it installs behind known brands or legitimate-sounding names — for example, Spigot browser extensions may be called “Amazon shopping assistant” or “eBay shopping assistant.” Spigot will also typically change your default search engine, home page, and new tab page. In all cases, users will notice a marked increase in pop-ups and scammy web ads.
Other possible indicators of a Spigot infection include:
- Your browser goes through multiple redirects when loading pages.
- Your device starts to heat up due to background processes.
- You notice third-party software that you don’t remember installing.
- Specific keywords in websites are automatically hyperlinked to third-party sites.
- Malicious ads are embedded in the infected browser to redirect you to promotional, dating, or pornography sites.
- Banners for the same products appear uniformly across all websites.
- Your device periodically sends data to unknown remote servers (Spigot is uploading victim information to its handlers).
Sources of the infection
Spigot is most often downloaded by the unwitting victim looking for freeware. To lure in victims, the apps or browser extensions hiding Spigot promise useful features, such as expanded search or download management functionality. Spigot may also be bundled with legitimate software downloaded from disreputable or compromised websites.
Your device may also get infected with Spigot from:
- Infected files shared through messaging platforms or SMS.
- Infected files downloaded from cloud storage or online repositories.
- Drive-by downloading (malicious scripts on compromised websites that force your device to automatically download malware when the page loads).
- Peer-to-peer (P2P) sharing of infected files.
- Infected external devices, such as hard drives or USB sticks.
To protect yourself against Spigot, you need to form good cybersecurity habits. Do not download files from suspicious websites, and learn to scan each download for malware before you open it. When possible, opt for a custom installation to unselect undesirable elements (such as unwanted browser extensions) and read each installation prompt carefully. In addition, verify the legitimacy of each browser extension you want to install — do not just blindly trust its name.
Other protective measures include:
- Avoid potentially dangerous websites, like dark web pages or torrent repositories. These websites may host infected files or attempt to install malware (including Spigot) on your device as soon as you open them.
- Do not open unverified attachments in emails or messaging apps, even from trusted contacts. Scanning these attachments with anti-malware tools may reveal hidden spyware or adware.
- Use NordVPN’s Threat Protection to scan programs and files for malware while they’re being downloaded. Threat Protection will also alert you if you’re about to enter a known infected website to prevent drive-by-download attacks.
To get rid of Spigot, you need to remove the installed browser extensions and software from your device. Spigot removal may be done manually or by using a reputable anti-malware app.
Keep in mind that Spigot may have installed itself on multiple browsers, so check each one you use for suspicious changes.
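To support the advice above about verifying each extension and checking every browser, here is an added example (not part of the original page or any vendor's tooling) that inventories the extensions in one Chromium-based browser profile. It assumes the Chromium on-disk layout `Extensions/<id>/<version>/manifest.json`; the folder path is supplied by the caller, and the name pattern is built only from the two example names this page cites, so a match is a prompt for manual review rather than proof of infection.

```python
import json
import re
from pathlib import Path

# Built from the example names cited on this page (assumption: not a complete list).
REVIEW_NAMES = re.compile(r"\b(amazon|ebay) shopping assistant\b", re.IGNORECASE)


def _display_name(version_dir: Path, manifest: dict) -> str:
    """Resolve a localized name such as __MSG_appName__ through _locales."""
    name = str(manifest.get("name", ""))
    placeholder = re.fullmatch(r"__MSG_(\w+)__", name)
    if not placeholder:
        return name
    locale = str(manifest.get("default_locale", "en"))
    path = version_dir / "_locales" / locale / "messages.json"
    try:
        messages = json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return name  # keep the raw placeholder if the locale file is unusable
    for key, entry in messages.items():  # message keys are case-insensitive
        if key.lower() == placeholder.group(1).lower() and isinstance(entry, dict):
            return str(entry.get("message", name))
    return name


def audit_extensions(extensions_dir):
    """Return one record per installed extension version in a profile's Extensions folder."""
    records = []
    for manifest_path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest
        if not isinstance(manifest, dict):
            continue
        name = _display_name(manifest_path.parent, manifest)
        records.append({
            "id": manifest_path.parent.parent.name,  # folder name is the extension ID
            "name": name,
            "version": manifest.get("version", ""),
            "permissions": manifest.get("permissions", []),
            "review": bool(REVIEW_NAMES.search(name)),  # name matches a cited example
        })
    return records
```

Run it once per browser profile and compare the returned IDs and permissions against the extensions you knowingly installed. Browsers that are not Chromium-based store extensions differently and are outside this sketch.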