LNKR


Posted: May 7, 2020

LNKR is a corrupted browser extension that monitors the user's Web-browsing history for monetization purposes. LNKR may also self-propagate by inserting its code into user-edited Web pages and use these scripts for a range of additional, JavaScript-based attacks. Users should remove LNKR extensions immediately through dedicated anti-malware tools and double-check any pertinent Website code for potential tampering.

Browser Spies Moonlighting as Website Editors

The humble browser extension can range from an ad-blocker or a wishlist tool to nuisances like MapBeast Ads or, in the worst case, a security risk that's no different from any Trojan. LNKR, a member of that last category, is an extension-based form of spyware that tracks the user as they surf the Web. What makes LNKR different from most threats that our malware researchers catch doing similar reconnaissance is its extra injection features, which make it a de facto Web page editor.

LNKR is a Chrome extension, a la RespectSale Ads, FlashFree, and countless others. It tracks both the Websites the user visits and the user's interactions with advertising overlays, presumably so that it can edit pages by injecting third-party affiliate content for its threat actor. The injected content is JavaScript, with most abuses involving unwanted advertisements and similar monetizations. However, JavaScript is also viable for a range of other functions and possible attacks. Possibilities include drive-by-downloads of different threats and the non-consensual use of cryptocurrency miners.

By far, LNKR's most intriguing feature is a subset of its JavaScript injection that may also target Web pages that the user has write access to for editing purposes. With such an attack, LNKR could insert its affiliate content, even including promotional links for itself, into Web pages that the user is responsible for maintaining. For now, malware experts only see LNKR using JavaScript related to its personally-monetized campaign. However, there are no hard restrictions on the JavaScript content that it can forcibly display through either method, whether to the first victim or to further victims browsing the first one's Website.

Curating Your Browsing Experience for Everyone's Safety

Infection techniques for the LNKR extension are, thankfully, well-known. The threat uses a range of different Chrome extensions (malware analysts can't yet confirm any variants ported to other browsers) to hide itself behind helpful services and solicit downloads. In some cases, the campaigns successfully compromised legitimate resources like the official Chrome Web Store. Users can check reviews for suspicious history and should always scan their downloads with proper security software before opening or installing them.

Website administrators and owners also have unique responsibilities concerning LNKR attacks. For smaller Websites, users may identify LNKR's JavaScript additions by sight. Where this is impractical, both free and premium tools exist for identifying corrupted Web page code, and, as always, the existence of recent backups will serve as an optimal rollback strategy.
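As an added illustration of the page-code check described above (example code written for this article, not taken from any LNKR analysis or vendor tool), the following Python sketch compares a page against a known-good backup and reports scripts that are new or that load from hosts outside an allowlist. The host names, the allowlist, and the sample pages are constructed placeholders, not LNKR indicators.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from one page."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src.strip())
            else:
                self._buf = []  # inline script: start capturing its body
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip()
            if body:
                self.inline.append(body)
            self._buf = None

def collect(html):
    c = ScriptCollector()
    c.feed(html)
    c.close()
    return c

def audit(current, backup, site_host, allowed_hosts):
    """Findings for scripts missing from the backup or loaded from a host off the allowlist."""
    cur, old, findings = collect(current), collect(backup), []
    for src in cur.external:
        host = (urlparse(src).hostname or site_host).lower()  # relative URL: own host
        if src not in old.external:
            findings.append(("external script not in backup", src))
        if host != site_host and host not in allowed_hosts:
            findings.append(("script host not allowlisted", host))
    for body in cur.inline:
        if body not in old.inline:
            findings.append(("inline script not in backup", body[:60]))
    return findings

# Constructed sample pages; all host names are placeholders, not LNKR indicators.
BACKUP = ('<head><script src="/js/app.js"></script><script src="https://cdn.example.net/lib.js">'
          '</script></head><body><script>initMenu();</script></body>')
CURRENT = BACKUP.replace("</body>", '<script src="//widgets.example.org/loader.js"></script>'
                                    '<script>trackClicks();</script></body>')
```

Calling `audit(CURRENT, BACKUP, "www.example.com", {"cdn.example.net"})` reports the added external script, its non-allowlisted host, and the added inline script, while an unchanged page yields no findings.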

While browsing the Web, users can deactivate JavaScript by default through appropriate security features and add-ons, which will mitigate the immediate risks from LNKR. However, they also should remove LNKR from their browsers with a trusted anti-malware service.

A browser extension that's making money off the backs of unwitting Web surfers isn't a new phenomenon, but LNKR goes to impressive lengths for its money. Its two-pronged strategy is a good reason for investing in cyber-security with a holistic mindset, since what affects even just one user makes ripples throughout the Web.