
LNKR Continues Attacks into the Holiday Season


The PerimeterX Research Team recently discovered a string of incidents tied to LNKR. First discovered by researchers in 2016, LNKR made a comeback this summer and is continuing to attack websites going into the holiday season.

For the complete details, please read the technical research blog by Ben Baryo.

What is LNKR?

LNKR is a type of malware that is delivered through Chrome browser extensions. It adds JavaScript to web pages that can track browser activity and replace existing ads with its own, possibly malicious, ads. Bad actors use this to generate revenue or to track user behavior. For example, LNKR malware can replace Google search results or replace existing ad elements and iframes on a page with its own ads. LNKR is more advanced than an average ad injection extension: it can also inject JavaScript code into the site itself, on pages where the user has write access, such as a product or check-out page. This means any user who visits the page in the future, whether they have a LNKR browser extension or not, will experience the changes previously made on the page.

What is a Browser Extension?

Browser extensions are small software programs, built with technologies such as JavaScript, HTML or CSS, that are designed to add specific functionality to standard web browsers. There are hundreds of thousands of extensions available for every popular browser. Coupon savings extensions, productivity tools, password managers, and helpful collaboration tools are some of the most popular, with millions of downloads and active users.

The Impact to E-commerce Business and Shoppers

There are hundreds of thousands of browser extensions. Some are malicious and bring malware with them, which can pose serious threats to both privacy and security.

When visiting a site, a consumer expects a smooth and trusted experience, but malicious ads and malware can result in the exact opposite. The average consumer typically doesn’t understand what they are getting when they add an extension to their browser. They believe malicious ads and malware come from the site owner - a belief that can really damage the site’s brand reputation.

The malware downloaded on the shopper’s browser follows them as they browse the internet. When visiting other sites in the future, the malware shows up, further interrupting their experience. Since much of this behavior happens on the client side, website owners have no visibility into any of it.

Take These Steps Before You Become a Target for Attackers

Online shoppers should audit their current Chrome browser extensions and uninstall any suspicious ones. It’s important to stay cautious and look for warning signs when downloading extensions in the future. Start by checking the popularity of an extension, including its number of users and reviews. Extensions with only a few hundred users, and few or no reviews, should be considered suspicious. Users should also pay close attention to the permissions an extension requests. If it requires any privileged access, such as to read or change data, or access to a broad set of sites one visits, it might be best to pass. Consumers should also keep their browsers updated and use anti-virus and endpoint security solutions.
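
The permission check described above can be automated. The following is an added example, not PerimeterX code: it reads an extension's manifest.json and flags requests to read or change data on all sites. The manifests are constructed samples, and the list of sensitive API permissions is an assumption made for illustration.

```javascript
// Added example: audit Chrome extension manifests for broad access requests.
// Match patterns that grant access to every site.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
// API permissions worth a closer look (an illustrative review list, an assumption).
const SENSITIVE_APIS = new Set(["tabs", "webRequest", "webRequestBlocking",
  "scripting", "cookies", "history"]);

function auditManifest(manifestJson) {
  const m = JSON.parse(manifestJson);
  const findings = [];
  // Manifest V2 lists host patterns under "permissions"; V3 uses "host_permissions".
  const declared = [...(m.permissions || []), ...(m.host_permissions || [])];
  for (const p of declared) {
    if (BROAD_HOSTS.has(p)) findings.push(`host access to all sites: ${p}`);
    else if (SENSITIVE_APIS.has(p)) findings.push(`sensitive API: ${p}`);
  }
  // Content scripts are how an extension adds JavaScript to the pages you visit.
  for (const cs of m.content_scripts || []) {
    if ((cs.matches || []).some((pattern) => BROAD_HOSTS.has(pattern))) {
      findings.push(`content script runs on all sites: ${(cs.js || []).join(", ")}`);
    }
  }
  const broadAccess = findings.some((f) => !f.startsWith("sensitive API"));
  const risk = broadAccess ? "high" : findings.length > 0 ? "medium" : "low";
  return { name: m.name, risk, findings };
}

// Constructed sample manifests (hypothetical extensions, not real ones).
const SAMPLE_MANIFESTS = [
  { manifest_version: 2, name: "Coupon Helper (sample)",
    permissions: ["tabs", "<all_urls>"],
    content_scripts: [{ matches: ["http://*/*", "https://*/*"], js: ["inject.js"] }] },
  { manifest_version: 3, name: "Notes Clipper (sample)",
    permissions: ["storage"],
    host_permissions: ["https://notes.example.com/*"] },
  { manifest_version: 3, name: "Cart Saver (sample)",
    permissions: ["cookies"],
    host_permissions: ["https://shop.example.com/*"] },
].map((manifest) => JSON.stringify(manifest));

for (const json of SAMPLE_MANIFESTS) {
  const { name, risk, findings } = auditManifest(json);
  console.log(`${risk.toUpperCase().padEnd(6)} ${name}`);
  for (const f of findings) console.log(`       - ${f}`);
}
```

A high rating is not proof of malice, since many legitimate extensions request the same access; it marks the extensions that deserve the closer look at users, reviews and purpose described above.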

Website owners should look for solutions that can actively detect, manage and block malicious browser extensions on the client side. Any solution that is put in place needs to have customizable actions and give the site owner granular control to block or allow extensions according to business needs. The solution should be easy to deploy and work across all browsers - ideally as a single snippet of JavaScript that can be dropped into a web application template. It can’t slow down page loads or interfere with any calls for third-party JavaScript services such as shopping carts or payment engines. An ideal solution will handle the dynamic nature of browser extensions using machine learning that can study how the JavaScript extensions behave and then block those behaviors based on known patterns.

For more information on protecting your digital business from browser extensions, read The Hidden Threat to Your Website Conversions white paper.

Cybersecurity researchers at PerimeterX continue to investigate application security technologies to make the online experience safer for users. To stay updated on emerging threat research, subscribe to the PerimeterX blog.
