Netskope named a Leader in the 2024 Gartner® Magic Quadrant™ for Security Service Edge. Get the report

close
magnifying glass
Get Started
magnifying glass
Support
chevron
Support Language
close
  • Why Netskope chevron

    Changing the way networking and security work together.

  • Our Customers chevron

    Netskope serves more than 3,000 customers worldwide including more than 25 of the Fortune 100

  • Our Partners chevron

    We partner with security leaders to help you secure your journey to the cloud.

Still Highest in Execution.
Still Furthest in Vision.

Learn why 2024 Gartner® Magic Quadrant™ named Netskope a Leader for Security Service Edge the third consecutive year.

Get the report
Netskope Named a Leader in the 2024 Gartner® Magic Quadrant™ for Security Service Edge graphic for menu
We help our customers to be Ready for Anything

See our customers
Woman smiling with glasses looking out window
Netskope’s partner-centric go-to-market strategy enables our partners to maximize their growth and profitability while transforming enterprise security.

Learn about Netskope Partners
Group of diverse young professionals smiling
Your Network of Tomorrow

Plan your path toward a faster, more secure, and more resilient network designed for the applications and users that you support.

Get the white paper
Your Network of Tomorrow
Introducing the Netskope One Platform

Netskope One is a cloud-native platform that offers converged security and networking services to enable your SASE and zero trust transformation.

Learn about Netskope One
Abstract with blue lighting
Embrace a Secure Access Service Edge (SASE) architecture

Netskope NewEdge is the world’s largest, highest-performing security private cloud and provides customers with unparalleled service coverage, performance and resilience.

Learn about NewEdge
NewEdge
Netskope Cloud Exchange

The Netskope Cloud Exchange (CE) provides customers with powerful integration tools to leverage investments across their security posture.

Learn about Cloud Exchange
Netskope video
Explore Borderless SD-WAN
The platform of the future is Netskope

Intelligent Security Service Edge (SSE), Cloud Access Security Broker (CASB), Cloud Firewall, Next Generation Secure Web Gateway (SWG), and Private Access for ZTNA built natively into a single solution to help every business on its journey to Secure Access Service Edge (SASE) architecture.

Go to Products Overview
Netskope video
Next Gen SASE Branch is hybrid — connected, secured, and automated

Netskope Next Gen SASE Branch converges Context-Aware SASE Fabric, Zero-Trust Hybrid Security, and SkopeAI-powered Cloud Orchestrator into a unified cloud offering, ushering in a fully modernized branch experience for the borderless enterprise.

Learn about Next Gen SASE Branch
People at the open space office
Designing a SASE Architecture For Dummies

Get your complimentary copy of the only guide to SASE design you’ll ever need.

Get the eBook
Go to Solutions Overview
Go to Solutions Overview
Go to Solutions Overview
Go to Industries Overview
Make the move to market-leading cloud security services with minimal latency and high reliability.

Learn about NewEdge
Lighted highway through mountainside switchbacks
Safely enable the use of generative AI applications with application access control, real-time user coaching, and best-in-class data protection.

Learn how we secure generative AI use
Safely Enable ChatGPT and Generative AI
Zero trust solutions for SSE and SASE deployments

Learn about Zero Trust
Boat driving through open sea
Netskope achieves FedRAMP High Authorization

Choose Netskope GovCloud to accelerate your agency’s transformation.

Learn about Netskope GovCloud
Netskope GovCloud
  • Resources chevron

    Learn more about how Netskope can help you secure your journey to the cloud.

  • Blog chevron

    Learn how Netskope enables security and networking transformation through security service edge (SSE)

  • Events and Workshops chevron

    Stay ahead of the latest security trends and connect with your peers.

  • Security Defined chevron

    Everything you need to know in our cybersecurity encyclopedia.

Security Visionaries Podcast

How to Use a Magic Quadrant and Other Industry Research
In this episode Max Havey, Steve Riley and Mona Faulkner dissect the intricate process of creating a Magic Quadrant and why it's much more than just a chart.

Play the podcast
How to Use a Magic Quadrant and Other Industry Research podcast
Latest Blogs

Read how Netskope can enable the Zero Trust and SASE journey through security service edge (SSE) capabilities.

Read the blog
Sunrise and cloudy sky
SASE Week 2023: Your SASE journey starts now!

Replay sessions from the fourth annual SASE Week.

Explore sessions
SASE Week 2023
What is Security Service Edge?

Explore the security side of SASE, the future of network and protection in the cloud.

Learn about Security Service Edge
Four-way roundabout
  • Company chevron

    We help you stay ahead of cloud, data, and network security challenges.

  • Leadership chevron

    Our leadership team is fiercely committed to doing everything it takes to make our customers successful.

  • Customer Solutions chevron

    We are here for you and with you every step of the way, ensuring your success with Netskope.

  • Training and Certification chevron

    Netskope training will help you become a cloud security expert.

Go to Customer Solutions
Netskope Training
Supporting sustainability through data security

Netskope is proud to participate in Vision 2045: an initiative aimed to raise awareness on private industry’s role in sustainability.

Find out more
Supporting Sustainability Through Data Security
Thinkers, builders, dreamers, innovators. Together, we deliver cutting-edge cloud security solutions to help our customers protect their data and people.

Meet our team
Group of hikers scaling a snowy mountain
Netskope’s talented and experienced Professional Services team provides a prescriptive approach to your successful implementation.

Learn about Professional Services
Netskope Professional Services
Secure your digital transformation journey and make the most of your cloud, web, and private applications with Netskope training.

Learn about Training and Certifications
Group of young professionals working

Lnkr Makes a Comeback – This Ad’s For Us

Jul 10 2020
By Ashwin Vamshi

Previously Netskope Threat Labs published a blog post about a Lnkr ad injector campaign launched using Google Chrome extensions. As Figure 1 illustrates, the number of Lnkr infections spiked dramatically in November 2019 and again in the spring of 2020, when Brian Krebs uncovered information about the source of the infected Chrome extensions. Today, we’re revisiting the Lnkr adware because:

  1. We have observed a rise in the number of Lnkr infections starting in May and continuing through June, indicating that newly infected Chrome extensions are appearing again.
  2. We have identified new web pages that were infected with Lnkr and identified the root cause to be a form of fanout, where an infected user infects a webpage when they edit it.
  3. We have identified 155 new domains hosting Lnkr that are associated with these new extensions and infected websites.
Graph showing recent spikes in ad injector infected users
Figure 1: Ad injector infected users

Infected users

The latest rise of infected users began in early May and continued through the month of June. As was the case in the previous two spikes, only Google Chrome users were affected. The infected extensions inject trackers and ads into the user’s web traffic, including online banking portals and intranet sites, giving the attackers detailed visibility into an infected user’s browsing habits.

The infection occurs when a user installs an infected extension. This might happen when:

  • The user installs a new extension that is infected.
  • The user updates to the latest version of an already installed extension that is newly infected.

We also have evidence from external sources supporting that Lnkr infections are widespread. ESET’s Q1 Report lists hardyload[.]com as one of the top 10 malicious blocked domains. This Lnkr domain ranks second in our list, behind only brounelink[.]com. An excerpt of this report is shown in Figure 2. 

List of top 10 blocked Malware, Scam, and Phishing domains in Q1 2020 from ESET
Figure 2: hardyload[.]com listed as the top 10 blocked malicious domain

We also found brounelink[.]com to be the primary domain used in a widespread infection affecting school students. A Google Chrome support post stated, “Students were unable to access shared documents, watch embedded videos, save work in Google drive, and use Google Hangouts. Once allow listed, www.brounelink[.]com in Trend, all the problems went away.” An excerpt of the article is shown in Figure 3.

Screenshot of Google Chrome help section article about brounelink[.]com
Figure 3: Google Chrome help section article about brounelink[.]com

Infected web pages

Netskope Threat Labs have identified more than 1,500 web pages that were infected with Lnkr. There are several ways a website might become infected with Lnkr. For example, the owner of the website might deliberately include the code for monetization, or a developer might accidentally infect the website if they themselves are infected. We found multiple examples of websites that were accidentally infected. In one example, a Marketo webpage was accidentally infected when an infected user edited the webpage and the infected Chrome Extension injected the Lnkr code into the HTML they were editing. They saved their changes, which included the Lnkr code, and published it to the website.

These accidental infections follow a similar pattern to our October 2019 post showing how GitHub Pages sites became infected with Ramnit. In the Ramnit case, the culprit was a file infector that infected the files in a GitHub repository. In the Lnkr case, an infected Chrome extension injected the Lnkr script into web pages that were being edited in the browser.

This ad’s for us

Netskope Threat Labs analyzed more than 1000 Lnkr ad injector scripts, including the scripts hosted on the 155 new domains we identified, and found that they all referenced the same domain: thisadsfor[.]us, as shown in Figure 4.

Optional advertisements message template containing the domain thisadsfor[.]us
Figure 4: Optional advertisements message template containing the domain thisadsfor[.]us

As described in Brian Krebs’s article, the domain thisadsfor[.]us is registered to Frank Medison (Email – frankomedison1020@gmail[.]com), who has also been tied to similar websites related to dodgy toolbars, add ons, and extensions. The references to thisadsfor[.]us in all of the new domains we identified indicates that this is either the work of the same actor or a new actor that has borrowed from the earlier work without making any significant changes.

Conclusion

The development of the Lnkr campaign is active and still ongoing. Netskope Threat Labs recommends you:

  • Audit the extensions installed in your Chrome browser at chrome://extensions and remove any affected extensions
  • Search your website for the domains listed at the end of the post and remove any scripts or links that reference them.
  • Block the domains listed at the end of this post.

Indicators of compromise

Updated set of Lnkr Urls( Including the 155 new domains)

thisadsfor[.]us

plusdroop[.]net

coolpagecup[.]com

cooljorrd[.]com

platewolf[.]com

nightroi[.]com

bugdepromo[.]com

tracksmall[.]com

jaramyouk[.]org

marryjoy[.]net

ideafrank[.]com

rayanplug[.]xyz

signagetop[.]org

transmapp[.]com

magictraps[.]com

protrois[.]com

craftprimes[.]com

cilkonlay[.]com

pagescr[.]cool

jobsaddy[.]xyz

mikkymax[.]com

donewrork[.]org

cozytech[.]biz

minisrclink[.]cool

clipsold[.]com

criticalltech[.]com

vildlonger[.]com

dashvintage[.]biz

toolsmagick[.]com

linkpowerapp[.]com

extnetcool[.]com

darkflags[.]net

crisgrey[.]com

peterjonny[.]com

mobiclean[.]xyz

linkojager[.]org

higedev[.]cool

cloffext[.]com

flexylincks[.]com

miniklixk[.]org

protesidenext[.]com

outsource[.]cool

golinkapp[.]com

remaideout[.]com

oilcloze[.]com

roxlock[.]com

dimagesrc[.]com

brounelink[.]com

autroliner[.]com

klarittyjoy[.]com

cdn-mxpnl[.]com

www[.]billyjons[.]net

modelwork[.]org

madelinkapp[.]com

jonysource[.]com

qwentyextext[.]com

loidjony[.]net

miragecall[.]com

browfileext[.]com

nextextlink[.]com

ciclonrox[.]com

proghage[.]com

peterfire[.]net

mabydick[.]com

cybertransfer[.]net

returnweb[.]org

srctestlink[.]com

linksource[.]cool

acountscr[.]cool

tribedone[.]org

licupexthis[.]com

yourrecovery[.]net

genyhome[.]com

clicksapp[.]net

drivemute[.]net

loudfire[.]net

miragework[.]com

linkproext[.]com

cdnclntr[.]com

lowffdompro[.]com

rockypride[.]com

amptylogick[.]com

petercontry[.]net

vibeclimate[.]com

appslinker[.]net

meextffcon[.]com

contendevff[.]com

printapplink[.]com

smackbolt[.]com

artistickplan[.]com

blinkloide[.]com

hardyload[.]com

www[.]proudflex[.]org

blancfox[.]com

milkpload[.]net

loudsjack[.]com

biglinksrc[.]cool

manextdev[.]com

slickfluide[.]com

polinaryapp[.]com

clarklordy[.]com

wellgolink[.]com

cannotjojeph[.]com

proudflex[.]org

serenityart[.]biz

highmakeext[.]com

permissnew[.]com

mirextpro[.]com

addonfiles[.]com

fourgekross[.]com

lokimtogo[.]xyz

ratexchange[.]net

poligloteapp[.]org

lisegreen[.]biz

cardinaldata[.]net

fileryjon[.]com

caplinkff[.]com

statsrc[.]cool

lifebounce[.]net

proxdevcool[.]com

goldapps[.]org

nowexttype[.]com

dataanalytic[.]biz

shopstorys[.]com

mirakay[.]biz

cloneclicks[.]com

makesure[.]biz

screensrc[.]com

colextidapp[.]com

kellysford[.]com

jsfuel[.]com

simonzody[.]com

srclinkapp[.]biz

brigstoneapp[.]com

foundfax[.]com

www[.]killssource[.]com

linkangood[.]com

joshtower[.]net

treestarys[.]com

taiwanbike[.]com[.]tw

newholynursinghome[.]com

billyjons[.]net

hugoclose[.]com

interjoan[.]com

cosmeticsrc[.]com

lonelyfix[.]com

scrextdow[.]com

dogsamily[.]net

blinkjork[.]com

qualityprimes[.]com

singlactive[.]com

loungesrc[.]net

storysrc[.]com

madeapplink[.]com

windinspext[.]com

icontent[.]us

massehight[.]com

soursejone[.]com

richhamond[.]com

dowlextff[.]com

plankjock[.]com

promlinkdev[.]com

killssource[.]com

clickwoob[.]net

joyshoul[.]com

makesource[.]cool

sysfileff[.]com

worldmodel[.]biz

domtopro[.]com

gullyclock[.]com

jaretsummer[.]com

amytroy[.]com

practiclick[.]xyz

ffpanelext[.]com

untsorce[.]cool

trableflick[.]com

comtakelink[.]xyz

psatgeremy[.]com

singtraff[.]cool

jonyplus[.]com

worksrc[.]cool

frimeduble[.]com

programdiag[.]com

evenffext[.]com

countmake[.]cool

mikkiload[.]com

zoudlogick[.]net

qalitygigant[.]com

extcoolff[.]com

giraslide[.]com

jackyhillty[.]net

workdevapp[.]com

crisdomson[.]com

rasenalong[.]com

browlinkdev[.]xyz

appmakedev[.]xyz

groproext[.]com

countsource[.]cool

profflinkgo[.]com

domclickext[.]xyz

extcuptool[.]com

scrlink[.]cool

cloudesky[.]com

meginaflight[.]com

pingclock[.]net

datapro[.]website

onlinekey[.]biz

netstats[.]space

joyglasses[.]net

mixappdev[.]com

devappstor[.]com

sourcelog[.]cool

actextdev[.]com

primalsuper[.]com

clogitec[.]com

cdnanalytics[.]xyz

extnotecat[.]com

trafficpage[.]cool

statcounter[.]biz

promclickapp[.]biz

clicksource[.]cool

1018433480[.]rsc[.]cdn77[.]org

1480876790[.]rsc[.]cdn77[.]org

blickkeily[.]com

captiontxt[.]com

clonyjohn[.]com

closemike[.]com

dataprovider[.]website

dismagic[.]com

jonyclose[.]com

larickway[.]com

leaderdigital[.]org

longsrc[.]com

masyclick[.]com

pagevalidation[.]space

prilapptime[.]com

renetteapp[.]com

shortyclubs[.]com

skillapp[.]net

sourcebig[.]cool

die-rheinische-affaire[.]de

thrillingos[.]herokuapp[.]com/mozilla/best-ytb-down/content/analytics

s3[.]amazonaws[.]com/cashe-js

s3[.]amazonaws[.]com/js-cache

s3[.]amazonaws[.]com/js-static

s3[.]amazonaws[.]com/jscache

s3[.]amazonaws[.]com/jsfile

s3[.]amazonaws[.]com/jscriptcdn

www[.]klarittyjoy[.]com

pslinker[.]net

transfer[.]net

pmakedev[.]xyz

ribedone[.]org

ngtraff[.]cool

arklordy[.]com

kyhillty[.]net

flinkdev[.]com

clickext[.]xyz

rcuplink[.]xyz

tapplink[.]com

onewrork[.]org

lytics[.]tools

linksrc[.]cool

ftprimes[.]com

eeforced[.]com

licksapp[.]net

fflinkgo[.]com

aplinkff[.]com

rldmodel[.]biz

urcelog[.]cool

olinkapp[.]com

enityart[.]biz

ounelink[.]com

senalong[.]com

powerapp[.]com

ider[.]group

oungesrc[.]net

< Threat Labs
Next Story >
< Back
Next >
author image
Ashwin Vamshi
Ashwin Vamshi is a Security Researcher with innate interest in targeted attacks and malwares using cloud services. He is primarily focusing in identifying new attack vectors and malwares, campaigns and threat actors using ‘cloud as an attack vector.’
Read More
More Articles by Ashwin Vamshi
Read full Bio
More articles

Related Articles

card shape
Threat Labs

Netskope Threat Labs Stats for March 2024

By Leandro Fróes
chevron Read the blog
card shape
Threat Labs

Netskope Threat Coverage: Evil Ant Ransomware

By Ghanashyam Satpathy
chevron Read the blog
card shape
Threat Labs

Cloud Threats Memo: Multiple Legitimate Cloud Storage Services Exploited to Target Israeli Organizations

By Paolo Passeri
chevron Read the blog
Show More

Stay informed!

Subscribe for the latest from the Netskope Blog