Netskope Advanced Threat Protection recently detected ads being injected into web traffic of multiple users. The source of these ad injections is a Javascript ad injector commonly known as Lnkr. In this blog post, we will provide an overview of Lnkr, a list of all the URLs we have uncovered that are hosting the Lnkr Javascript, and identify the source of the injections.
Lnkr Ad Injector
Lnkr is family of adware that injects ads into websites that a user visits. Lnkr has previously been found in browser plugins, standalone Windows adware applications, rootkits, Android packages, and even directly included on some websites. The most common active distribution vector is browser extensions that inject ads into all of the user’s web traffic.
Discovery
The Lnkr campaign began in early September and continues through the time of this writing. We were first alerted to the campaign when our Outbreak Detection System found ads being injected into websites that do not commonly serve ads, including online banking portals and internal websites.
Disclosures
On 5 December 2019, we notified Amazon of the Lnkr scripts hosted in AWS S3.
Customer Alert
Customers using Netskope’s Next-Gen SWG are protected from the injected ads. Affected customers will see alerts in their Netskope Skope IT console that contain URLs like the following:
http://nextextlink[.]com/metric/?mid=&wid=51824&sid=&tid=7501&rid=LOADED&custom1=[redacted]&custom2=[redacted]&t=1569547496304
The URL contains one of the domains listed at the end of this post and tracking information from the website where the ads are injected.
Netskope users will be able to recognize Lnkr infections, because an infected user will typically have a very high volume of alerts for one of the URLs listed at the end of this post.
Mitigation
Because the most common active distribution vector is Chrome extensions, we recommend removing all Chrome extensions on an affected system and doing a fresh install of Chrome. If the infection persists, the system might be infected with other malware that bundles the adware.
Lnkr Analysis
The Lnkr Javascript is either directly included by a website or injected by the adware, as seen in Figure 1.
Figure 1: Website with Lnkr script
Though analytics.js, lknr5.js and lnkr30_nt.js are related to Lnkr, the main activity is carried out by the ‘analytics.js’ file in the snippet shown in Figure 1.
Upon visiting the webpage, the following actions take place:
- A jsonp request is launched in the format /optout/get?jsonp=__twb_cb_808309138&key=1940453547ec8d17dd&t=1573556950225 as shown in Figure 2.