LNKR is malware that uses browser extensions for Chrome to track browsing activities of users and overlay ads on legitimate sites. Using extensions to add code that executes in a user's browser is a common and lucrative monetization technique on the internet, where spyware, adware, and other browser-based nuisances have thrived since the early days.
Seeing the Cyber Threat
RiskIQ crawlers don't install extensions, but the data we collect from our global discovery platform gives us unique insight into the LNKR threat. We can use known LNKR command and control (C2) domains and our Host Pairs data set, to determine if there was any inventoried infrastructure making calls to these C2 domains
Host pairs are unique relationships between pages that are observed by RiskIQ when we crawl a web page. Each pair has a direction of child or parent and a cause that outlines the relationship connection. These values provide insight into redirection sequences, dependent requests, or specific actions within a web page when it loads. What makes this data set powerful is the ability to understand relationships between hosts based on details from visiting the actual page.
Sure enough, we identified a trove of sites that had child requests making calls to LNKR C2 servers. After reviewing these sites, we found that the domains, as well as the format of the requests, matched LNKR. We were then able to determine if any of the affected parent websites existed within any of our customers' digital asset inventory, which proved beneficial to them.
Preventing the Cyber Threat
RiskIQ has the data to identify unique cutting edge attacks and the tools to comb through and assess the impact of previously unknown compromises. This ability is a distinct advantage for our customers, and paired with the ability to proactively monitor for changes in our customer's websites with JS Threats, RiskIQ is a critical piece of defense against external cyber threats.