In 1995, Netscape, with its classic NPAPI technology, became the first browser to support extensions. Internet Explorer, Firefox, Chrome, and Opera did the same a few years later, between 1999 and 2009.
Browser extensions can be really useful for integrating non-native web browser functions, from blocking ads to getting SEO details of any websites to helping people manage their online passwords.
Since its adoption, however, attackers have used this technology to target popular browser extensions. Their aim is simple: redirect traffic, and get personal details about you or your finances.
In recent weeks, security researcher Paul Buonopane has detected unusual activity from a few web browser extensions.
This new malicious browser campaign is called lnkr, and its creators are using it to actively inject scripts into web pages via cloned/malicious browser extensions.
Recent malicious browser extensions
This campaign targets legitimate and semi-legitimate browser extensions, by cloning them, injecting them with malicious code, then distributing them across the Google Chrome Store.
The goal is to inject scripts into web pages currently browsed by the users, to redirect them to several websites such as lnkr.us and lnkr.fr that seem to be part of this malware campaign, as they appear to be fully controlled by the attackers.
Brocode, a shell company registered in Hong Kong, seems to be the company behind the code, although the attackers have left a few footprints that lead us to suspect Eastern European, likely Ukrainian or Russian, culprits may be involved, without any direct relationship to government confirmed.
Technical details behind lnkr
As we've stated, attackers began cloning legitimate Chrome extensions and injecting them with malicious scripts to redirect victims visiting seemingly harmless websites, or to cause ad injections.
Additionally, these malicious extensions have the potential to send sensitive data to command-and-control (C2) servers. These types of servers are often used by attackers to keep a channel open with the compromised systems.
Some of the C2 communications masquerade and are promoted as analytics opt-out requests, explaining to the users that the ads are used to support the development of these extensions. This isn't true: the advertising revenue doesn't go to the real extension developers at all.
Analyzing a cloned Flash Player extension
The extension analyzed was Flash Player + 1.2.0, had ID fanagokoaogopceablgmpndejhedkjjb, and was a modified version of the original one (likely an unauthorized clone of an extension of the same name, ID fnipglnbhfacfmefbgiiodalehbcgcbm). The clone was removed from the Google Web Store, while the original remains.
Affected extensions act really fast, and affect a large number of English-speaking Chrome users. As clones of legitimate ones, they get installed in thousands of browsers used by English-speaking Chrome users.
Analyzing more extensions becomes difficult as they seem to be removed quickly from the Chrome Store before they can be properly investigated. It could be the attackers who are removing them in a deliberate effort to avoid detection, or perhaps the Google Security team — researchers are unable to confirm this at this point.
Blocking the attack isn't easy either, as the attackers are using generic S3 bucket names, along with rotating C2 domain names and IP addresses spread across multiple hosting providers.
If you're interested in taking a look at the full technical attack analysis, you can review it here.
Server IPs and domain names involved
The IPs involved in this campaign were ranges from known cheap VPS/Cloud providers, such as WorldStream, Servers.com, and Hetzner:
The total amount of domain names involved discovered was around 175, and included names such as:
The SecurityTrails team started digging around a few domain names, including the main ones lnkr.us and lnkr.fr. Here's what we've found so far: Securitytrails.com/domain/lnkr.us/dns
Their main server seems to be powered by Hetzner, a popular German web hosting provider. For email management, they seem to be working with Yandex, another platform popular with eastern European citizens.
The email used to register this domain name is also related to other Ads and Chrome-based domains, such as:
While exploring the associated domains hosted on the same IP address as the main domain, we detected a lot of the same domains Buonopane noted previously in his investigation, as you see below:
On the other hand, while analyzing lnkr.fr we found it doesn't have any MX records. It seems to be responding to three different A records, all of them hosted at Hetzner as well and using multiple NS such as ns-usa.topdns.com, ns-uk.topdns.com, and ns-canada.topdns.com.
On those IPs, we found almost the same amount of websites and around 58–60 different domain names detected in the redirection caused by the malicious browser extensions.
The man behind the lnkr.us domain name
Using our domain and IP intelligence platform SurfaceBrowser™, we were able to fetch the relevant WHOIS information—and it seems to belong to a guy named Sergei Filov, from Ukraine.
While the domain owner information is never validated on any domain registrar (in other words, it could be fake) this was the only thing we found as the other domain (lnkr.fr) is using a WHOIS privacy service.
This name seems to be the same behind the linkrlab.com domain name as well.
Is there any way to safeguard against these types of malicious browser extensions?
Less is more
The best thing you can do to avoid getting exposed to malicious extensions is to reduce the number of extensions you use. Use only what you need, and remember that in the web browser world, less is more. The fewer extensions you have, the faster and safer your browser will be.
Before installing new extensions, try to find out whether other desktop apps or terminal commands can do it already. Also, a lot of the most popular browser extensions built by 3rd-party developers will sooner or later be integrated into the browser default features, so ask yourself if you can wait a couple of months.
Remove inactive extensions
Following the same 'less is more' principle, we also advise you to remove all unused/inactive browser extensions. Every extension you no longer use becomes a potential future security risk, so keep that in mind when you install any new extensions.
Having a monthly cleanup routine should be a critical part of your local PC security audit. You don't require a lot of technical knowledge to do this. Almost all browser extensions can be easily removed.
I guess I've installed a malicious browser extension. How can I remove it?
The only good thing about malicious lnkr extensions is the fact that they're installed manually — they don't trick users with 3rd-party software locks. All extensions look like legitimates ones, and therefore, users are the ones who decide to install them. That's why you can remove extensions normally, from your Chrome Web Store.
If you've identified a malicious extension, follow these instructions to remove it:
- Click on the three dots at the top right corner of your Chrome browser
- Then click on the 'More Tools' option
- Select the 'Extensions' option
- Locate the extension you want to remove
Nowadays it's almost impossible to be 100% safe when installing browser extensions because even the ones that appear legitimate, and are installed from trusted sources such as the Chrome Web Store, can be temporarily infected with malicious code.
The best advice is to avoid using browser extensions completely or to wait for the feature to be integrated with the next browser release as a native option.
Browser extensions with large open source communities tend to be well-vetted and reliable, as are commercial extensions by big companies (e.g., most big password managers and productivity tools). Entertainment-related extensions, on the other hand, are more likely to be problematic—anything related to downloading or playing media, in particular. Try to avoid anything mentioning "Flash" or "downloading."
Fortunately, you do have tools to investigate these kinds of issues when it comes to tracking the digital footprints of any malicious domain, IP, servers and DNS servers.