When browser extensions attack: Meet LNKR, an ad ecosystem nightmare

Product Marketing Lead Gavin Dunaway explains how malicious browser extensions harm users and strip publishers of revenue while fomenting chaos up and down the advertising supply chain.

My toddler and I share a love for the misadventures of Shaun the Sheep. In particular, we love the episode where sheepdog Bitzer is cleaning the farmhouse window. But the Farmer keeps pointing out specks that Bitzer, try as he might, cannot see.

After countless elaborate attempts to clean the windows, Bitzer notices a chunk of dirt on the Farmer’s coke-bottle glasses. The windows were spotless. The Farmer’s smudgy glasses caused him to see phantom blemishes and incite a great deal of (highly entertaining) chaos on the farm.

Recently, this episode came to mind when talking to a DSP about why a slew of their ads were being blocked on various publishers’ sites (by a different ad quality provider). The DSP shared the report with us. As we examined the wide variety of blocked ads, we confirmed they were clean. There was no cloaking or malicious code, no compromised landing pages. They were basically spotless. After some analysis, it clicked: We were witnessing fallout from LNKR.

LNKR is the smudgy glasses problem transported to digital media. However, it is far more devious and likely to wreak havoc throughout the digital advertising ecosystem.

The trouble with browser extensions

At heart, LNKR is the browser extension heir to the malicious toolbar, a classic form of adware. Browser toolbars tended to create extra ad slots on publisher pages to serve ads. (These sometimes came with even more noxious malware.) However, LNKR simply injects malicious code right into one or more existing ad placements—on top of publisher-served ads. Most often, the malignant code prompts an auto-redirect with a fake software upgrade or antivirus tool download. (Surprise—it’s really more malware!).

Consumers knowingly (perhaps looking for some unique feature like “change text into pirate speak,” ya landlubber), or unknowingly, install a browser extension with LNKR code. Once that’s done, the LNKR operators can deliver redirect code into any ad slot at any time when the infected browser visits any website. If the malicious code is injected and the redirect is served, the consumer comes under attack.

Reputation and revenue

To compound the problem, they’ll think that the publisher they just visited served them malvertising. The publisher’s brand is damaged even though it had nothing to do with the attack. (That character defamation also gets passed upstream to the SSPs and DSPs serving ads to the user.)

A publisher’s bad-ad blocker may shut down legitimate ads because users with the LNKR-infected extension have unwanted code injected on top of them. That could rob publishers of revenue. That’s because every single ad campaign served to the infected user will be mistaken for malware and slapped away.

If not corrected at the user level, or discounted from malvertising reporting, most eligible creative sent to an infected user will eventually be blocked. Thus, the scenario in the be bad ads ad infinitum. SSPs will scream at DSPs for pushing malware through the pipes when the accused advertising creative and supply chain is legit. This can further come back to bite the publisher if SSPs pause or cut off relationships with lucrative DSPs.

The publisher and its demand partners end up becoming patsies for LNKR’s bad deeds, because with these malicious extensions… The malware is coming from inside the browser!

A greater danger

Of course, this confusion damages relationships between AdTech platforms. (And let’s face it, they already have serious trust issues). But beyond that, it muddies the waters for malware hunters. More and more innocuous ads are falsely labeled malvertising. This distracts ad quality providers from the job of tracking down the real bad apples—which are always employing clever new evasive measures to avoid detection.

LNKR also represents a danger to consumers beyond serving as a malware delivery channel. The browsing of infected users can be tracked, and LNKR can also grab search parameters when a user employs any kind of search engine. LNKR has already exhibited the ability for advanced microtargeting. It can infect actual web pages where a user has write access, enabling it to spread to additional users.

Worse, information from infected browsers—as well as access to them—is sold on the dark web to malevolent actors with more malignant schemes. Indeed, LNKR is a key player in the ransomware ecosystem. It’s an ideal tool for extracting personal data that can be exploited for great harm.

Consumer awareness is critical

[Figure: LNKR incidents, Jan. 2021-July 2021. Distinct LNKR incidents, with each one accounting for thousands of individual hits, have been on the rise since the beginning of 2021.]

LNKR is an effective malvertising tactic. The number of incidents (which can account for thousands of individual hits) detected by The Media Trust has been swelling since the beginning of 2021. Nipping this ever-growing threat in the bud relies on something that’s long been difficult for the digital advertising industry: consumer education.

Browser extensions are sticky. And consumers often forget what they’ve actually installed. Unused extensions can easily pile up and extension apathy is exactly what the bad actors behind LNKR prey on. That’s where the smudgy glasses issue hits full stride: infected consumers keep getting hit with redirects. They also have no idea that a browser extension causes the issue, let alone which specific extension.

Alongside software updates, operators of the main browsers often prompt users to check their extensions to make sure they’re only housing ones they want. In addition, users need to keep their approved extensions updated, which is not always a simple task. Older versions of extensions can have unseen vulnerabilities and be compromised.

The rest of the industry needs to spread the truth wherever possible. We must explain that LNKR is a bigger threat than just some annoying redirects. Extension hygiene may not be sexy, but it’s key for an overall good experience on the web and helping you stay clear from malware and unwanted data tracking.

Cleaning up the LNKR smudge

Publishers, though, need to demand more from their bad-ad-blocking services. Ad quality providers must be able to identify LNKR, confirm blocks are not false positives, and discount LNKR from bad-ad counts. In addition, the creative blocker needs to ensure it’s stopping the delivery of adware that will further spread the LNKR menace. That’s right: They must block pop-ups, scams, and ads distributing unwanted programs.

Finally, being able to recognize LNKR and alert publishers’ upstream partners ensures less legit creative gets caught in the crossfire. Discounting LNKR in malware reports will limit ire between AdTech partners that could eventually impact publisher revenue.
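One way to discount suspected extension-injected blocks from bad-ad counts, shown as an added example (not code from this article or The Media Trust's method). It assumes the blocker logs a per-browser identifier with each event and applies a heuristic: a browser in which nearly every distinct creative gets blocked is likely seeing client-side injection. Field names, thresholds and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events: (browser_id, creative_id, dsp, blocked)
EVENTS = [
    ("b1", "c1", "dspA", True),  ("b1", "c2", "dspB", True),
    ("b1", "c3", "dspA", True),  ("b1", "c4", "dspC", True),
    ("b2", "c1", "dspA", False), ("b2", "c2", "dspB", False),
    ("b2", "c9", "dspD", True),  ("b2", "c3", "dspA", False),
    ("b3", "c9", "dspD", True),  ("b3", "c1", "dspA", False),
    ("b3", "c4", "dspC", False), ("b3", "c2", "dspB", False),
]

MIN_CREATIVES = 4      # assumed: distinct creatives seen before judging a browser
MIN_BLOCK_RATIO = 0.9  # assumed: share of those creatives that were blocked


def suspect_browsers(events):
    """Return browsers where almost every distinct creative was blocked.

    Unrelated creatives from unrelated DSPs all failing in one browser
    points at something inside that browser, not at the supply chain.
    """
    seen, blocked = defaultdict(set), defaultdict(set)
    for browser, creative, _dsp, was_blocked in events:
        seen[browser].add(creative)
        if was_blocked:
            blocked[browser].add(creative)
    return {
        b for b, creatives in seen.items()
        if len(creatives) >= MIN_CREATIVES
        and len(blocked[b]) / len(creatives) >= MIN_BLOCK_RATIO
    }


def bad_ad_report(events):
    """Per-creative block counts, split into counted and discounted.

    Discounted blocks are kept, not dropped, so an analyst can still
    review them: an affected browser can also receive a real bad ad.
    """
    suspects = suspect_browsers(events)
    report = defaultdict(lambda: {"dsp": None, "counted": 0, "discounted": 0})
    for browser, creative, dsp, was_blocked in events:
        if not was_blocked:
            continue
        row = report[creative]
        row["dsp"] = dsp
        row["discounted" if browser in suspects else "counted"] += 1
    return dict(report)
```

On the sample data, creative `c9` stays in the bad-ad count because it is blocked in two otherwise clean browsers, while `c1` through `c4` are discounted because their only blocks come from browser `b1`.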

In real life, a little microfiber cloth makes quick work of a blemish on your glasses. Unfortunately, wiping browsers of the LNKR smudge is going to be a complex, industry-wide struggle. The first step, however, is widespread acknowledgement of the danger at hand.