Ever heard of two scripts called lnkr5.min.js and lnkr30_nt.min.js? I hadn’t either, until I had a client whose website kept getting hacked.
It took a while to figure out what was happening, but eventually we found that every time one particular person made an edit to their their site, that page became “hacked” and would run some malicious scripts.
The two malicious scripts were:
The 3 domains that were serving the scripts were these:
First there was a validation script, then another domain would run a second script, so the final code looked like this:
Upon execution, no visible links were taking place. The script simply added what appeared to be whitespace at the bottom of the post, so I suspect that the links were just white text on a white background, that they hoped nobody would notice.
The user ran both Microsoft Defender and Malware Bytes, but neither one made the problem go away.
I started researching the two scripts online, and found a number of people talking about various extensions and add-ons that people claimed were causing the same thing to happen to them. There were people mentioning Chome extensions, Firefox add-ons, WordPress plugins, and even Shopify issues.
Their Problem Was Coming From a Chrome Extension
I connected remotely with the client, and went through their browser extensions, and found none of the ones above, but did find one that the user had installed some time ago called the Roomstyler 3D Planner. emoving this add-on fixed the problem, and I reported it on this link in the lower right here at the Chrome Store
If I had to guess, I’d say that what happened was the author of the extension accepted an offer to sell, then the spammer that bought it just edited and replaced the plugin in the Chrome store. That’s just a guess though, and for all I know it’s functioning as intended by the author.