SECURITY EVANGELIST

Are you ready for Webpage Screenshot, the latest Trojan horse?

Our malware labs have detected a popular extension in Google Chrome – Webpage Screenshot – that systematically collects your browsing details in order to sell them to a third party.

In Denmark alone, the extension has been downloaded by 39.289 users (see the attached screenshot) and more than 1.2 million users worldwide. At the same time, we notice a really good rating – 4.5 points from a total of 5.

Webpage Screenshot

The main problem with this extension, or should we say spyware, is that it collects information on a user’s traffic details and sends it to a server located in the United States.

Peter Kruse, founder of CSIS Security Group, says:

To avoid any security check or detection mechanism from Google, Webpage Screenshot includes a sleep function, so that the spyware-like behavior will not be activated right away, but a week later.

Apparently, there is an important vulnerability in how code validation is done for each extension in Google Chrome, which makes us wonder how many extensions are still out there that hide spyware.

Our research revealed that this type of spyware has affected not just normal users, but even large companies in Sweden:

The browser receives instructions to constantly send away information about what websites have been visited to a server in United States… The owner of the Webpage screenshot confirmed that he has entered a code that sends the data on which sites users visit. The aim is to “produce statistics on surfing behavior” and sell it. He says that the information is valuable commercially and he says while it’s not the users’ individual visits that are interesting, but surfing behavior on different sites together.

 

Where is this extension coming from?

The extension homepage is located at this address webpagescreenshot[.]info, with the following registrant information:

Registrant Name:Danny Gembom
Registrant Organization:
Registrant Street: Rehovot POB 80
Registrant City:Rehovot
Registrant State/Province:
Registrant Postal Code:38819
Registrant Country:IL
Registrant Phone:+972.542290258

It also features an email address, which makes use of the domain bubbles.co.il. This domain gives us more detailed information:

person: Aminadav Glickshein
address: Nof Ayalon P.O.B 6
address: D.N. Shimshon
address: 99785
address: Israel
phone: +972 8 9790049
e-mail: AminadavG AT gmail.com

Although the website appears to be running, when you hit the Download option, which should direct you to Google Chrome, you can notice the extension has been removed.

 

How does Webpage Screenshot behave?

We will present shortly the main events that occur when this extension is installed:

  1. The user installs the extension from Google Chrome Web Store.
  2. A week later the spyware capabilities are activated, by downloading additional code from the web . This smart behavior allows the extension to evade any security check from Google, which cannot analyze the entire code and detect its spyware features.
  3. Once the extension has activated its private data collecting ability, the sensitive information that can be used to identity an individual is transmitted in the United States at the following IP address: 64.34.175.88 (Serverbeach, New York, USA).
  4. The analyzed IP address gives us a number of subdomains related to this service:

webpagescreenshot[.]info
c.webpagescreenshot[.]info
ch.webpagescreenshot[.]info
s1.webpagescreenshot[.]info
ww.webpagescreenshot[.]info
che.webpagescreenshot[.]info
ftp.webpagescreenshot[.]info
www.webpagescreenshot[.]info
cheg.webpagescreenshot[.]info
youtube.cwww.webpagescreenshot[.]info
ywww.webpagescreenshot[.]info
youtube.cowww.webpagescreenshot[.]info
yowww.webpagescreenshot[.]info
youtube.comwww.webpagescreenshot[.]info
youwww.webpagescreenshot[.]info
youtwww.webpagescreenshot[.]info
youtuwww.webpagescreenshot[.]info
youtubwww.webpagescreenshot[.]info

Our malware specialists have already blocked these IP addresses in order to protect our users.

 

Conclusion

Cybercriminals’ ability and imagination seem to have no limits when it comes to retrieving sensitive data and financial information.

And web browser extensions are nevertheless pieces of code, which means they have the ability to deliver malicious payloads or can prove to be “Trojan horses”, that hide spyware functions and steal personal details from users.

Though Google Chrome has moved fast and removed the extension from its web store, it is obvious that security mechanisms should be improved fast, especially when we see this extension has reached over one million users.

If you have already installed this Google Chrome extension, make sure you remove it as soon as possible. Stay Safe!

This post was originally published by Aurelian Neagu in April 2015.

data leakage
2016.09.08 INTERMEDIATE READ

All About (Concealed) Data Leakage for Users Like You and Me

Protect Your PC with Multiple Layers
2016.06.21 INTERMEDIATE READ

How to Protect Your PC with Multiple Layers of Security

Alarming Cyber Security Facts
2016.05.12 SLOW READ

10 Alarming Cyber Security Facts that Threaten Your Data [Updated]

Comments

how to check chrome extension security???

Hervé Compagnion on January 11, 2016 at 8:11 am

After uninstalling this Webpage Screenshot extension, Chrome keeps notifying me (after every restart) that this extension has been removed automatically… although I obviously don’t reinstall it every time. Chrome seems to keep track of something left over. Is there any way to clean this mess up?

I have the same issue. Go to your extensions directory ( OSX in your Library/Applications Support/Google/Default/Extensions) and delete the directory ckibcdccnfeookdmbahgiakhnjcddpki.

As long as they disclose that they are collecting this anonymous browsing behavior, which they were, what’s the problem? Seems like a fair exchange for a well designed free app.

Leave a Reply

Your email address will not be published. Required fields are marked *

GO TO TOP