Security Alert: Webpage Screenshot Leaks Private Data For 1.2 Million Users
Be careful about the extensions you download in your browser.
Are you ready for Webpage Screenshot, the latest Trojan horse?
Our malware labs have detected a popular extension in Google Chrome – Webpage Screenshot – that systematically collects your browsing details in order to sell them to a third party.
In Denmark alone, the extension has been downloaded by 39.289 users (see the attached screenshot) and more than 1.2 million users worldwide. At the same time, we notice a really good rating – 4.5 points from a total of 5.
The main problem with this extension, or should we say spyware, is that it collects information on a user’s traffic details and sends it to a server located in the United States.
Peter Kruse, founder of CSIS Security Group, says:
To avoid any security check or detection mechanism from Google, Webpage Screenshot includes a sleep function, so that the spyware-like behavior will not be activated right away, but a week later.
Apparently, there is an important vulnerability in how code validation is done for each extension in Google Chrome, which makes us wonder how many extensions are still out there that hide spyware.
Our research revealed that this type of spyware has affected not just normal users, but even large companies in Sweden:
The browser receives instructions to constantly send away information about what websites have been visited to a server in United States… The owner of the Webpage screenshot confirmed that he has entered a code that sends the data on which sites users visit. The aim is to “produce statistics on surfing behavior” and sell it. He says that the information is valuable commercially and he says while it’s not the users’ individual visits that are interesting, but surfing behavior on different sites together.
Where is this extension coming from?
The extension homepage is located at this address webpagescreenshot[.]info, with the following registrant information:
Registrant Name:Danny Gembom
Registrant Street: Rehovot POB 80
Registrant Postal Code:38819
It also features an email address, which makes use of the domain bubbles.co.il. This domain gives us more detailed information:
person: Aminadav Glickshein
address: Nof Ayalon P.O.B 6
address: D.N. Shimshon
phone: +972 8 9790049
e-mail: AminadavG AT gmail.com
Although the website appears to be running, when you hit the Download option, which should direct you to Google Chrome, you can notice the extension has been removed.
How does Webpage Screenshot behave?
We will present shortly the main events that occur when this extension is installed:
- The user installs the extension from Google Chrome Web Store.
- A week later the spyware capabilities are activated, by downloading additional code from the web . This smart behavior allows the extension to evade any security check from Google, which cannot analyze the entire code and detect its spyware features.
- Once the extension has activated its private data collecting ability, the sensitive information that can be used to identity an individual is transmitted in the United States at the following IP address: 220.127.116.11 (Serverbeach, New York, USA).
- The analyzed IP address gives us a number of subdomains related to this service:
Our malware specialists have already blocked these IP addresses in order to protect our users.
Cybercriminals’ ability and imagination seem to have no limits when it comes to retrieving sensitive data and financial information.
And web browser extensions are nevertheless pieces of code, which means they have the ability to deliver malicious payloads or can prove to be “Trojan horses”, that hide spyware functions and steal personal details from users.
Though Google Chrome has moved fast and removed the extension from its web store, it is obvious that security mechanisms should be improved fast, especially when we see this extension has reached over one million users.
If you have already installed this Google Chrome extension, make sure you remove it as soon as possible. Stay Safe!
This post was originally published by Aurelian Neagu in April 2015.