malware specialists have already blocked these IP addresses in order to protect our users.Ĭybercriminals’ ability and imagination seem to have no limits when it comes to retrieving sensitive data and financial information.Īnd web browser extensions are nevertheless pieces of code, which means they have the ability to deliver malicious payloads or can prove to be “Trojan horses”, that hide spyware functions and steal personal details from users.
CHROMESPOT 2014 AWESOME SCREENSHOT MALWARE CODE
A week later the spyware capabilities are activated, by downloading additional code from the web . This smart behavior allows the extension to evade any security check from Google, which cannot analyze the entire code and detect its spyware features.
The user installs the extension from Google Chrome Web Store.We will present shortly the main events that occur when this extension is installed:
CHROMESPOT 2014 AWESOME SCREENSHOT MALWARE DOWNLOAD
This domain gives us more detailed information:Īlthough the website appears to be running, when you hit the Download option, which should direct you to Google Chrome, you can notice the extension has been removed. It also features an email address, which makes use of the domain .il. The extension homepage is located at this address webpagescreenshotinfo, with the following registrant information: He says that the information is valuable commercially and he says while it’s not the users’ individual visits that are interesting, but surfing behavior on different sites together. The aim is to “produce statistics on surfing behavior” and sell it. The browser receives instructions to constantly send away information about what websites have been visited to a server in United States… The owner of the Webpage screenshot confirmed that he has entered a code that sends the data on which sites users visit. Our research revealed that this type of spyware has affected not just normal users, but even large companies in Sweden: To avoid any security check or detection mechanism from Google, Webpage Screenshot includes a sleep function, so that the spyware-like behavior will not be activated right away, but a week later.Īpparently, there is an important vulnerability in how code validation is done for each extension in Google Chrome, which makes us wonder how many extensions are still out there that hide spyware. Peter Kruse, founder of CSIS Security Group, says: The main problem with this extension, or should we say spyware, is that it collects information on a user’s traffic details and sends it to a server located in the United States. At the same time, we notice a really good rating – 4.5 points from a total of 5. In Denmark alone, the extension has been downloaded by 39.289 users (see the attached screenshot) and more than 1.2 million users worldwide. Our malware labs have detected a popular extension in Google Chrome – Webpage Screenshot – that systematically collects your browsing details in order to sell them to a third party.
Are you ready for Webpage Screenshot, the latest Trojan horse?
0 kommentar(er)
