“We monitor our customers' networks for signs of hacking. A few weeks ago, we found a strange pattern in the traffic of several companies. After talking with them, we found this plug-in which was installed on the computers that was behaving strangely,” he said.Mariolini went on to explain that the extension contains hidden code that saves information about users’ browsing history and sends it to a server based in the United States. However, the IP address of the server is registered to a private individual who lives in Israel. The Webpage Screenshot extension stores a variety of potentially sensitive information. This includes IP addresses, data from URLs visited and pages viewed, profile properties, and usage details. Heimdal Security, a security firm launched in 2011 by the CSIS Security Group, has also detected the spyware and analyzed how the hidden code operates. According to blog post published on Heimdal’s website, the hidden code does not activate until one week after Webpage Screenshot is downloaded from the Google Chrome Web Store, which allows the extension to evade Google’s security checks. It is at this time that the extension begins collecting user information and sending it to IP address 22.214.171.124, which is located in Serverbeach, New York, USA. News of the spyware capabilities of Webpage Screenshot follows Google’s announcement to more thoroughly monitor ad-injecting applications that are often found in Chrome extensions. Towards this end, Google researchers removed 200 extensions from the Google Chrome Web Store after discovering they were serving up malware to users. As of this writing, the Webpage Screenshot has been removed from Google’s store.