Well, this is a little embarrassing.
You know those seals that some ecommerce websites display to reassure users that they can be trusted? Badges that tell you you can go ahead and enter your credit card details and personal information with confidence that you’re on a website you can rely upon?
This kind of thing…
Well, as Bleeping Computer reports, the script used by one such company to display its trust seal on customers’ websites got hacked.
The supply-chain security breach, discovered by researcher Willem de Groot, saw the script that renders Best of the Web's trust seal on customers' websites modified to include two different keystroke loggers.
In other words, the very thing that websites were using to reassure you that they were secure… was insecure, and putting your personal data at risk.
Best of the Web confirmed on Twitter that its code had been compromised:
Earlier today, we were notified that the script we use to display trust seals that we host on Amazon’s content delivery network (CDN) was compromised. We took immediate action to remedy the situation and are in the process of informing those who were affected. We will be conducting a full security audit of our hosted accounts to ensure that this does not happen again.
Trust takes years to build, but only seconds to destroy.
By the way, if you’re considering whether your website needs one of these trust seals or not, here’s a comment from security expert Thomas Reed:
Those seals mean nothing anyway. I’ve seen them on many adware or PUP sites. An image is a terrible way to indicate safety, since it can simply be copied and reused without permission on an unsafe site. I wish they would all simply go away, and quit giving people false security.
— Thomas Reed (@thomasareed) May 16, 2019
3 comments on “Oh, the irony… Malware spread via Best of the Web security seals”
Sure looks like they're trying to throw blame at Amazon (by mentioning the irrelevant hosting company), without any apology / ownership of blame.
Those icons scream legacy unmaintained websites.
Agree with the other tweet. And I laughed out loud at the way you set up the article. Brilliantly done Graham.
As for 'Trust takes years to build, but only seconds to destroy.' that's so true but there's irony there too. Many organisations seem to disregard this entirely. They even go on the defence when that actually portrays the offence – by shifting the blame or statistics (something that is so very easy to twist and manipulate because a scarily high percent of the human population don't know a bloody thing about statistics) or whatever else away from them and on to others. One of the two or three useful things I learnt in school (computers and otherwise .. when the other kids in the group were learning C++ – which makes me want to vomit compared to C – I was writing graphical and sound effects in assembly on the side) is when I was five and it was along the above lines – a good reputation is hard to keep but a bad reputation is hard to lose. Yet here too people seem to not care. What's more appalling is that people are satisfied with the manipulation and lies that these untrustworthy people with bad reputations (not even caring about their reputation: not their real reputation anyway) throw out. Politicians love these types of people who don't think for themselves. In other words politicians love most people. So do corporations. And many individual actors. Truly 'majority rules' here and in ways that aren't good. Which is probably why it is this way exactly.