Oh, the irony… Malware spread via Best of the Web security seals

Oh, the irony... Malware spread via Best of the Web trust seals

Well, this is a little embarrassing.

You know those seals that some ecommerce websites display to reassure users that they can be trusted? Badges that tell you you can go ahead and enter your credit card details and personal information with confidence that you’re on a website you can rely upon?

This kind of thing…

Sign up to our free newsletter.
Security news, advice, and tips.

Trust seals

Well, as Bleeping Computer reports, the script used by one such company to display its trust seal on customers’ websites got hacked.

Botw

The supply-chain security breach, discovered by researcher Willem de Groot, saw Best of the Web’s trust seal compromised by two different keystroke loggers.

Oh dear.

In other words, the very thing that websites were using to reassure you that they were secure… was insecure, and putting your personal data at risk.

Best of the Web confirmed on Twitter that its code had been compromised:

Earlier today, we were notified that the script we use to display trust seals that we host on Amazon’s content delivery network (CDN) was compromised. We took immediate action to remedy the situation and are in the process of informing those who were affected. We will be conducting a full security audit of our hosted accounts to ensure that this does not happen again.

Trust takes years to build, but only seconds to destroy.

By the way, if you’re considering whether your website needs one of these trust seals or not, here’s a comment from security expert Thomas Reed:


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

3 comments on “Oh, the irony… Malware spread via Best of the Web security seals”

  1. Jake

    Sure looks like they're trying to throw blame at Amazon (by mentioning the irrelevant hosting company), without any apology / ownership of blame.

  2. François

    Those icons screams legacy unmaintained websites.

  3. coyote

    Agree with the other tweet. And I laughed out loud at the way you set up the article. Brilliantly done Graham.

    As for 'Trust takes years to build, but only seconds to destroy.' that's so true but there's irony there too. Many organisations seem to disregard this entirely. They even go on the defence when that actually portrays the offence – by shifting the blame or statistics (something that is so very easy to twist and manipulate because a scarily high percent of the human population don't know a bloody thing about statistics) or whatever else away from them and on to others. One of the two or three useful things I learnt in school (computers and otherwise .. when the other kids in the group were learning C++ – which makes me want to vomit compared to C – I was writing graphical and sound effects in assembly on the side) is when I was five and it was along the above lines – a good reputation is hard to keep but a bad reputation is hard to lose. Yet here too people seem to not care. What's more appalling is that people are satisfied with the manipulation and lies that these untrustworthy people with bad reputations (not even caring about their reputation: not their real reputation anyway) throw out. Politicians love these types of people who don't think for themselves. In other words politicians love most people. So do corporations. And many individual actors. Truly 'majority rules' here and in ways that aren't good. Which is probably why it is this way exactly.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.