Oh, the irony… Malware spread via Best of the Web security seals

Graham Cluley


Well, this is a little embarrassing.

You know those seals that some ecommerce websites display to reassure users that they can be trusted? Badges that tell you you can go ahead and enter your credit card details and personal information with confidence that you’re on a website you can rely upon?

This kind of thing…

Trust seals

Well, as Bleeping Computer reports, the script used by one such company to display its trust seal on customers’ websites got hacked.


The supply-chain security breach, discovered by researcher Willem de Groot, saw Best of the Web’s trust seal compromised by two different keystroke loggers.

Oh dear.

In other words, the very thing that websites were using to reassure you that they were secure… was insecure, and putting your personal data at risk.

Best of the Web confirmed on Twitter that its code had been compromised:

Earlier today, we were notified that the script we use to display trust seals that we host on Amazon’s content delivery network (CDN) was compromised. We took immediate action to remedy the situation and are in the process of informing those who were affected. We will be conducting a full security audit of our hosted accounts to ensure that this does not happen again.

Trust takes years to build, but only seconds to destroy.

By the way, if you’re considering whether your website needs one of these trust seals or not, here’s a comment from security expert Thomas Reed:

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

3 Replies to “Oh, the irony… Malware spread via Best of the Web security seals”

  1. Sure looks like they're trying to throw blame at Amazon (by mentioning the irrelevant hosting company), without any apology / ownership of blame.

  2. Agree with the other tweet. And I laughed out loud at the way you set up the article. Brilliantly done Graham.

    As for 'Trust takes years to build, but only seconds to destroy.' that's so true but there's irony there too. Many organisations seem to disregard this entirely. They even go on the defence when that actually portrays the offence – by shifting the blame or statistics (something that is so very easy to twist and manipulate because a scarily high percent of the human population don't know a bloody thing about statistics) or whatever else away from them and on to others. One of the two or three useful things I learnt in school (computers and otherwise .. when the other kids in the group were learning C++ – which makes me want to vomit compared to C – I was writing graphical and sound effects in assembly on the side) is when I was five and it was along the above lines – a good reputation is hard to keep but a bad reputation is hard to lose. Yet here too people seem to not care. What's more appalling is that people are satisfied with the manipulation and lies that these untrustworthy people with bad reputations (not even caring about their reputation: not their real reputation anyway) throw out. Politicians love these types of people who don't think for themselves. In other words politicians love most people. So do corporations. And many individual actors. Truly 'majority rules' here and in ways that aren't good. Which is probably why it is this way exactly.
