The website Best of the Web, whose purpose is to assure site visitors that their user data is safe and that the websites it lists value visitor privacy, has been hacked, according to security researcher Willem de Groot. The site is a directory of websites that receive a trust seal so visitors will know they are real businesses, but the site itself was injected with information-stealing malware.
On May 13, the researcher tweeted that the Best of the Web seal was injected with two keyloggers and that more than 100 websites were still linked to the compromised seal.
Attackers reportedly injected obfuscated JavaScript code, and in his latest tweet de Groot confirmed that the attackers used open S3 buckets to inject formjackers. De Groot has identified several supply chain attacks that have impacted multiple companies (complete list at PublicWWW), including Picreel, historydaily.org, groupon.com.ar, groupon.cl, trome.pe and tributes.com.
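The seal was loaded by its customers as a third-party script served from a bucket the attackers could write to, so every site embedding it ran the modified code. The following is an added example, not code from the article or from Best of the Web, showing the check a site owner can run against their own pages: list externally hosted script tags that carry no Subresource Integrity attribute, and compute the SRI value that would pin a known-good copy. The hostnames and script body are constructed for the example.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptAuditor(HTMLParser):
    """Collect every <script src=...> tag and whether it has an integrity attribute."""

    def __init__(self):
        super().__init__()
        self.scripts = []  # list of (src, has_integrity)

    def handle_starttag(self, tag, attrs):
        if tag != "script":  # html.parser lowercases tag and attribute names
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append((a["src"], "integrity" in a))


def third_party_scripts_without_sri(html, first_party_host):
    """Return src URLs of scripts served from another host that lack SRI.

    A browser refuses to execute an SRI-pinned script whose content no longer
    matches the hash, which is exactly the case when a hosted seal is altered.
    """
    parser = ScriptAuditor()
    parser.feed(html)
    findings = []
    for src, has_sri in parser.scripts:
        host = urlparse(src).netloc  # empty for relative (same-origin) URLs
        if host and host != first_party_host and not has_sri:
            findings.append(src)
    return findings


def sri_hash(script_body: bytes) -> str:
    """SRI value (sha384, base64) for a known-good copy of a script."""
    return "sha384-" + base64.b64encode(hashlib.sha384(script_body).digest()).decode()


# Constructed sample page: one same-origin script, one pinned CDN script, one unpinned seal.
SAMPLE_HTML = """
<html><body>
<script src="/js/app.js"></script>
<script src="https://cdn.example-lib.test/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="//seal-host.example-cdn.test/trust-seal.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for src in third_party_scripts_without_sri(SAMPLE_HTML, "shop.example.test"):
        print("third-party script without SRI:", src)
    print(sri_hash(b"/* known-good seal script body */"))
```

SRI pins exact content, so a vendor that legitimately updates its script must publish new hashes; where that is not workable, periodically fetch the script and compare `sri_hash` against the last reviewed value to detect drift.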
Best of the Web confirmed that it had been compromised, stating, "Earlier today, we were notified that the script we use to display trust seals that we host on Amazon's content delivery network (CDN) was compromised. We took immediate action to remedy the situation and are in the process of informing those who were affected. We will be conducting a full security audit of our hosted accounts to ensure that this does not happen again."
"In this latest supply chain attack, hackers went after the weakest link with the most impact to affect the greatest number of websites," said Matan Or-El, CEO of Panorays. "It's certainly ironic to hack a trust seal, and the message is clear: you cannot trust anything. This cyber incident underscores the importance of assessing the security of all third parties and continuously monitoring them, since their status can quickly change, as was the case here where the code was maliciously modified."