Hackers compromised the script used by Best of the Web to display its trust seal on customers' websites and added two keylogging scripts designed to sniff keystrokes from visitors.

As Sanguine Security researcher Willem de Groot found out, "The security seal as sold by @bestoftheweb contains even 2 different keystroke loggers. One was added on Apr 24th, the other last week."

After de Groot disclosed his discovery to Best of the Web, the company confirmed that its trust seal script, which was hosted on Amazon’s content delivery network (CDN), was indeed hacked.

In addition, the company stated that it took immediate action to fix the issue and all customers impacted by the compromised script were being contacted.

As the Best of the Web Trust Seal Team said in an email to BleepingComputer:

Earlier today, we were notified that the script we use to display trust seals that we host on Amazon’s content delivery network (CDN) was compromised. We took immediate action to remedy the situation and are in the process of informing those who were affected. We will be conducting a full security audit of our hosted accounts to ensure that this does not happen again.

The keystroke logging scripts found by the researcher were encoded, but de Groot managed to decode them. The decoded versions of the JavaScript-based keyloggers are available on GitHub Gist, and the obfuscated versions have been published as well.

A list of some of the websites where the compromised trust seal script is present can be found via a PublicWWW scan, with over 100 of them still linking to compromised versions of the script.
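
For site owners checking their own exposure to a hosted script like this one, the following added example (not from the article or from Best of the Web) audits a page's script tags and reports third-party scripts loaded without a Subresource Integrity pin, or whose pin no longer matches what is served. The hosts, file names and script bodies are constructed placeholders.

```javascript
const { createHash } = require('node:crypto');

// SRI value a browser would compute for a script body (only sha384 is handled here).
function sriHash(body) {
  return 'sha384-' + createHash('sha384').update(body, 'utf8').digest('base64');
}

// Extract the attributes of every <script ...> opening tag in the HTML.
function scriptTags(html) {
  const tags = [];
  for (const m of html.matchAll(/<script\b([^>]*)>/gi)) {
    const attrs = {};
    for (const a of m[1].matchAll(/([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g)) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? '';
    }
    tags.push(attrs);
  }
  return tags;
}

// Status per external script: 'same-origin', 'unpinned', 'pinned-ok' or 'pinned-mismatch'.
// `served` maps script URL -> body currently served (constructed here; fetched in practice).
function auditScripts(pageUrl, html, served) {
  const page = new URL(pageUrl);
  return scriptTags(html).filter(t => t.src).map(t => {
    const url = new URL(t.src, page); // resolves relative and protocol-relative src
    let status;
    if (url.host === page.host) status = 'same-origin';
    else if (!t.integrity) status = 'unpinned'; // browser runs whatever the CDN returns
    else {
      const pins = t.integrity.split(/\s+/);
      status = pins.includes(sriHash(served[url.href] ?? '')) ? 'pinned-ok' : 'pinned-mismatch';
    }
    return { src: url.href, status };
  });
}

// Constructed sample data: hypothetical hosts, file names and script bodies.
const ORIGINAL = 'showSeal();';
const TAMPERED = 'showSeal();/* injected code */';
const SEAL = 'https://cdn.seal-vendor.example/';
const SAMPLE_HTML = `
<script src="/js/app.js"></script>
<script src="//cdn.seal-vendor.example/seal.js"></script>
<script src="${SEAL}seal-pinned.js" integrity="${sriHash(ORIGINAL)}" crossorigin="anonymous"></script>`;
const SERVED = { [SEAL + 'seal.js']: TAMPERED, [SEAL + 'seal-pinned.js']: TAMPERED };
console.log(auditScripts('https://shop.example/checkout', SAMPLE_HTML, SERVED));
```

A pin only helps when the vendor serves an immutable, versioned file; a script that the vendor updates in place will fail the integrity check on every legitimate change.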

Best of the Web trust seal

Cybercriminals have hit multiple targets with supply chain attacks since the start of 2019. In January, hackers compromised an advertising script from French online advertiser Adverline and later used it to inject a MageCart payment info skimmer into hundreds of websites.

During March, multiple gaming companies were infiltrated after a series of successful supply-chain attacks which made it possible for the attackers to inject a malicious payload designed to provide them with a backdoor.

Asus' Live Update utility was also compromised during March by an advanced persistent threat (APT) group, with the hackers successfully injecting a backdoor after infiltrating some of the company's servers.

Last but not least, in May, a JavaScript-based payment card skimming script was injected in the checkout pages of hundreds of online campus stores powered by the PrismWeb e-commerce platform.