Cyber Incident Victim: Best of the Web
Date: Apr 2019
Location: United States of America
Summary
Hackers compromised a trust seal script hosted on a content delivery network, injecting two keyloggers designed to capture visitor keystrokes. The breach was discovered by a security researcher who alerted the affected company, prompting immediate remediation efforts and customer notifications. Over 100 websites remained impacted by the compromised script, which had been altered to include obfuscated malicious code. The incident occurred amid a broader trend of supply-chain attacks targeting third-party services to distribute malware across multiple victim sites.
Description
On or around April 24, 2019, attackers compromised a trust seal script hosted on Amazon’s content delivery network (CDN) and distributed by Best of the Web to its customers. The script, designed to display a security trust seal on client websites, was altered to include two separate JavaScript-based keylogging components. One keylogger was injected on April 24, with a second added shortly before discovery in May 2019. These malicious scripts captured keystroke data from visitors interacting with websites displaying the compromised trust seal. Security researcher Willem de Groot identified the compromise and disclosed his findings to Best of the Web, noting both keyloggers were present in the script. The obfuscated malicious code was subsequently decoded by de Groot, with both original and decoded versions made publicly available via GitHub Gist for analysis. PublicWWW scans confirmed over 100 websites continued to link to the compromised script versions after the breach was disclosed, indicating widespread potential exposure.

Best of the Web confirmed the compromise following de Groot’s notification and initiated immediate remediation efforts. The company removed the malicious code from its hosted script and began notifying affected customers. In a statement to BleepingComputer, Best of the Web’s Trust Seal Team acknowledged the breach of their Amazon CDN-hosted script and committed to conducting a full security audit of hosted accounts to prevent recurrence. The incident exposed visitors of websites using the trust seal to covert keystroke monitoring, though the specific data exfiltrated or attacker objectives were not detailed in available disclosures. The supply chain attack vector mirrored broader 2019 trends targeting third-party scripts, including compromised advertising networks and e-commerce platforms, though Best of the Web’s incident remained distinct in its use of dual keyloggers. No additional technical specifics regarding attacker entry points, infrastructure, or data collection endpoints were publicly confirmed by the involved parties.
