Hackers compromised the script that Best of the Web uses to display its trust seal on customers' websites and added two keylogging scripts designed to sniff keystrokes from visitors.
As Sanguine Security researcher Willem de Groot found out, "The security seal as sold by @bestoftheweb contains even 2 different keystroke loggers. One was added on Apr 24th, the other last week."
After de Groot disclosed his discovery to Best of the Web, the company confirmed that its trust seal script, which was hosted on Amazon’s content delivery network (CDN), was indeed hacked.
In addition, the company stated that it took immediate action to fix the issue and all customers impacted by the compromised script were being contacted.
As Best of the Web Trust Seal Team said in an email to BleepingComputer:
... ...