Fake trust seals, with bad puns


Symantec has highlighted in a blog post a website masquerading as an official one by using fake trust seals. Where have we seen this before?

I seal what you did there

I don't remember exactly when it started, but in the Web 1.0 days I started noticing email from certain friends of mine contained something akin to this in their footers. The footers of the email, not the friends.

This email was scanned by Ultra Duper AntiVirus and was found clean.

Now that I think about it, I think it was Hotmail that started doing this first, particularly if you had attachments. I could be wrong though (it wouldn't be the first time) so don't quote me on that.

Needless to say, while these glowingly reassuring messages looked good in email and surely Julian Assuaged the fears of many a light internet user, those of us who'd been around the bush a few times were less that convinced. Without a cryptographic signature or any other uniquely identifying mark anywhere in this footer message, we had absolutely no idea whether the assurance from Ultra Duper AntiVirus was authentic or not. In other words, there was no way of telling whether the footer message really did come from an anti-virus product, or whether the plain text had just been appended.

Why is this important? Well say I were a virus writer (cough) and I wanted to infect as many machines as I could. There are far more efficient methods than email thesedays, but for the sake of the argument I decided to attach my payload or include a malicious link to a well crafted email containing "New season of Kaleido Star!" as a signature. What better thing to do that insert a fake anti-virus assurance message? Sure it wouldn't convince Hillary Clinton's techno-experts, but as long as it convinced just a few then we'd get our payment.

Being kissed by a rose sounds painful

Icon from the KDE Oxygen iconsetSo now we come to the idea of site trust seals. Site trust seals were originally simply images embedded onto web pages that assured their visitors that their site had been scanned by an anti-virus product, vetted by a security firm, or they'd paid their mafia protection racket and as such you were guaranteed to be left alone. Problem is, as with those silly anti-virus footer messages, there was no way of knowing if the images were legitimate or not, which defeated their whole purpose of trust!

At some point (affording myself of my highly accurate timeline information here once more), security companies finally cottoned onto this, and began employing seals that linked to unique IDs on a third party site. By doing this, the image could be demonstrably verified by a third party which is tougher to spoof unless you can compromise said third party. In this day and age, I honestly wouldn't put it past some people.

The problem site Symantec highlighted in their blog employed a rather crude workaround. Instead of breaking the site trust seal chain of trust itself, the malicious site simply included this in the site trust seal's link:

http://www.[software security company].com.[fake domain].com

I suppose while it wouldn't have worked on all people, it still honls true to the "fooling just enough people to make money" rule.

These terrible seal puns doing anything for you?

Though not as much as email footers claiming they're super duper dandy just fine safe secure and fabulous, I'm skeptical of site trust seals as well, and for this reason. Just as most people ignore site certificates let alone go through the process of verifying them, the few people who would be reassured at the sight of a site trust seal are probably also not the kind of people who would click on them and study their destinations closely before proceeding.

As for seals themselves, I think they're adorable creatures :).

Author bio and support


Ruben Schade is a technical writer and infrastructure architect in Sydney, Australia who refers to himself in the third person. Hi!

The site is powered by Hugo, FreeBSD, and OpenZFS on OrionVM, everyone’s favourite bespoke cloud infrastructure provider.

If you found this post helpful or entertaining, you can shout me a coffee or send a comment. Thanks ☺️.