
How to spot a fake security award like Ashley Madison’s

Nick FitzGerald, senior research fellow at ESET, says that as a rule, any useful website rating system, award or service will provide a link so users can check the veracity of that claim.

For example, FitzGerald says that the Avis rental car site has a well-known TRUSTe ‘Certified Privacy’ badge. Of course, anyone could mirror this badge, and TRUSTe is aware of this loophole. So as a remedy, in addition to providing its testing services and the logo artwork to sites it tests successfully, TRUSTe also provides a link-back test.

FitzGerald says that by clicking the link on the TRUSTe ‘Certified Privacy’ badge at the avis.com site, your browser is directed to a TRUSTe webpage with TRUSTe’s current rating of the site.

Link-back checks are common practice when it comes to website security and privacy. In fact, FitzGerald says that the avis.com homepage sports another similar example.

The website has a link-back check to the Verisign SSL certificate confirmation site, allowing a visitor to the avis.com site to verify the certificate used.

With this in mind, FitzGerald believes that former Ashley Madison webpages sporting the fake “Trusted Security Award” should have raised suspicion.

“The fake “award” is no longer included on current Ashley Madison webpages, but looking up archived copies of earlier versions of the Ashley Madison homepage shows that this reputed award was represented on the page with just a simple “gold medal” image and the words “Trusted Security Award” (or words meaning much the same in other languages in localised versions of the page),” explains FitzGerald.

“In yet older versions of Ashley Madison webpages, the words “Trusted Security Award” were actually part of the image itself,” he says.

FitzGerald adds that the first suspicious thing here is that this reputed award was apparently not issued by anyone in particular.

“The award is unnamed. It’s not the “Burminster Stevens Trusted Security Award” (something entirely fictitious that I just made up). It’s just the “Trusted Security Award”. Second, there is no link from the award to an independent site where you could check the veracity of the claimed award,” he says.

“Neither the “gold medal” logo, nor the accompanying words, were the anchor for a link to the supposed organisation that issued this reputed award to the Ashley Madison site.”

He says that had any Ashley Madison users ascertained that the website was using a fake “security award”, presumably in the hope of bolstering confidence in the site’s security, they should have been even more concerned about potential security risks associated with using the site.

“Of course, learning this purely through the benefit of hindsight is not very helpful.”
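
The link-back check FitzGerald describes can be run mechanically over a page's HTML. The following is an added example, not code from the article or from any vendor: it flags badge-like images that have no link, or that link only back to the site displaying them. The keyword list, the verdict names and the `shop.example` / `issuer.example` hosts are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed heuristic: words that commonly appear in trust-badge alt text or file names.
BADGE_WORDS = ("award", "certified", "trusted", "secured", "verified", "seal")

class BadgeAudit(HTMLParser):
    """Record each badge-like <img> and the link, if any, that wraps it."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.open_links = []  # hrefs of the <a> elements currently open
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self.open_links.append(attrs.get("href"))
        elif tag == "img":
            label = " ".join(attrs.get(k) or "" for k in ("alt", "title", "src"))
            if any(word in label.lower() for word in BADGE_WORDS):
                verdict, target = self.classify(self.open_links[-1] if self.open_links else None)
                self.findings.append({"badge": attrs.get("alt"), "verdict": verdict, "target": target})

    def handle_endtag(self, tag):
        if tag == "a" and self.open_links:
            self.open_links.pop()

    def classify(self, href):
        url = urlparse(urljoin(self.page_url, href)) if href else None
        if url is None or not url.hostname:
            return "unverifiable", None  # image only: nothing a visitor can check
        if url.hostname == urlparse(self.page_url).hostname:
            return "self-referential", url.hostname  # the site is vouching for itself
        return "check-issuer", url.hostname  # visit it and confirm it names this site

def audit(html, page_url):
    parser = BadgeAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample page; the hosts and image paths are placeholders.
SAMPLE = """
<a href="https://issuer.example/verify?site=shop.example"><img src="/img/seal.png" alt="Certified Privacy"></a>
<img src="/img/medal.png" alt="Trusted Security Award">
<a href="/about/security"><img src="/img/ssl.png" alt="Secured site"></a>
"""
if __name__ == "__main__":
    print(audit(SAMPLE, "https://shop.example/"))
```

A `check-issuer` verdict only means a link exists: the visitor still has to follow it and confirm that the issuer's own page names the site in question.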
