- Security researchers found a malicious script on ESA’s web shop
- The script creates a fake Stripe page at checkout, grabbing payment data
- The shop is currently unavailable
The website of the European Space Agency (ESA) was recently compromised with a credit card skimmer, putting countless people at risk of wire fraud.
Researchers from Sansec spotted a malicious script on ESA’s web shop, and determined it creates a fake Stripe payment page at checkout, where it collects customer information.
Payment data, including sensitive credit card information, was also being gathered, making this attack particularly dangerous.
Out of ESA’s hands?
The sensitive data was harvested and sent to a domain with the same name as ESA’s legitimate one, BleepingComputer reports. The top-level domain, however, was different as instead of the usual .com TLD, the domain here was .pics.
As soon as Sansec spotted the attack, it notified ESA, which temporarily shut the shop down.
At press time, it was still offline, showing Error 503: Service Unavailable. “Our site is temporarily out of orbit for some exciting renovations,” the shop says. “Please fly by later.”
Responding to BleepingComputer’s request for comment, ESA said the store is not hosted on its infrastructure, and as such, it is not the one managing the data.
“This could be confirmed with a simple whois lookup, which show complete details for ESA’s domain (esa.int) and its web store, where contact data is redacted for privacy,” BleepingComputer concluded.
So far, no threat actors have assumed responsibility for this attack, and with this type of incident, they rarely do. However, Magecart is a globally known, infamous threat actor, that was observed installing credit card skimmers on major websites in the past.
The last time we heard of Magecart was in March 2023, when Malwarebytes speculated the group might be behind the attack on multiple online ecommerce stores.
When crooks use people’s credit cards, the victims can get a refund from their bank. However, cybercriminals can use the money to fund advertising campaigns that distribute more malware, and by the time the cards are locked and funds returned, the damage was already done.