- Security researchers found a malicious script in the ESA webstore
- The script creates a fake Stripe page at checkout, obtaining payment data
- The store is currently unavailable.
The European Space Agency (ESA) website was recently compromised with a credit card skimmer, putting countless people at risk of electronic fraud.
Sansec researchers detected a malicious script in the ESA webstore and determined that it creates a fake Stripe payment page at checkout, where it collects customer information.
Payment data, including sensitive credit card information, was also being collected, making this attack particularly dangerous.
Out of ESA control?
The confidential data was collected and sent to a domain with the same name as the legitimate ESA one, BleepingComputer reported. The top-level domain, however, was different: instead of the usual .com TLD, the domain here used .pics.
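A store operator can check for this same-name, different-TLD pattern among the hosts a checkout page references. The sketch below is an added example, not code from Sansec or the ESA store; the domains (`example-store.com`, `example-store.pics`) and function names are constructed placeholders, and it assumes single-label TLDs.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes that can load code or receive submitted form data.
URL_ATTRS = {("script", "src"), ("iframe", "src"), ("form", "action"), ("link", "href")}

class EndpointCollector(HTMLParser):
    """Collect hostnames a page loads code from or posts data to."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in URL_ATTRS and value:
                host = urlparse(value).hostname  # None for relative URLs
                if host:
                    self.hosts.add(host.lower().rstrip("."))

def split_name_tld(host):
    # Assumption: single-label TLDs (.com, .pics); multi-label suffixes need the Public Suffix List.
    labels = host.split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else (host, "")

def find_tld_lookalikes(html, store_host):
    """Return hosts whose name matches the store's but whose TLD differs."""
    store_name, store_tld = split_name_tld(store_host.lower())
    collector = EndpointCollector()
    collector.feed(html)
    return sorted(
        h for h in collector.hosts
        if split_name_tld(h)[0] == store_name and split_name_tld(h)[1] != store_tld
    )

# Constructed sample checkout page; all domains are placeholders.
SAMPLE_CHECKOUT = """
<html><body>
<script src="https://js.stripe.com/v3/"></script>
<script src="/static/cart.js"></script>
<script src="https://cdn.example-store.pics/assets/pay.js"></script>
<form action="https://www.example-store.com/checkout" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    print(find_tld_lookalikes(SAMPLE_CHECKOUT, "www.example-store.com"))
```

A static scan only sees hosts present in the markup; the same name-and-TLD comparison can be applied to hosts taken from proxy logs or Content Security Policy violation reports to catch requests made by scripts at runtime.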
As soon as Sansec detected the attack, it notified the ESA, which temporarily closed the store.
At the time of this post, it was still offline and showing Error 503: Service Unavailable. “Our site is temporarily out of orbit for some exciting renovations,” the store says. “Please fly by later.”
Responding to BleepingComputer's request for comment, the ESA said that the store is not hosted on its infrastructure and, as such, it is not the one managing the data.
“This could be confirmed with a simple whois search, which shows full details of the ESA domain (esa.int) and its webstore, where contact details are removed for privacy reasons,” BleepingComputer concluded.
So far, no threat actors have taken responsibility for this attack, and in these types of incidents, they rarely do. However, Magecart is an infamous, well-known threat actor that has been observed installing credit card skimmers on major websites in the past.
The last time we heard from Magecart was in March 2023, when Malwarebytes speculated that the group could be behind the attack on multiple online e-commerce stores.
When criminals use people’s credit cards, victims can get a refund from their bank. However, cybercriminals can use the money to fund advertising campaigns that distribute more malware, and by the time the cards are blocked and the funds returned, the damage is done.