The European Space Agency’s (ESA) official web shop has fallen victim to a cyberattack, resulting in the theft of customer payment card details during transactions. The breach, identified by e-commerce security firm Sansec, involved a malicious JavaScript code embedded into the store’s checkout process, redirecting customers to a counterfeit payment page.

Malicious script redirects customers to fake payment page

The fake payment page, which mimicked a legitimate Stripe interface, was served directly from ESA’s web shop, making it appear authentic to unsuspecting users. The attack exploited domain spoofing, using a near-identical domain name. While ESA’s official shop operates under “esaspaceshop.com,” the attackers employed “esaspaceshop.pics,” leveraging a different top-level domain to deceive visitors.

Sansec, which flagged the incident, emphasised that the integration of the web shop with ESA’s internal systems could increase the potential risks to the agency’s employees as well as its customers. A further analysis of the malicious script revealed obfuscated HTML code derived from the legitimate Stripe SDK, complicating detection and facilitating the theft of sensitive payment information.
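The two signals described above (injected checkout script, and a lookalike domain that differs from the shop's only in its top-level domain) can be checked for in a rendered checkout page. The following is an added defensive example, not code from Sansec, Source Defense or ESA; the allowlist, the scanner class and the sample HTML are constructed assumptions for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist for the shop: its own hosts plus the real payment provider.
LEGIT_SHOP_DOMAIN = "esaspaceshop.com"
ALLOWED_HOSTS = {"esaspaceshop.com", "www.esaspaceshop.com",
                 "js.stripe.com", "checkout.stripe.com"}

class CheckoutScanner(HTMLParser):
    """Collect script sources, form actions, iframe sources and URLs inside inline scripts."""
    def __init__(self):
        super().__init__()
        self.urls = []
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.urls.append(a["src"])
        elif tag in ("form", "iframe") and (a.get("action") or a.get("src")):
            self.urls.append(a.get("action") or a.get("src"))
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:  # URLs hard-coded in inline scripts, e.g. an exfil endpoint
            self.urls.extend(re.findall(r"https?://[^\s'\"<>)]+", data))

def registrable_name(host):
    # Naive second-level label; enough to pair example.com with example.pics
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else host

def find_suspicious_hosts(html):
    """Return {host: reason} for every referenced host not on the allowlist."""
    p = CheckoutScanner()
    p.feed(html)
    findings = {}
    for u in p.urls:
        host = urlparse(u).hostname
        if not host or host in ALLOWED_HOSTS:
            continue
        if registrable_name(host) == registrable_name(LEGIT_SHOP_DOMAIN):
            findings[host] = "lookalike: same name, different TLD"
        else:
            findings[host] = "unlisted third-party host"
    return findings

# Constructed sample checkout page containing one lookalike and one unknown host.
SAMPLE_CHECKOUT = """<html><body>
<script src="https://js.stripe.com/v3/"></script>
<form action="https://www.esaspaceshop.com/checkout/submit"></form>
<script>var pay = "https://esaspaceshop.pics/v3/stripe.js";</script>
<iframe src="https://cdn.example-analytics.net/pixel"></iframe>
</body></html>"""
```

Run it periodically against the live checkout (or in CI against the rendered template) and alert on any non-empty result; pairing it with a Content-Security-Policy that restricts `script-src`, `form-action` and `connect-src` to the allowlisted hosts blocks the same class of injection at the browser.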

The ESA web shop, which sells branded merchandise associated with the agency’s €10bn space exploration mission, has been taken offline. It currently displays a notice stating it is “temporarily out of orbit.” No official comment has been issued by ESA regarding the breach or the measures being taken to address the situation.

Source Defense Research, a web application security firm, confirmed Sansec’s findings and documented the fraudulent payment page as it appeared on the store’s checkout process. The company also noted the sophistication of the attack, which was designed to appear credible to victims.

The breach has raised questions about the extent of data theft and the number of affected customers. While investigations are ongoing, customers who have recently made purchases are advised to check their payment card statements for unauthorised activity.

ESA, known for its work in astronaut training and satellite launches, has yet to provide details about how it plans to strengthen its online security measures following the incident. The attack highlights the vulnerability of even well-regarded institutions to cyber threats, especially when e-commerce systems are integrated with broader organisational networks.

As the fallout continues, cybersecurity experts are urging e-commerce platforms to prioritise robust security protocols to prevent similar incidents, which can erode customer trust and lead to significant financial repercussions.

Recent months have seen a rise in cyberattacks targeting e-commerce platforms, with criminals employing digital skimming techniques to steal payment data. In August 2024, Malwarebytes reported skimmer code infiltrating Magento-based stores, exposing sensitive customer information, including credit card details. By November 2024, Sucuri identified PHP-based skimmers like Smilodon, which covertly harvest payment data, with their obfuscated nature complicating detection. In December 2024, Finland’s Cybersecurity Centre warned of increasing skimming threats, where malicious code on payment pages steals credit card details. These incidents highlight the urgency for e-commerce platforms to adopt stricter security measures to safeguard customer data.
