
The European Space Agency Magecart Attack

The ESA was hit with a Magecart Attack during Christmas 2024 that resulted in the organisation having to take down their online store, with impact continuing into 2025. As is now tradition with these Magecart attacks, the hackers used a simple but highly effective JavaScript payload injected into the ESA site to carry out their attack.

Our founder wrote a detailed analysis of the JavaScript payload, and explained how Report URI could have detected and stopped the attack on multiple fronts. We now also own the domain used to load the Magecart keylogger, and to exfiltrate the stolen customer data, which has been repurposed to redirect to this case study. You can try it out here:

https://esaspaceshop.pics

The Fundamentals of a Magecart Attack

There are only two simple steps required for a Magecart attack to succeed, and if an attacker can complete both of them, the impact can be significant.

  • Inject malicious JavaScript into the page.
  • Steal sensitive data from the page.

It isn't clear how the attackers were able to inject their malicious JavaScript into the ESA site, but they found a way. The simple bootstrap they injected was used to detect when the user was on the checkout page and then trigger the loading of the full payload.

The full payload was loaded from esaspaceshop.pics and the customer payment card information was then skimmed and exfiltrated to that same domain for the attackers to collect.

Managing JavaScript Dependencies

Using a Content Security Policy, organisations can take strict control of what JavaScript dependencies are expected and permitted to load across their site. With Script Watch, you can even monitor those dependencies on an ongoing basis and be notified about any changes. Whilst the ESA attack saw the use of both inline JavaScript and externally loaded assets, we could have still neutralised this attack by detecting and blocking both.

“Foreign espionage campaign launched via Christmas sweaters” in one of the more unusual cybersecurity announcements of 2024

- Forbes

Monitoring Data Exfiltration

As an e-commerce site, it was part of the normal operation of the site for a customer to enter their Cardholder Data, along with other sensitive data like their name and address, into the page. The page then needs to send this data somewhere to be processed and this is another point at which the attack could have been reliably detected.

The attackers used the same domain, esaspaceshop.pics, to act as a Drop Server, a location where the skimmed customer data could be sent for the attackers to retrieve. This means that in order to exfiltrate the CHD or PII from the page, the page needed to communicate with esaspaceshop.pics, and this could have been detected or even blocked.
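The detection described here and under "Managing JavaScript Dependencies", sketched as an added example (not Report URI's code and not part of the original case study): it triages CSP violation reports against a baseline of known hosts, assuming a report-only policy strict enough that each of these loads generates a report. The shop.example and payments.example hosts, the baseline and the sample reports are constructed; only esaspaceshop.pics comes from the case study.

```javascript
// Added example: flag script sources and data destinations missing from a baseline.
const SCRIPT_DIRECTIVES = new Set(["script-src", "script-src-elem", "script-src-attr"]);
const DATA_DIRECTIVES = new Set(["connect-src", "form-action"]);

// Hypothetical baseline for a constructed shop at shop.example.
const baseline = {
  script: new Set(["shop.example", "js.payments.example"]),
  data: new Set(["shop.example", "api.payments.example"]),
};

// Browsers report keywords such as "inline" or "eval" instead of a URL.
function hostOf(blockedUri) {
  try { return new URL(blockedUri).hostname; } catch { return null; }
}

function triage(reports, known) {
  const alerts = [];
  for (const { "csp-report": r } of reports) {
    const directive = r["effective-directive"];
    const kind = SCRIPT_DIRECTIVES.has(directive) ? "script"
      : DATA_DIRECTIVES.has(directive) ? "data" : null;
    if (kind === null) continue; // e.g. style-src or img-src: not tracked here
    const page = r["document-uri"];
    const host = hostOf(r["blocked-uri"]);
    if (host === null) {
      // Assumes the site's own inline scripts carry a nonce or hash,
      // so an inline or eval script report is unexpected code.
      if (kind === "script") alerts.push({ type: "unexpected-inline-script", page, detail: r["blocked-uri"] });
    } else if (!known[kind].has(host)) {
      alerts.push({ type: kind === "script" ? "new-script-host" : "new-data-destination", page, detail: host });
    }
  }
  return alerts;
}

// Constructed sample reports (legacy report-uri JSON shape), checkout page only.
const report = (directive, blocked) => ({ "csp-report": {
  "document-uri": "https://shop.example/checkout",
  "effective-directive": directive, "blocked-uri": blocked } });
const sampleReports = [
  report("script-src-elem", "https://js.payments.example"), // in baseline
  report("script-src-elem", "inline"),                      // injected bootstrap
  report("script-src-elem", "https://esaspaceshop.pics"),   // full payload load
  report("connect-src", "https://esaspaceshop.pics"),       // exfiltration attempt
  report("style-src-elem", "https://cdn.example"),          // ignored directive
];

console.log(triage(sampleReports, baseline));
```

The same unknown host appearing first as a script source and then as a data destination on the checkout page is the pairing the two fundamentals above predict.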

Leaking sensitive data like CHD or PII can attract the attention of Privacy Regulators, especially in light of recent regulation like GDPR, and attract heavy fines like those that the ICO, the data regulator in the UK, issued to both British Airways and Ticketmaster in the past.

British Airways is facing a record fine of £183,000,000 for last year's breach of its security systems

- BBC News Headline (2019)

How we can help

You don't need to spend time developing and maturing a Content Security Policy to work perfectly on your site in order to leverage our tooling. To use products like Script Watch or Data Watch, you can get started with auditing your JavaScript Dependencies and Data Exfiltration Endpoints with a single line of code or config.

Once that single line of code or config is deployed, we can establish a baseline for your site and then our Script Watch and Data Watch products will monitor and alert you to any changes on your site for you to investigate immediately. Often, one of the most damaging aspects of a Magecart attack is that it can go undetected for days, weeks or even months, increasing the scale of the Data Breach as it goes.

In addition to this, we have a selection of features and tools detailed below that will help you get started with CSP and work through to enforcing a policy across your whole site, but please reach out to sales@report-uri.com if you need more information. We can offer a demo and free trial period with no commitment for you to get started.

Hackers Leave European Space Agency Online Store Temporarily Out Of Orbit

- Forbes

Script Watch

Script Watch will monitor all JavaScript dependencies across your entire site and immediately notify you of any changes. A new JavaScript dependency could be the start of a Magecart attack.

Because Script Watch leverages the browser-native Content Security Policy, there is no code or agent to deploy, and running in the browser means we analyse your site in real-time as your users are browsing. We don't have the limitations that external scanning services face, such as authentication or pay walls, geo-sensitive content or an attacker potentially serving safe content to the crawler.


Data Watch

Data Watch will monitor all of the locations that your webpages are sending data to. If your website starts sending data to a new location, it could be the start of a Magecart attack.

With Script Watch and Data Watch combined, you can monitor for clear indicators that your site has been compromised. Attackers will always want to inject their hostile JavaScript, and they'll always want to exfiltrate their stolen data.


The CSP Wizard

We often find that creating a CSP is the first difficult step that organisations face. Having a complete list of all resource dependencies across your entire site like images, scripts or styles, from both 1st-party and 3rd-party locations, is tough to achieve.

The CSP Wizard was created to solve this problem, and in seven days or less, it can give you a complete list of all resources used across your entire site.

With the list of all resources you use on your site, and our easy-to-use tool, creating a viable Content Security Policy is easier than ever with just a few clicks.


The CSP Builder

All Content Security Policies will need to be tweaked at some point. New resources may be added to the site or old resources removed, and the policy needs to be updated to reflect those changes and kept up to date.

You can import your existing policy into the CSP Builder and use our fully featured tool to make any changes that you require right there in the UI. When you're done, hit Generate, and the CSP Builder will provide you with your new, updated policy.


Content Security Policy

Script Watch and Data Watch will allow you to rapidly detect and respond to a Magecart attack and combined, that capability puts you ahead of the field. If you want to take it a step further, Content Security Policy can mitigate a Magecart attack and stop it from even happening.

Deploying an effective Content Security Policy can be difficult, but our CSP Reporting allows you to gather feedback and safely test a policy before deployment. Once deployed, an effective Content Security Policy will block a Magecart attack and stop the hostile JavaScript from even running.


Threat Intelligence

We subscribe to various feeds of Threat Intelligence data, along with managing our own internally generated feeds, to keep apprised of the latest threats that exist online.

Using this Threat Intelligence Data, we can better analyse the sources of JavaScript on your website and detect malicious activity sooner.
