WebRTC Skimmer - Bypasses CSP to Steal Payment Data
Basically, a new type of malware steals payment info from online stores using a clever trick.
A new WebRTC skimmer is stealing payment data from e-commerce sites by bypassing security controls. This malware exploits vulnerabilities in Magento, affecting many online stores. Site owners must act quickly to protect their customers and secure their platforms.
What Happened
Cybersecurity researchers have uncovered a new payment skimmer that utilizes WebRTC data channels to bypass traditional security measures. Unlike conventional methods that rely on HTTP requests or image beacons, this skimmer loads its malicious payload through WebRTC, making it harder to detect. The attack was notably demonstrated on a car maker's e-commerce site, showcasing the evolving tactics of cybercriminals.
The skimmer operates by establishing a WebRTC peer connection to a hard-coded IP address over UDP port 3479. This connection allows it to retrieve JavaScript code that is injected into the webpage, ultimately stealing sensitive payment information from unsuspecting customers. The use of WebRTC marks a significant shift in skimmer technology, as it can evade Content Security Policy (CSP) directives designed to protect against unauthorized data exfiltration.
Who's Being Targeted
The primary targets of this attack are e-commerce platforms, particularly those using Magento Open Source and Adobe Commerce. The vulnerability, known as PolyShell, enables unauthenticated attackers to upload arbitrary executables via the REST API, leading to potential code execution. Since March 19, 2026, this vulnerability has seen mass exploitation, with over 50 IP addresses actively participating in scanning activities.
Sansec, the Dutch security firm that reported this issue, found that 56.7% of all vulnerable stores have been subjected to PolyShell attacks. This widespread targeting indicates a serious threat to online retailers, especially those with lax security measures.
Signs of Infection
Detecting this skimmer can be particularly challenging due to its unique method of data exfiltration. Since WebRTC DataChannels run over DTLS-encrypted UDP, the stolen data does not appear in typical HTTP traffic logs. This makes it difficult for network security tools that primarily inspect HTTP traffic to identify anomalies or breaches. E-commerce site owners should be vigilant for signs of unauthorized code execution or unexpected data flows.
How to Protect Yourself
To mitigate the risks associated with this new skimmer, site owners should take immediate action. Adobe released a fix for the PolyShell vulnerability in version 2.4.9-beta1 on March 10, 2026. However, this patch has not yet been implemented in production versions. Therefore, it is crucial for site administrators to:
- Block access to the pub/media/custom_options/ directory.
- Regularly scan their stores for web shells, backdoors, and other malware.
By implementing these measures, e-commerce platforms can better protect themselves against this sophisticated skimming attack and safeguard their customers' payment information.