WebRTC Skimmer Bypasses CSP to Steal Payment Data from E-Commerce Sites

Divergent

Jul 26, 2025
Cybersecurity researchers have discovered a new payment skimmer that uses WebRTC data channels as a means to receive payloads and exfiltrate data, effectively bypassing security controls.

"Instead of the usual HTTP requests or image beacons, this malware uses WebRTC data channels to load its payload and exfiltrate stolen payment data," Sansec said in a report published this week.

The attack, which targeted a car maker's e-commerce website, is said to have been facilitated by PolyShell, a new vulnerability impacting Magento Open Source and Adobe Commerce that allows unauthenticated attackers to upload arbitrary executables via the REST API and achieve code execution.

 
Executive Summary

Confirmed Facts

Threat actors are actively exploiting a Magento/Adobe Commerce REST API vulnerability ("PolyShell") to plant web shells and inject a JavaScript payment skimmer into checkout pages. The skimmer runs in the shopper's browser and exfiltrates card data over WebRTC data channels, DTLS-encrypted UDP on port 3479 according to the report.

Assessment
This technique deliberately sidesteps the Content Security Policy controls a merchant is likely to have: connect-src and default-src govern fetch, XHR, sendBeacon, WebSocket and EventSource, but RTCPeerConnection traffic answers only to the separate CSP Level 3 webrtc directive, which is rarely deployed and still unevenly supported. A policy that locks down every HTTP channel therefore does nothing against a WebRTC data channel. Because the exfiltration is DTLS-encrypted UDP leaving the shopper's browser rather than the merchant's server, HTTP-centric proxies, WAFs and server-side access logs never see it.

Technical Analysis & Remediations

MITRE ATT&CK Mapping

T1190

Exploit Public-Facing Application (PolyShell initial access).

T1059.007
Command and Scripting Interpreter: JavaScript (Skimmer execution).

T1048.002
Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (WebRTC data channel over DTLS-encrypted UDP; T1048.003 covers only unencrypted protocols).

CVE Profile
No CVE identifier or NVD score is given in the source; the issue is tracked by its name, PolyShell, and rated Critical in the post.
CISA KEV status: Active (as stated in the post).
Mass exploitation reported since March 19, 2026.

Telemetry

IPs

"202.181.177[.]177"

Directories
"pub/media/custom_options/"

Constraint
The injected code is a compact, self-executing JavaScript function that runs only in the shopper's browser memory. Without the full deobfuscated sample, the exact payload size and the complete obfuscation scheme remain unknown.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Command
Initiate incident response protocols for all managed e-commerce platforms and notify compliance teams regarding potential PCI-DSS exposure.

DETECT (DE) – Monitoring & Analysis

Command
Review egress telemetry for outbound UDP on port 3479 and for DTLS/STUN handshakes toward 202.181.177[.]177. Note that the WebRTC session is opened by the shopper's browser, not by the web server, so server-side NetFlow will not show the exfiltration; on the server side, hunt instead for the injected script in checkout page output and for the web shell that planted it.

Command
Scan Magento and Adobe Commerce environments for web shells, specifically within the "pub/media/custom_options/" directory.
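For the directory hunt above, a scanner added here as an example (it is not Sansec's, Adobe's or the original post's tooling): it walks pub/media/custom_options/ or any other upload tree and flags files with server-side executable extensions, files containing a PHP open tag anywhere in their bytes (a shell appended behind a valid JPEG header passes extension and MIME checks), files calling functions typical of minimal web shells, and .htaccess or .user.ini files that could re-enable execution inside the directory. The sample files built by demo_scan() are constructed for the demonstration, and the extension and function lists are this example's own choices, not indicators from the report.

```python
"""Hunt for web shells and PHP polyglots under a Magento media upload directory.

Added example, not tooling from Sansec, Adobe or the forum post. The signature
lists below are this example's own choices; the files written by demo_scan()
are constructed for the demonstration only.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Extensions that should never appear in a customer-upload media tree.
EXEC_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}
# Files that can change how the web server executes content in the directory.
EXEC_CONTROL_FILES = {".htaccess", ".user.ini"}
# A PHP open tag anywhere in the file, including behind a valid image header.
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
# Functions a minimal web shell almost always calls.
SHELL_FUNCS = re.compile(
    rb"\b(eval|assert|system|shell_exec|passthru|exec|popen|proc_open)\s*\(",
    re.IGNORECASE,
)
MAX_READ = 8 * 1024 * 1024  # cap per file so a huge upload does not stall the scan


def classify_file(path: Path) -> list[str]:
    """Return the reasons a file looks like a shell; empty list means nothing found."""
    reasons: list[str] = []
    suffixes = {s.lower() for s in path.suffixes}  # catches cover.php.jpg as well
    if suffixes & EXEC_EXTENSIONS:
        reasons.append("executable-extension")
    if path.name in EXEC_CONTROL_FILES:
        reasons.append("execution-control-file")
    with path.open("rb") as fh:
        data = fh.read(MAX_READ)
    if PHP_OPEN_TAG.search(data):
        reasons.append("php-open-tag")
        if SHELL_FUNCS.search(data):
            reasons.append("shell-function-call")
    return reasons


def scan_media_dir(root: Path) -> dict[str, list[str]]:
    """Walk root recursively and map each suspicious file (relative path) to its reasons."""
    findings: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            reasons = classify_file(path)
            if reasons:
                findings[str(path.relative_to(root))] = reasons
    return findings


def demo_scan() -> dict[str, list[str]]:
    """Build a constructed sample tree in a temp dir and scan it."""
    root = Path(tempfile.mkdtemp(prefix="custom_options_"))
    jpeg_header = b"\xff\xd8\xff\xe0" + b"\x00" * 64  # constructed: JPEG SOI + padding
    samples = {
        "photo.jpg": jpeg_header,                                     # benign upload
        "notes.txt": b"customer engraving text",                      # benign upload
        "cover.jpg": jpeg_header + b"<?php eval(base64_decode($_POST['p'])); ?>",  # polyglot
        "cache.phtml": b"<?= system($_GET['c']); ?>",                   # plain web shell
        ".htaccess": b"AddType application/x-httpd-php .jpg\n",         # re-enables execution
    }
    for name, blob in samples.items():
        (root / name).write_bytes(blob)
    return scan_media_dir(root)


if __name__ == "__main__":
    for rel, why in demo_scan().items():
        print(f"{rel}: {', '.join(why)}")
```

To hunt a real install, call scan_media_dir(Path("/var/www/html/pub/media/custom_options")) and review every hit; treat the execution-control-file finding as context rather than proof, since legitimate Magento installs carry .htaccess files under pub/media, and compare any flagged file's mtime and owner against the deployment history.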

RESPOND (RS) – Mitigation & Containment

Command
Block unsolicited outbound UDP (including port 3479) from application servers at the perimeter as general hardening, but do not mistake this for containment: the skimmer's WebRTC traffic leaves the shopper's browser, not the merchant's server. Containment means removing the injected script from the storefront and the web shell that planted it.

Command
Restrict execution and write access to the "pub/media/custom_options/" directory immediately.

RECOVER (RC) – Restoration & Trust

Command
Apply Adobe Commerce patch version 2.4.9-beta1 (or the latest production equivalent) to remediate the underlying PolyShell vulnerability.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command
Add the CSP Level 3 directive webrtc 'block' to the site's Content-Security-Policy. Browser support is still limited, so treat it as defense in depth rather than a primary control, and keep script-src and connect-src locked down as well; only script-src actually prevents the injected skimmer from running.
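The Assessment above and this hardening step both rest on the same CSP fact: connect-src governs fetch, XHR, sendBeacon and WebSocket, but RTCPeerConnection answers only to the separate webrtc directive. The following audit script, added here and not code from Sansec, Adobe or the original post, evaluates a Content-Security-Policy header against each exfiltration channel a skimmer might use and shows that a typical locked-down policy still lets a WebRTC data channel through until webrtc 'block' is present. The policy strings, the site host shop.example and the target 203.0.113.10 (a documentation address standing in for an attacker's ICE endpoint) are constructed for the demo; the matching is a simplified subset of the CSP source-expression rules (scheme-only sources count as matching any host, ports are ignored).

```python
"""Check which browser exfiltration channels a Content-Security-Policy header governs.

Added example; not code from Sansec, Adobe or the forum post. It models the CSP
Level 3 rules relevant to this skimmer: fetch/XHR/sendBeacon/WebSocket fall under
connect-src (default-src as fallback), image beacons under img-src, and
RTCPeerConnection under the separate 'webrtc' directive, which takes only
'allow' or 'block' and has no default-src fallback. Hosts and policies below
are constructed for the demonstration.
"""
from __future__ import annotations

import re

# Exfiltration primitive -> CSP directive that governs it.
CHANNELS = {
    "fetch": "connect-src",
    "xhr": "connect-src",
    "sendBeacon": "connect-src",
    "websocket": "connect-src",
    "img-beacon": "img-src",
    "webrtc-datachannel": "webrtc",
}

# Constructed policies: a sensible-looking header, and the same header with webrtc blocked.
WEAK_POLICY = "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'"
HARDENED_POLICY = WEAK_POLICY + "; webrtc 'block'"

SCHEME_SOURCE = re.compile(r"^[a-z][a-z0-9+.-]*:$")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def host_source_matches(source: str, host: str) -> bool:
    """Match one host-source (e.g. https://*.cdn.example:443) against a host.

    Simplification: a bare scheme source such as 'https:' matches any host,
    and explicit ports are dropped (hostnames and IPv4 literals only)."""
    if SCHEME_SOURCE.match(source):
        return True
    s = source.split("://", 1)[1] if "://" in source else source
    s = s.split("/", 1)[0]
    if ":" in s:
        s = s.rsplit(":", 1)[0]
    if s == "*":
        return True
    if s.startswith("*."):
        return host.endswith(s[1:])  # *.example.com matches a.example.com, not example.com
    return host == s


def channel_allowed(policy: dict[str, list[str]], channel: str,
                    site_host: str, target_host: str) -> bool:
    """True if the channel may reach target_host from a page on site_host."""
    directive = CHANNELS[channel]
    if directive == "webrtc":
        # CSP3: only "webrtc 'block'" stops RTCPeerConnection. connect-src and
        # default-src never apply, so an absent directive means allowed.
        return policy.get("webrtc", ["'allow'"]) != ["'block'"]
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # no governing directive at all
    for src in sources:
        if src == "'self'" and target_host == site_host:
            return True
        if src.startswith("'"):  # 'none', 'unsafe-inline', nonces, hashes: not host sources
            continue
        if host_source_matches(src, target_host):
            return True
    return False


def audit(header: str, site_host: str, target_host: str) -> dict[str, bool]:
    """Return {channel: True if data could leave to target_host under this policy}."""
    policy = parse_csp(header)
    return {ch: channel_allowed(policy, ch, site_host, target_host) for ch in CHANNELS}


if __name__ == "__main__":
    for label, header in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        open_channels = [ch for ch, ok in audit(header, "shop.example", "203.0.113.10").items() if ok]
        print(f"{label}: exfiltration still possible via {open_channels or 'nothing'}")
```

Run audit() against your own production header with an external host as the target: any channel that comes back True is an exfiltration path the policy does not close, and until webrtc 'block' is deployed the WebRTC row will be True on nearly every real-world policy.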

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety

Command
No immediate disconnection required: this threat lives on compromised merchant servers (Magento/Adobe Commerce) and runs only inside your browser while you are on their checkout page; it does not infect Windows or macOS systems.

Command
If you have recently made purchases on potentially compromised e-commerce sites, monitor your banking statements for unauthorized transactions.

Priority 2: Identity

Command
Consider requesting a new credit card or using virtual/single-use payment cards for online shopping until the broader PolyShell exploitation subsides.

Priority 3: Persistence

Command
N/A. The malicious script resides on the compromised server and executes temporarily in browser memory during checkout, leaving no persistence mechanisms on the consumer's local machine.

Hardening & References

Baseline

CIS Benchmarks for Web Server Security (Apache/Nginx).

Framework
NIST CSF 2.0 / SP 800-61r3.

Source

Sansec Threat Research

The Hacker News
 