
Researchers Uncover WebRTC Skimmer That Bypasses Traditional Defenses

  • Mar 27

Key Findings

  • Sansec researchers discovered a novel payment skimmer using WebRTC data channels to steal and exfiltrate payment data instead of traditional HTTP requests

  • The attackers exploit the PolyShell vulnerability in Magento and Adobe Commerce to inject the skimmer into e-commerce sites

  • WebRTC connections bypass Content Security Policy rules and use encrypted UDP traffic, making detection significantly more difficult than traditional skimmers

  • Since March 19, 2026, the vulnerability has been exploited from over 50 IPs with attacks affecting more than half of vulnerable stores

  • The attack uses a hardcoded attacker server at 202.181.177[.]177 over UDP port 3479 to establish encrypted data channels


Background

Sansec identified this skimmer targeting a car maker's e-commerce site. This represents the first documented case of WebRTC being used as a skimming channel. The discovery highlights a significant gap in current security defenses, as most organizations lack WebRTC-specific controls and monitoring capabilities.


Attack Mechanism

The skimmer operates as a self-executing script that opens a WebRTC connection directly to the attacker's server, bypassing the site's normal web infrastructure entirely. A normal WebRTC session needs a signaling server to exchange session descriptions; this malware instead forges the entire connection setup locally and connects straight to the hardcoded peer over an encrypted DataChannel. Once connected, it receives malicious JavaScript in chunks, which is executed when the connection closes or after a short delay.


Evasion Techniques

The payload employs multiple anti-detection strategies. It copies valid CSP nonces from scripts already on the page so that its injected payload passes a strict script policy; if that method fails, it falls back to alternative execution techniques. The malicious code runs during periods of browser idle time to minimize the chance of being noticed, and the encrypted UDP traffic is invisible to network security tools that inspect only HTTP communications.


Security Implications

WebRTC connections operate outside the scope of standard Content Security Policy rules, creating a fundamental protection gap. Most websites have no WebRTC-specific security controls, so they remain exposed even when their other security measures are robust. Because the traffic is DTLS-encrypted UDP, traditional network monitoring solutions that inspect HTTP cannot see stolen payment data leaving for the attacker's server.
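Since the report notes that sites typically have no WebRTC-specific controls and that the skimmer forges its own session setup toward a hardcoded peer, here is an added page-side guard (my example, not Sansec's or the skimmer's code) that refuses remote descriptions and ICE candidates pointing at hosts outside an allowlist. It takes the `RTCPeerConnection` constructor as a parameter (`window.RTCPeerConnection` in a browser, a stub under Node), and the allowlist host `203.0.113.10` and the `report` callback are assumptions for the demonstration.

```javascript
// Matches "candidate:" lines in SDP bodies and RTCIceCandidateInit strings
const CANDIDATE_RE = /^(?:a=)?candidate:\S+ \d+ (udp|tcp) \d+ (\S+) (\d+) typ (\w+)/i;

// Parse one ICE candidate line into transport, address, port and type
function parseCandidate(line) {
  const m = CANDIDATE_RE.exec(line.trim());
  if (!m) return null;
  return { transport: m[1].toLowerCase(), address: m[2], port: Number(m[3]), type: m[4] };
}

// Policy object: peers must be in allowedHosts, violations go to report()
function makeWebrtcGuard(allowedHosts, report) {
  const allowed = new Set(allowedHosts);
  const check = (cand, where) => {
    if (allowed.has(cand.address)) return true;
    report({ where, ...cand });   // assumed hook: e.g. POST to the site's own telemetry
    return false;
  };
  return {
    // every candidate in an SDP blob must pass; non-candidate lines are ignored
    checkSdp: (sdp) => sdp.split(/\r?\n/).map(parseCandidate).filter(Boolean)
                          .every((c) => check(c, 'sdp')),
    checkCandidate: (line) => { const c = parseCandidate(line); return c ? check(c, 'ice') : true; },
  };
}

// Wrap setRemoteDescription/addIceCandidate on the given constructor so that a
// remote description or candidate pointing at a non-allowlisted host is refused
function installWebrtcGuard(PeerConnection, guard) {
  const proto = PeerConnection.prototype;
  const origSetRemote = proto.setRemoteDescription;
  const origAddIce = proto.addIceCandidate;
  proto.setRemoteDescription = function (desc) {
    if (desc && desc.sdp && !guard.checkSdp(desc.sdp)) {
      return Promise.reject(new Error('WebRTC peer blocked by policy'));
    }
    return origSetRemote.call(this, desc);
  };
  proto.addIceCandidate = function (cand) {
    const line = typeof cand === 'string' ? cand : (cand && cand.candidate) || '';
    if (line && !guard.checkCandidate(line)) {
      return Promise.reject(new Error('ICE candidate blocked by policy'));
    }
    return origAddIce.call(this, cand);
  };
}
```

The hooks must be installed before any third-party script runs, and a script that captures the original prototype methods first can sidestep them, so treat this as telemetry plus friction rather than a hard boundary.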


Sources

  • https://securityaffairs.com/190002/malware/researchers-uncover-webrtc-skimmer-bypassing-traditional-defenses.html

  • https://x.com/shah_sheikh/status/2037134645079199984

  • https://x.com/hackplayers/status/2037137512322216333

© 2025 by Explain IT Again. Powered and secured by Wix
