Cybersecurity experts have uncovered a sophisticated skimmer that leverages WebRTC data channels to infiltrate and extract payment information from e-commerce websites. This new tactic enables the malware to circumvent traditional security barriers.
Innovative Skimmer Exploits WebRTC
Sansec, a renowned security firm, reported that this skimmer diverges from typical HTTP-based methods by utilizing WebRTC data channels. This technique allows the malware to load its harmful payload and transmit stolen data without being detected by standard security measures.
The skimmer specifically targeted a car manufacturer’s online store, exploiting a vulnerability known as PolyShell. This flaw affects platforms like Magento Open Source and Adobe Commerce, allowing unauthorized users to execute code by uploading arbitrary files through the REST API.
Widespread Vulnerability Exploitation
Since March 19, 2026, the PolyShell vulnerability has been extensively exploited, with over 50 IP addresses identified in related scanning activities. Sansec noted that approximately 56.7% of susceptible e-commerce sites have been compromised by these attacks.
The skimmer operates by establishing a WebRTC peer connection to a specific IP address (“202.181.177[.]177”) over UDP port 3479. It then injects JavaScript into the webpage to capture payment data, highlighting a major evolution in skimming techniques.
Challenges in Detecting WebRTC Skimmers
The use of WebRTC presents significant challenges for conventional content security policies (CSP). Even stringent CSP settings that block unauthorized HTTP traffic are vulnerable to WebRTC-based data theft. The data channels run over DTLS-encrypted UDP, making it difficult for network security tools focused on HTTP traffic to detect this activity.
Adobe addressed the PolyShell vulnerability with a patch in version 2.4.9-beta1, released on March 10, 2026. However, this fix has not yet been implemented in production environments, leaving many sites exposed.
Recommended Security Measures
To mitigate these risks, site administrators are advised to block access to the “pub/media/custom_options/” directory and conduct thorough scans for web shells, backdoors, and other malicious software. Such proactive measures are crucial in safeguarding e-commerce platforms from these advanced skimmer attacks.
In conclusion, the emergence of WebRTC-based skimmers underscores the need for continuous advancements in cybersecurity practices. As attackers become more sophisticated, so too must the strategies employed to defend against them.
