Cybersecurity researchers have discovered a new payment skimmer that uses WebRTC data channels as a means to receive payloads and leak data, effectively bypassing security controls.
“Instead of regular HTTP requests or image beacons, this malware uses WebRTC data channels to load its payload and exfiltrate stolen payment data,” Sansec said in a report released this week.
The attack targeted an automaker’s e-commerce website and was said to be facilitated by PolyShell. PolyShell is a new vulnerability affecting Magento open source and Adobe Commerce that allows an unauthenticated attacker to upload arbitrary executable files and execute code via the REST API.
Notably, this vulnerability has been heavily exploited since March 19, 2026, with over 50 IP addresses participating in scanning activity. A Dutch security company announced that PolyShell attacks were discovered against 56.7% of all vulnerable stores.
The skimmer is designed as a self-running script that establishes a WebRTC peer connection to a hard-coded IP address (‘202.181.177’).[.]177″) over UDP port 3479, and then JavaScript code that is injected into web pages to steal payment information.
The use of WebRTC represents a significant evolution in skimmer attacks as it bypasses Content Security Policy (CSP) directives.
“Stores with strict CSPs that block all unauthorized HTTP connections are still at risk of WebRTC-based breaches,” Sansec noted. “The traffic itself is also difficult to detect. WebRTC DataChannel runs over DTLS-encrypted UDP, not HTTP. Network security tools that inspect HTTP traffic will never expose stolen data.”
Adobe released a fix for PolyShell in version 2.4.9-beta1 released on March 10, 2026. However, the patch has not yet been applied to the retail version.
As a mitigation measure, site owners are encouraged to block access to the ‘pub/media/custom_options/’ directory and scan their stores for web shells, backdoors, and other malware.
Source link
