Payment Skimmer Abuses WebRTC Channels to Bypass CSP and Steal Card Data

Security researchers at Sansec have uncovered a payment skimmer that represents a significant technical evolution in how attackers steal card data from online stores. Instead of relying on conventional HTTP requests or image beacons to exfiltrate stolen information, the malware abuses WebRTC data channels — a technique that renders Content Security Policy (CSP) directives effectively useless.

The skimmer was discovered on a car manufacturer's e-commerce website and operates as a self-executing script. Once active, it establishes a WebRTC peer connection to a hardcoded IP address (202.181.177[.]177) over UDP port 3479. Through this channel, it retrieves additional JavaScript that gets injected into the page to harvest payment information at checkout.

The technique is particularly dangerous because WebRTC data channels run over DTLS-encrypted UDP rather than HTTP. Network security tools that inspect HTTP traffic — which is most of them — will never see the stolen data leaving the network. Even stores with strict CSP configurations that block all unauthorized HTTP connections remain fully exposed to this exfiltration method.

The initial compromise vector is PolyShell, a critical vulnerability in Magento Open Source and Adobe Commerce that allows unauthenticated attackers to upload arbitrary executables via the REST API and achieve remote code execution. The flaw has been under mass exploitation since March 19, with Sansec identifying more than 50 IP addresses actively scanning for vulnerable stores. The company reports that 56.7% of all vulnerable Magento/Adobe Commerce stores have already been targeted.

Adobe addressed PolyShell in version 2.4.9-beta1 released on March 10, but the fix has not yet reached production versions — leaving a wide window of exposure for store operators still running vulnerable builds.

What Defenders Should Do:

Magento and Adobe Commerce operators should immediately block access to the pub/media/custom_options/ directory and conduct thorough scans for web shells, backdoors, and injected scripts. Monitor for unusual outbound UDP traffic, particularly to unfamiliar IP addresses on non-standard ports. Traditional HTTP-focused monitoring will not catch WebRTC-based exfiltration, so network detection rules need to account for DTLS-encrypted UDP channels. Apply the PolyShell patch as soon as a production-ready version is available.
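The monitoring advice above turns on one observable: a web server that should only ever emit DNS and NTP over UDP suddenly sending sustained UDP flows to an unfamiliar public address. The script below is an added illustration, not Sansec's tooling or anything from the affected store. It parses a small set of constructed flow records (the format, the 10.0.0.0/8 server address, the resolver and NTP baseline are all assumptions; the 202.181.177[.]177:3479/udp destination is the indicator the article reports) and aggregates every outbound UDP flow to an external host that is not in the allowed baseline. Because DTLS payloads are opaque, the rule looks only at destination, port and volume, which is exactly the data that survives encryption.

```python
"""Flag outbound UDP flows from a web server that fall outside an expected baseline.

Added example for the article above; it is not code from Sansec or the affected
store. Flow format, server address and baseline are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample flow records (not real logs). The destination
# 202.181.177.177 on UDP 3479 is the indicator named in the article;
# everything else is made up to give the rule benign traffic to ignore.
SAMPLE_FLOWS = """\
2024-03-20T10:01:02Z src=10.0.1.5 dst=10.0.0.53 proto=udp sport=41022 dport=53 bytes=88
2024-03-20T10:01:05Z src=10.0.1.5 dst=198.51.100.10 proto=tcp sport=44512 dport=443 bytes=12000
2024-03-20T10:01:09Z src=10.0.1.5 dst=203.0.113.7 proto=udp sport=123 dport=123 bytes=76
2024-03-20T10:01:15Z src=10.0.1.5 dst=202.181.177.177 proto=udp sport=58211 dport=3479 bytes=1480
2024-03-20T10:01:16Z src=10.0.1.5 dst=202.181.177.177 proto=udp sport=58211 dport=3479 bytes=9600
2024-03-20T10:02:00Z src=10.0.1.5 dst=10.0.0.53 proto=udp sport=41023 dport=53 bytes=90
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"sport=(?P<sport>\d+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)

# Assumed baseline for this web server: DNS to the internal resolver and NTP
# to one known time source are the only UDP egress it legitimately needs.
ALLOWED_UDP = {
    ("10.0.0.53", 53),
    ("203.0.113.7", 123),
}


@dataclass
class Finding:
    dst: str
    dport: int
    flows: int
    total_bytes: int


def parse_flows(text):
    """Parse flow lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for field in ("sport", "dport", "bytes"):
            rec[field] = int(rec[field])
        records.append(rec)
    return records


def is_external(ip):
    """True for routable public addresses; RFC 1918, loopback and link-local are internal."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


def find_unexpected_udp(text, allowed=ALLOWED_UDP):
    """Aggregate outbound UDP flows to external hosts that are not in the baseline.

    Returns Finding objects sorted by bytes sent, largest first, so a sustained
    exfiltration channel rises to the top even when it uses few flows.
    """
    agg = {}
    for rec in parse_flows(text):
        if rec["proto"] != "udp":
            continue
        key = (rec["dst"], rec["dport"])
        if key in allowed or not is_external(rec["dst"]):
            continue
        finding = agg.setdefault(key, Finding(rec["dst"], rec["dport"], 0, 0))
        finding.flows += 1
        finding.total_bytes += rec["bytes"]
    return sorted(agg.values(), key=lambda f: -f.total_bytes)


if __name__ == "__main__":
    for f in find_unexpected_udp(SAMPLE_FLOWS):
        print(f"unexpected UDP egress: {f.dst}:{f.dport} flows={f.flows} bytes={f.total_bytes}")
```

Run against the sample, the rule ignores the resolver, the NTP source and the TCP session, and reports the single external UDP destination with two flows totalling 11080 bytes. In production the baseline would come from an observed quiet period rather than a hardcoded set, and the destination IP should be checked against the indicators Sansec published; an allowlist-by-destination approach is what catches this class of channel, since neither the protocol name nor the payload tells you anything once DTLS is in place.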
