
"Instead of the usual HTTP requests or image beacons, this malware uses WebRTC data channels to load its payload and exfiltrate stolen payment data," Sansec said in a report published this week.
"A store with a strict CSP that blocks all unauthorized HTTP connections is still wide open to WebRTC-based exfiltration," Sansec noted. "The traffic itself is also harder to detect. WebRTC DataChannels run over DTLS-encrypted UDP, not HTTP."
"The skimmer is designed as a self-executing script that establishes a WebRTC peer connection to a hard-coded IP address over UDP port 3479 and retrieves JavaScript code that's subsequently injected into the web page for stealing payment information."
Researchers identified a payment skimmer that uses WebRTC data channels for both payload delivery and data exfiltration, sidestepping security controls such as Content Security Policy that only govern HTTP connections. The malware targets e-commerce sites by exploiting the PolyShell vulnerability in Magento and Adobe Commerce, which allows unauthorized code execution. Since March 19, 2026, over 50 IP addresses have been observed scanning for this vulnerability, affecting 56.7% of vulnerable stores. The skimmer runs as a self-executing script that opens a peer connection to a hard-coded IP address over UDP port 3479; because the resulting traffic is DTLS-encrypted UDP rather than HTTP, it is difficult to detect.
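The point Sansec makes is that a CSP written in terms of HTTP sources never sees a WebRTC peer connection, so a store needs a control that looks at WebRTC itself. CSP Level 3 defines a `webrtc 'block'` directive for exactly this, but browser support varies, so a page-side guard is a useful complement. The following is an added example, not code from the Sansec report, the skimmer, or The Hacker News article: a small page-integrity script that wraps the browser's `RTCPeerConnection` so that any attempt to open a peer connection or data channel on a page that has no legitimate use for WebRTC (a checkout page, say) is blocked and reported. The `installWebRtcGuard` function, its options, and the `report` callback are this example's own names; the guard takes the global object as a parameter so it can be exercised outside a browser with a constructed fake.

```javascript
// Added example (not from the Sansec report or The Hacker News article).
// Wraps globalObj.RTCPeerConnection so that peer-connection and data-channel
// creation on a page that should never use WebRTC is blocked and reported.
// `globalObj` is normally `window`; `report` is a page-owned callback
// (e.g. a beacon to the store's own monitoring endpoint). Both are assumptions
// of this example, not APIs from the article.
function installWebRtcGuard(globalObj, options) {
  const { allowWebRtc = false, report = () => {} } = options || {};
  const Original = globalObj.RTCPeerConnection;
  if (typeof Original !== 'function') {
    // Browser without WebRTC, or non-browser runtime: nothing to guard.
    return { installed: false, events: [] };
  }
  const events = [];

  function record(kind, detail) {
    const ev = { kind, detail, at: new Date().toISOString() };
    events.push(ev);
    try { report(ev); } catch (_) { /* reporting must never break the page */ }
  }

  // Pull the STUN/TURN URLs out of an RTCConfiguration so the report shows
  // where the page was about to connect.
  function iceHosts(config) {
    const servers = (config && config.iceServers) || [];
    const hosts = [];
    for (const s of servers) {
      const urls = Array.isArray(s.urls) ? s.urls : [s.urls];
      for (const u of urls) if (typeof u === 'string') hosts.push(u);
    }
    return hosts;
  }

  function GuardedRTCPeerConnection(config, ...rest) {
    record('peerconnection', { iceServers: iceHosts(config) });
    if (!allowWebRtc) {
      // Fail closed: a checkout page has no business opening a peer connection.
      throw new Error('WebRTC is blocked on this page');
    }
    const pc = new Original(config, ...rest);
    // Even where WebRTC is allowed, log every data channel so an unexpected
    // one stands out in the page's own telemetry.
    const origCreate = pc.createDataChannel;
    if (typeof origCreate === 'function') {
      pc.createDataChannel = function (label, ...args) {
        record('datachannel', { label: String(label) });
        return origCreate.call(pc, label, ...args);
      };
    }
    return pc;
  }
  // Keep `instanceof RTCPeerConnection` working for legitimate callers.
  GuardedRTCPeerConnection.prototype = Original.prototype;
  globalObj.RTCPeerConnection = GuardedRTCPeerConnection;
  return { installed: true, events };
}

// In a real page this would run first, before any third-party script, and
// `allowWebRtc` would be true only on pages that genuinely need WebRTC.
if (typeof window !== 'undefined') {
  installWebRtcGuard(window, {
    allowWebRtc: false,
    report: (ev) => console.warn('webrtc-guard', ev),
  });
}
```

The guard must be the first script on the page, and the wrapped property should ideally be made non-writable so a later script cannot simply restore the original; it is a detection and defense-in-depth measure rather than a hard boundary, since a script can still obtain an unwrapped constructor from a freshly created same-origin iframe. It also does nothing about the initial access, which on the affected stores came through the PolyShell vulnerability; patching that remains the primary fix.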
Read at The Hacker News