Researchers found a new skimmer using WebRTC to steal and send payment data, bypassing traditional security controls.

Sansec researchers discovered a new payment skimmer that uses WebRTC data channels instead of typical web requests to load malicious code and exfiltrate stolen payment data.

“What sets this attack apart is the skimmer itself. Instead of the usual HTTP requests or image beacons, this malware uses WebRTC DataChannels to load its payload and exfiltrate stolen payment data.” reported Sansec. “This is the first time Sansec has observed WebRTC used as a skimming channel.”

This technique helps it evade standard security defenses, making detection more difficult compared to traditional skimmers. The researchers pointed out that WebRTC connections are not controlled by standard Content Security Policy rules, allowing attackers to bypass protections even on secure sites. Since support for WebRTC-specific controls is limited and rarely used, most sites remain exposed.

Additionally, WebRTC uses encrypted UDP traffic instead of HTTP, making it harder for network security tools to detect stolen data being transmitted.

The attack targeted a car maker’s e-commerce site by exploiting the PolyShell vulnerability in Magento and Adobe Commerce, which allows attackers to upload malicious files and execute code without authentication. Since March 19, 2026, the flaw has been widely exploited, with scanning from over 50 IPs and attacks affecting more than half of vulnerable stores.

The skimmer is a self-executing script that creates a WebRTC connection to a hardcoded attacker server (“202.181.177[.]177” over UDP port 3479), bypassing traditional web controls.

It forges the entire connection setup locally, avoiding the need for a signaling server, and directly connects to the attacker’s IP over an encrypted DataChannel.

Once connected, it receives malicious JavaScript in chunks, stores it, and executes it when the connection closes or after a short delay. To evade defenses, it steals a valid CSP nonce from existing scripts and uses it to inject the payload, bypassing strict security policies. If that fails, it falls back to other execution methods.

The payload runs quietly during browser idle time, reducing detection risk, and enables attackers to inject code into the page to steal sensitive data such as payment information.

“The traffic itself is also harder to detect. WebRTC DataChannels run over DTLS-encrypted UDP, not HTTP. Network security tools that inspect HTTP traffic will never see the stolen data leave.” concludes the report that also provides Indicators of Compromise (IoCs).

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, skimmer)

Researchers have been tracking a Magecart campaign that targets several major payment providers, including American Express, Diners Club, Discover, and Mastercard.

Magecart is an umbrella term for criminal groups that specialize in stealing payment data from online checkout pages using malicious JavaScript, a technique known as web skimming.

In the early days, Magecart started as a loose coalition of threat actors targeting Magento‑based web stores. Today, the name is used more broadly to describe web-skimming operations against many e‑commerce platforms. In these attacks, criminals inject JavaScript into legitimate checkout pages to capture card data and personal details as shoppers enter them.

The campaign described by the researchers has been active since early 2022. They found a vast network of domains related to a long-running credit card skimming operation with a wide reach.

“This campaign utilizes scripts targeting at least six major payment network providers: American Express, Diners Club, Discover (a subsidiary of Capital One), JCB Co., Ltd., Mastercard, and UnionPay. Enterprise organizations that are clients of these payment providers are the most likely to be impacted.”

Attackers typically plant web skimmers on e-commerce sites by exploiting vulnerabilities in supply chains, third-party scripts, or the sites themselves. This is why web shop owners need to stay vigilant by keeping systems up to date and monitoring their content management system (CMS).

Web skimmers usually hook into the checkout flow using JavaScript. They are designed to read form fields containing card numbers, expiry dates, card verification codes (CVC), and billing or shipping details, then send that data to the attackers.

To avoid detection, the JavaScript is heavily obfuscated to and may even trigger a self‑destruct routine to remove the skimmer from the page. This can cause investigations performed through an admin session to appear unsuspicious.

Besides other methods to stay hidden, the campaign uses bulletproof hosting for a stable environment. Bulletproof hosting refers to web hosting services designed to shield cybercriminals by deliberately ignoring abuse complaints, takedown requests, and law enforcement actions.

How to stay safe

Magecart campaigns affect three groups: customers, merchants, and payment providers. Because web skimmers operate inside the browser, they can bypass many traditional server‑side fraud controls.

While shoppers cannot fix compromised checkout pages themselves, they can reduce their exposure and improve their chances of spotting fraud early.

A few things you can protect against the risk of web skimmers:

• Use virtual or single‑use cards for online purchases so any skimmed card number has a limited lifetime and spending scope.
• Where possible, turn on transaction alerts (SMS, email, or app push) for card activity and review statements regularly to spot unsolicited charges quickly.
• Use strong, unique passwords on bank and card portals so attackers cannot easily pivot from stolen card data to full account takeover.
• Use a web protection solution to avoid connecting to malicious domains.

Pro tip: Malwarebytes Browser Guard is free and blocks known malicious sites and scripts.

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.