π―There's a new kind of online thief that uses a sneaky method to steal your payment info while you shop online. They use a special technology that makes it hard for security tools to catch them. If you run an online store, make sure to update your security to protect your customers!
What Happened
Cybersecurity researchers have uncovered a new payment skimmer that utilizes WebRTC data channels to bypass traditional security measures. Unlike conventional methods that rely on HTTP requests or image beacons, this skimmer loads its malicious payload through WebRTC, making it harder to detect. The attack was notably demonstrated on a car maker's e-commerce site, showcasing the evolving tactics of cybercriminals.
The skimmer operates by establishing a WebRTC peer connection to a hard-coded IP address over UDP port 3479. This connection allows it to retrieve JavaScript code that is injected into the webpage, ultimately stealing sensitive payment information from unsuspecting customers. The use of WebRTC marks a significant shift in skimmer technology, as it can evade Content Security Policy (CSP) directives designed to protect against unauthorized data exfiltration.
Who's Being Targeted
The primary targets of this attack are e-commerce platforms, particularly those using Magento Open Source and Adobe Commerce. The vulnerability, known as PolyShell, enables unauthenticated attackers to upload arbitrary executables via the REST API, leading to potential code execution. Since March 19, 2026, this vulnerability has seen mass exploitation, with over 50 IP addresses actively participating in scanning activities. Sansec, the Dutch security firm that reported this issue, found that 56.7% of all vulnerable stores have been subjected to PolyShell attacks. This widespread targeting indicates a serious threat to online retailers, especially those with lax security measures.
Signs of Infection
Detecting this skimmer can be particularly challenging due to its unique method of data exfiltration. Since WebRTC DataChannels run over DTLS-encrypted UDP, the stolen data does not appear in typical HTTP traffic logs. This makes it difficult for network security tools that primarily inspect HTTP traffic to identify anomalies or breaches. E-commerce site owners should be vigilant for signs of unauthorized code execution or unexpected data flows.
How to Protect Yourself
To mitigate the risks associated with this new skimmer, site owners should take immediate action. Adobe released a fix for the PolyShell vulnerability in version 2.4.9-beta1 on March 10, 2026. However, this patch has not yet been implemented in production versions. Therefore, it is crucial for site administrators to: Additionally, site owners are advised to implement immediate mitigations to protect against ongoing threats and potential data breaches. By implementing these measures, e-commerce platforms can better protect themselves against this sophisticated skimming attack and safeguard their customers' payment information.
Detection
- 1.Block access to the pub/media/custom_options/ directory.
Removal
The evolving tactics of cybercriminals, such as the use of WebRTC for data exfiltration, highlight the need for e-commerce platforms to enhance their security measures and stay updated with patches.
