Malware & Ransomware · HIGH

Malware - Researchers Discover WebRTC Payment Skimmer

Source: Security Affairs
Tags: WebRTC, payment skimmer, Sansec, Magento, Adobe Commerce

In short: a new skimmer uses the browser's WebRTC feature, rather than ordinary web requests, to steal payment details without triggering the usual security checks.

Quick Summary

A new WebRTC skimmer has been discovered, allowing attackers to steal payment data while bypassing traditional security measures. E-commerce sites are at risk, making it crucial for businesses to enhance their defenses against this sophisticated malware.

What Happened

Sansec researchers have discovered a sophisticated new payment skimmer that utilizes WebRTC data channels to steal payment information. This skimmer is unique because it bypasses traditional security controls that typically defend against such attacks. Instead of relying on standard web requests, it uses WebRTC to load malicious code and exfiltrate stolen data, making detection much harder for security systems.

The attack was first observed targeting a car manufacturer's e-commerce site, exploiting a vulnerability in Magento and Adobe Commerce known as PolyShell. This flaw allows attackers to upload malicious files and execute code without proper authentication. Since March 19, 2026, the vulnerability has been widely exploited, affecting numerous online stores.

Who's Being Targeted

The primary target of this skimmer is e-commerce platforms, particularly those using Magento and Adobe Commerce. The WebRTC skimmer is designed to evade detection by traditional security measures, making it particularly dangerous for online retailers. With over 50 IP addresses involved in scanning and attacks, the impact is widespread, affecting more than half of vulnerable stores.

This attack method is alarming because it indicates a shift in tactics among cybercriminals. They are increasingly using advanced techniques to bypass established security protocols, putting sensitive payment data at risk.

Signs of Infection

Identifying this new skimmer can be challenging due to its stealthy operation. The malware establishes a WebRTC connection to a hardcoded attacker server, which allows it to bypass standard web controls. Once connected, it can receive and execute malicious JavaScript quietly, often during periods of browser idle time.

Indicators of compromise (IoCs) include unusual outbound traffic to specific IP addresses and unexpected JavaScript execution on payment pages. Network security tools may struggle to detect this traffic since WebRTC uses DTLS-encrypted UDP, which is not monitored by typical HTTP traffic inspection tools.
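As an added illustration (not code from the Security Affairs article or from Sansec), the following is a site-owner monitor that wraps the browser's RTCPeerConnection on a checkout page so that every peer connection and data channel opened there is recorded; `report` is an assumed callback to the merchant's own logging endpoint. A payment page that never uses WebRTC should produce no events, so any event, and any ICE host not on the site's own allowlist, is a lead worth investigating.

```javascript
// Added example: a page-owner monitor that wraps RTCPeerConnection so every
// WebRTC session and data channel opened on a checkout page is recorded.
// `win` is the global object (window in a browser); `report` is an assumed
// callback, e.g. one that POSTs to the merchant's own logging endpoint.
function installWebRtcMonitor(win, report) {
  const events = [];
  const Original = win.RTCPeerConnection;
  if (typeof Original !== 'function') return events; // nothing to wrap
  const emit = (ev) => { events.push(ev); if (report) report(ev); };

  // The wrapper constructs the real object, so page code that legitimately
  // uses WebRTC keeps working; the monitor only observes.
  function MonitoredPeerConnection(config, ...rest) {
    const pc = new Original(config, ...rest);
    // Collect the STUN/TURN URLs from the configuration so a hardcoded
    // attacker server shows up in the report.
    const iceUrls = ((config && config.iceServers) || [])
      .flatMap((s) => (Array.isArray(s.urls) ? s.urls : [s.urls].filter(Boolean)));
    emit({ kind: 'peer-connection', iceUrls,
           page: win.location ? win.location.pathname : '' });
    // Data channels are the path used to deliver code and carry stolen data.
    const origCreate = pc.createDataChannel;
    if (typeof origCreate === 'function') {
      pc.createDataChannel = function (label, ...args) {
        emit({ kind: 'data-channel', label: String(label) });
        return origCreate.call(this, label, ...args);
      };
    }
    return pc; // returning an object makes `new` yield the real connection
  }
  MonitoredPeerConnection.prototype = Original.prototype; // instanceof still works
  Object.setPrototypeOf(MonitoredPeerConnection, Original); // keep static methods
  win.RTCPeerConnection = MonitoredPeerConnection;
  return events;
}

// Reduce recorded events to the ICE hosts not on the site's own allowlist;
// on a payment page that never uses WebRTC the allowlist is simply empty.
function unexpectedIceHosts(events, allowedHosts) {
  const hosts = new Set();
  for (const ev of events) {
    if (ev.kind !== 'peer-connection') continue;
    for (const url of ev.iceUrls) {
      const host = url.replace(/^[a-z]+:/i, '').split(/[?:]/)[0];
      if (!allowedHosts.includes(host)) hosts.add(host);
    }
  }
  return [...hosts];
}
```

Install the monitor before any other script runs on the checkout page; a wrapper installed later can be bypassed by code that captured the original constructor first.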

How to Protect Yourself

To defend against this emerging threat, e-commerce sites should implement robust security measures. This includes keeping all software up to date and applying patches for known vulnerabilities like the PolyShell flaw. Employing advanced threat detection systems that can analyze WebRTC traffic is also crucial.

Additionally, website owners should review their Content Security Policy (CSP) settings to ensure they are configured to block unauthorized WebRTC connections. Note that the usual `connect-src` directive does not restrict WebRTC, which is precisely how this skimmer sidesteps CSP; the CSP Level 3 `webrtc 'block'` directive is the one that does, where the visitor's browser supports it. Regular security audits and monitoring for unusual activity can help in identifying potential skimmer infections early, reducing the risk of data theft.

Pro insight: The use of WebRTC for skimming marks a significant evolution in malware tactics, necessitating immediate updates to security protocols.

Original article from Security Affairs · Pierluigi Paganini
