Adobe and Unnamed Car Manufacturer: WebRTC Skimmer Bypasses CSP to Steal Payment Data from E-Commerce Sites

New WebRTC-Based Payment Skimmer Bypasses Security Controls in Major E-Commerce Attack

Cybersecurity researchers at Sansec have uncovered a sophisticated payment skimmer that leverages WebRTC data channels to exfiltrate stolen payment data, evading traditional security measures. Unlike conventional skimmers that rely on HTTP requests or image beacons, this malware establishes a peer-to-peer WebRTC connection to transmit payloads and stolen information, making detection significantly harder.

The attack targeted the e-commerce website of a car manufacturer and exploited PolyShell, a critical vulnerability in Magento Open Source and Adobe Commerce. The flaw allows unauthenticated attackers to upload arbitrary executables via the REST API, enabling remote code execution. Since March 19, 2026, the vulnerability has been exploited at scale, with over 50 IP addresses scanning for vulnerable stores. Sansec reports that 56.7% of all exposed stores have already been compromised.

The skimmer operates as a self-executing script that connects to a hard-coded IP address (202.181.177[.]177) over UDP port 3479 using WebRTC. Once connected, it retrieves malicious JavaScript code and injects it into the webpage to steal payment details. Because the traffic is DTLS-encrypted UDP rather than HTTP, it falls outside Content Security Policy (CSP) restrictions and is invisible to many network security tools that only inspect HTTP, which is what makes the attack hard to detect.
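As a defender-side check, the following is an added example (not Sansec's, Adobe's, or the skimmer's code) that scans served storefront HTML for the pattern described above: an inline script that creates an RTCPeerConnection or data channel and points it at a hard-coded IP literal. The HTML it scans is constructed; the only value taken from the report is the skimmer's IP address.

```python
"""Heuristic scanner for WebRTC-based skimmer injections in storefront HTML.

Added example for this page; not code from Sansec, Adobe or the malware.
Flags inline <script> bodies that use the WebRTC API together with a
hard-coded IPv4 literal, which is the pattern the report describes.
"""
import re
from dataclasses import dataclass, field

# IoC from the report (given defanged as 202.181.177[.]177), refanged for matching.
KNOWN_BAD_HOSTS = {"202.181.177.177"}

WEBRTC_API = re.compile(r"\b(RTCPeerConnection|createDataChannel|RTCDataChannel)\b")
IPV4_LITERAL = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SCRIPT_TAG = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)


@dataclass
class Finding:
    script_index: int          # position of the <script> element in the page
    ips: list = field(default_factory=list)
    known_ioc: bool = False    # True if an IP matches the published indicator
    reason: str = ""


def scan_html(html: str) -> list:
    """Return one Finding per inline script that uses WebRTC with an IP literal."""
    findings = []
    for idx, body in enumerate(SCRIPT_TAG.findall(html)):
        uses_webrtc = bool(WEBRTC_API.search(body))
        ips = sorted(set(IPV4_LITERAL.findall(body)))
        if not (uses_webrtc and ips):
            continue  # WebRTC alone (e.g. a support chat widget) is not suspicious
        known = any(ip in KNOWN_BAD_HOSTS for ip in ips)
        reason = "known skimmer IoC" if known else "WebRTC API with hard-coded IP literal"
        findings.append(Finding(idx, ips, known, reason))
    return findings


# Constructed sample page: a normal script, a hostname-based WebRTC widget,
# and a stand-in for the injected loader (it does not run; it is only scanned).
SAMPLE_HTML = """<html><body>
<script src="/static/checkout.js"></script>
<script>
  const pc = new RTCPeerConnection({iceServers: [{urls: "stun:stun.example.com:3478"}]});
</script>
<script>
  const p = new RTCPeerConnection({iceServers: [{urls: "stun:202.181.177.177:3479"}]});
  const dc = p.createDataChannel("x");
</script>
</body></html>"""
```

Run it over a crawl of checkout and payment pages; a hit with `known_ioc` set is a confirmed indicator, while other hits need manual review because some legitimate widgets also use WebRTC.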

Adobe released a beta patch (version 2.4.9-beta1) on March 10, 2026, but the fix has yet to reach production versions. Interim mitigations include blocking access to the pub/media/custom_options/ directory and scanning for web shells. The attack highlights a growing trend of skimmers exploiting non-HTTP protocols to evade detection.

Source: https://thehackernews.com/2026/03/webrtc-skimmer-bypasses-csp-to-steal.html

Adobe Commerce cybersecurity rating report: https://www.rankiteo.com/company/adobe-commerce

CMB Automotive Group Ltd. cybersecurity rating report: https://www.rankiteo.com/company/cmbautomotive

{
  "id": "ADOCMB1774536907",
  "linkid": "adobe-commerce, cmbautomotive",
  "type": "Vulnerability",
  "date": "3/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': 'Automotive',
                        'name': 'Unnamed car manufacturer',
                        'type': 'E-commerce website'}],
 'attack_vector': 'Exploitation of Magento/Adobe Commerce REST API '
                  'vulnerability (PolyShell)',
 'data_breach': {'data_encryption': 'DTLS-encrypted UDP traffic',
                 'data_exfiltration': 'Yes (via WebRTC data channels)',
                 'personally_identifiable_information': 'Payment information',
                 'sensitivity_of_data': 'High (payment information)',
                 'type_of_data_compromised': 'Payment details'},
 'date_detected': '2026-03-19',
 'description': 'Cybersecurity researchers at Sansec uncovered a sophisticated '
                'payment skimmer leveraging WebRTC data channels to exfiltrate '
                'stolen payment data, evading traditional security measures. '
                'The attack targeted an e-commerce website of a car '
                'manufacturer and exploited a critical vulnerability in '
                'Magento Open Source and Adobe Commerce, allowing '
                'unauthenticated attackers to upload arbitrary executables via '
                'the REST API, enabling remote code execution.',
 'impact': {'brand_reputation_impact': 'High (public disclosure of breach)',
            'data_compromised': 'Payment details',
            'identity_theft_risk': 'High (payment information stolen)',
            'operational_impact': 'Potential unauthorized code execution and '
                                  'data exfiltration',
            'payment_information_risk': 'High',
            'systems_affected': 'E-commerce website (Magento/Adobe Commerce)'},
 'initial_access_broker': {'entry_point': 'Magento/Adobe Commerce REST API '
                                          'vulnerability (PolyShell)'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Growing trend of skimmers exploiting non-HTTP protocols '
                    '(e.g., WebRTC) to evade detection; need for stricter API '
                    'security and real-time monitoring of peer-to-peer '
                    'connections.',
 'motivation': 'Financial gain (payment data theft)',
 'post_incident_analysis': {'corrective_actions': 'Patch management, enhanced '
                                                  'API security, WebRTC '
                                                  'traffic monitoring, and CSP '
                                                  'bypass-resistant security '
                                                  'tools.',
                            'root_causes': 'Unpatched Magento/Adobe Commerce '
                                           'vulnerability (PolyShell), lack of '
                                           'real-time monitoring for '
                                           'WebRTC-based exfiltration, '
                                           'insufficient API security '
                                           'controls.'},
 'recommendations': "Apply Adobe's beta patch (2.4.9-beta1), block access to "
                    '*pub/media/custom_options/*, scan for web shells, '
                    'implement CSP bypass-resistant security tools, and '
                    'monitor UDP traffic for anomalous WebRTC connections.',
 'references': [{'source': 'Sansec'}],
 'response': {'containment_measures': 'Blocking access to '
                                      '*pub/media/custom_options/* directory, '
                                      'scanning for web shells',
              'remediation_measures': 'Adobe beta patch (version 2.4.9-beta1)',
              'third_party_assistance': 'Sansec (cybersecurity researchers)'},
 'title': 'New WebRTC-Based Payment Skimmer Bypasses Security Controls in '
          'Major E-Commerce Attack',
 'type': 'Payment Skimmer Attack',
 'vulnerability_exploited': 'CVE-2026-XXXXX (PolyShell - unauthenticated '
                            'arbitrary file upload via REST API)'}