WebRTC Skimmer

Cybersecurity researchers have identified an advanced payment skimmer that leverages WebRTC DataChannels to stealthily retrieve malicious payloads and exfiltrate sensitive data. Unlike traditional skimmers that rely on HTTP requests or image beacons, this variant operates outside conventional web traffic patterns, significantly complicating detection efforts.

Exploitation Entry Point: The PolyShell Vulnerability

The attack campaign was traced back to the exploitation of PolyShell, a critical vulnerability affecting Magento Open Source and Adobe Commerce platforms. This flaw enables unauthenticated attackers to upload arbitrary executable files through the REST API, ultimately leading to full remote code execution.

Since March 19, 2026, the vulnerability has been actively exploited at scale. Over 50 IP addresses have been observed conducting scanning operations, with researchers detecting PolyShell-related compromises in approximately 56.7% of vulnerable online stores.

Attack Mechanics: WebRTC as a Stealth Channel

The skimmer operates as a self-executing script embedded within compromised websites. Upon execution, it initiates a WebRTC peer connection to a hard-coded IP address (202.181.177.177) via UDP port 3479. Through this channel, it retrieves additional malicious JavaScript, which is injected directly into the web page to harvest payment data.

Key characteristics of this technique include:

  • Use of WebRTC DataChannels instead of traditional HTTP-based communication
  • Dynamic retrieval and execution of malicious scripts
  • Direct injection into web pages handling payment information

Security Evasion: Bypassing Traditional Defenses

This approach represents a notable advancement in skimming techniques due to its ability to evade widely deployed security controls. Content Security Policy (CSP), often relied upon to restrict unauthorized outbound connections, does not effectively mitigate this threat.

Even environments with strict CSP configurations that block all unauthorized HTTP traffic remain vulnerable. WebRTC traffic operates over DTLS-encrypted UDP rather than HTTP, rendering it invisible to many network monitoring and inspection tools. As a result, exfiltrated payment data can bypass detection entirely.
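As an added example (not code from the researchers, from Magento, or from Adobe), the following browser-side telemetry hook gives a site operator the visibility CSP lacks here: it wraps RTCPeerConnection on pages that should never use WebRTC (such as checkout), reports every peer connection and DataChannel, and flags ICE servers given as a raw IP address, as in the campaign above. The `report` callback and the page's logging endpoint are assumptions; the IP/port values in any test run are the ones quoted on this page.

```javascript
// Defensive telemetry: report WebRTC use on a page that should never need it.
// `root` is the global object (window in a browser); `report` is an assumed
// callback that forwards each record to the site's own logging endpoint.

// Matches ICE server URLs that point at a raw IPv4 address instead of a hostname.
const RAW_IPV4_URL = /^(stuns?|turns?):(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?/i;

function classifyIceServers(iceServers) {
  const suspicious = [];
  for (const server of iceServers || []) {
    const urls = Array.isArray(server.urls) ? server.urls : [server.urls];
    for (const url of urls) {
      const m = RAW_IPV4_URL.exec(String(url));
      if (m) suspicious.push({ url, ip: m[2], port: m[3] ? Number(m[3]) : null });
    }
  }
  return suspicious;
}

function watchChannel(channel, direction, report) {
  report({ kind: 'datachannel', direction, label: channel.label });
  channel.addEventListener('message', (ev) => {
    const data = ev.data; // string, ArrayBuffer or Blob in real browsers
    const bytes = typeof data === 'string' ? data.length : (data && (data.byteLength ?? data.size)) || 0;
    report({ kind: 'message', direction, label: channel.label, bytes });
  });
}

function installWebRtcMonitor(root, report) {
  const Original = root.RTCPeerConnection;
  if (typeof Original !== 'function') return false; // nothing to wrap

  function Monitored(config, ...rest) {
    const pc = new Original(config, ...rest);
    report({ kind: 'peer-connection', suspicious: classifyIceServers(config && config.iceServers) });
    // Channel the page opens itself (the loader path described above).
    const origCreate = pc.createDataChannel.bind(pc);
    pc.createDataChannel = function (label, opts) {
      const channel = origCreate(label, opts);
      watchChannel(channel, 'local', report);
      return channel;
    };
    // Channel the remote peer opens towards the page.
    pc.addEventListener('datachannel', (ev) => watchChannel(ev.channel, 'remote', report));
    return pc; // returning an object from a constructor replaces `this`
  }
  Monitored.prototype = Original.prototype; // keeps instanceof working for page code
  root.RTCPeerConnection = Monitored;
  return true;
}
```

Install it before any other script runs on the checkout page; a peer connection reported from a page with no legitimate WebRTC feature is itself the alert.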

Patch Availability and Defensive Measures

Adobe addressed the PolyShell vulnerability in version 2.4.9-beta1, released on March 10, 2026. Immediate patching is critical to prevent exploitation.

To reduce exposure and detect potential compromise, the following measures are strongly recommended:

  • Restrict access to the pub/media/custom_options/ directory
  • Conduct thorough scans for web shells, backdoors, and other malicious artifacts

Strategic Implications for E-Commerce Security

The emergence of WebRTC-based skimming highlights a shift toward more sophisticated, protocol-level evasion techniques. Organizations operating e-commerce platforms must expand their defensive strategies beyond HTTP-centric monitoring and incorporate deeper inspection of non-traditional communication channels to effectively counter evolving threats.