Executive Summary
On 24 March 2026, Sansec researchers identified a novel payment skimmer that uses WebRTC data channels, rather than conventional web requests, to load its malicious code and exfiltrate stolen payment data, bypassing traditional security controls. Sansec reported the skimmer targeting ecommerce sites throughout March 2026, with initial access gained by exploiting the PolyShell vulnerability in Magento and Adobe Commerce.
Key Takeaways
- Novel Exfiltration Technique: This is reportedly the first observed instance of WebRTC being used as a skimming channel.
- CSP Bypass: The standard Content Security Policy (CSP) directives that constrain scripts and network requests (script-src, connect-src) reportedly do not govern WebRTC connections, so the channel works even on hardened sites. CSP Level 3 defines a dedicated webrtc 'block' directive, but browser support is uneven and it is rarely deployed, so most sites remain exposed.
- Encrypted Traffic Evades Detection: WebRTC data channels carry SCTP over DTLS-encrypted UDP rather than HTTP, so network security tools that only inspect HTTP(S) traffic never see the stolen data leave.
- Exploited Vulnerability: The attack reportedly gained a foothold on the e-commerce site by exploiting the PolyShell vulnerability in Magento and Adobe Commerce, which allows unauthenticated file upload and code execution. Since 19 March 2026 the flaw has been widely exploited, with scanning observed from more than 50 IP addresses and attacks affecting more than half of vulnerable stores.
- Stealthy Execution: The skimmer reads a valid CSP nonce from a script already on the page (nonces are exposed to page scripts through the element's nonce property) and attaches it to its injected payload, satisfying a nonce-based script-src policy. If that fails, it falls back to alternative execution methods. The payload runs during browser idle time to further reduce detection risk.
Mitigation Options
- Patch Immediately: Prioritize patching the PolyShell vulnerability in Magento and Adobe Commerce environments, given active widespread exploitation.
- Implement WebRTC Controls: Review and restrict WebRTC usage at the network and application level. If the storefront has no legitimate use for WebRTC, block it in the page where the browser supports the CSP Level 3 webrtc 'block' directive, and block unexpected outbound UDP from managed endpoints.
- Enhance Network Monitoring: Extend detection beyond HTTP inspection to cover DTLS/SCTP-over-UDP traffic patterns, including outbound UDP to the indicator address and port below and DTLS handshakes to unknown destinations from storefront sessions.
- CSP Hardening: Audit CSP nonce handling, and keep in mind its limits here: a nonce cannot stop a script that is already executing in the page from reading it, and an attacker with server-side code execution can emit correctly nonced scripts anyway. CSP is defence in depth in this scenario, not the boundary; removing the attacker's server-side foothold is.
- Integrity Monitoring: Deploy server-side file integrity monitoring to detect unauthorized file uploads or script modifications.
Indicators of Compromise
| Type | Value |
| --- | --- |
| IP Address | 202[.]181[.]177[.]177 |
| Network Artifact | UDP port 3479 |
| ICE credential (hardcoded in SDP) | 05l0TstonL9bYAdB04I6x2 |
| ICE credential (hardcoded in SDP) | JxCvVg2YnHDqAcpPS8mkqC |
| DTLS fingerprint (SHA-256) | 9E:BB:2A:E2:C5:B8:DC:0A:8B:A7:85:E1:9F:C4:F8:A8:09:2A:F4:1E:70:30:1B:AF:9F:26:97:BE:E2:6E:E3:1D |
| WebRTC SDP pattern (detection signature) | m=application 3479 UDP/DTLS/SCTP webrtc-datachannel |
| WebRTC SDP pattern (detection signature) | a=sctp-port:5000 |
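The indicators above are all properties of the WebRTC session description the skimmer hardcodes, so they can be matched wherever that SDP is visible: in a page-side guard before the browser opens the connection, or offline against captured signalling. The following is an added example, not Sansec's code and not part of the original advisory. It parses the SDP lines the indicators refer to, matches them against the indicator list, and, when it runs in a browser, wraps RTCPeerConnection.prototype.setRemoteDescription so that a matching session is rejected and reported. The two sample session descriptions are constructed; the assignment of the two ICE credentials to ice-ufrag and ice-pwd in the sample is an assumption, since the advisory does not say which is which, so the matcher checks both values against both attributes.

```javascript
// Added example (not Sansec's code): match a WebRTC session description
// against the indicators in this advisory, and optionally guard
// RTCPeerConnection in a browser. Runs stand-alone under Node.

const IOC = {
  ips: new Set(['202.181.177.177']),
  dataChannelPorts: new Set([3479]),
  // Advisory lists both credentials without saying which is ufrag/pwd.
  iceCredentials: new Set(['05l0TstonL9bYAdB04I6x2', 'JxCvVg2YnHDqAcpPS8mkqC']),
  dtlsFingerprints: new Set([
    '9E:BB:2A:E2:C5:B8:DC:0A:8B:A7:85:E1:9F:C4:F8:A8:09:2A:F4:1E:70:30:1B:AF:9F:26:97:BE:E2:6E:E3:1D',
  ]),
};

// Minimal SDP parser covering only the lines the indicators refer to.
function parseSdp(sdp) {
  const out = { media: [], candidates: [], connectionAddrs: [],
    iceUfrag: null, icePwd: null, fingerprint: null, sctpPort: null };
  for (const raw of String(sdp).split(/\r?\n/)) {
    const line = raw.trim();
    if (line.length < 2 || line[1] !== '=') continue;
    const type = line[0], value = line.slice(2);
    if (type === 'm') {                       // m=<media> <port> <proto> <fmt...>
      const [media, port, proto, ...fmts] = value.split(' ');
      out.media.push({ media, port: Number(port), proto, fmts });
    } else if (type === 'c') {                // c=IN IP4 <addr>
      out.connectionAddrs.push(value.split(' ')[2]);
    } else if (type === 'a') {                // a=<name>[:<value>]
      const sep = value.indexOf(':');
      const name = sep === -1 ? value : value.slice(0, sep);
      const val = sep === -1 ? '' : value.slice(sep + 1);
      if (name === 'ice-ufrag') out.iceUfrag = val;
      else if (name === 'ice-pwd') out.icePwd = val;
      else if (name === 'fingerprint') out.fingerprint = (val.split(' ')[1] || '').toUpperCase();
      else if (name === 'sctp-port') out.sctpPort = Number(val);
      else if (name === 'candidate') {        // <found> <comp> <transport> <prio> <addr> <port> typ ...
        const f = val.split(' ');
        out.candidates.push({ transport: f[2].toLowerCase(), addr: f[4], port: Number(f[5]) });
      }
    }
  }
  return out;
}

// Returns the list of indicator hits found in an SDP (empty when clean).
function matchIocs(sdp) {
  const d = parseSdp(sdp);
  const hits = [];
  for (const m of d.media) {
    if (m.media === 'application' && m.fmts.includes('webrtc-datachannel') && IOC.dataChannelPorts.has(m.port)) {
      hits.push({ type: 'datachannel-port', value: `${m.proto} ${m.port}` });
    }
  }
  for (const addr of new Set([...d.connectionAddrs, ...d.candidates.map(c => c.addr)])) {
    if (IOC.ips.has(addr)) hits.push({ type: 'remote-ip', value: addr });
  }
  for (const cred of [d.iceUfrag, d.icePwd]) {
    if (cred && IOC.iceCredentials.has(cred)) hits.push({ type: 'ice-credential', value: cred });
  }
  if (d.fingerprint && IOC.dtlsFingerprints.has(d.fingerprint)) {
    hits.push({ type: 'dtls-fingerprint', value: d.fingerprint });
  }
  return hits;
}

// Browser guard: reject remote descriptions that match. Detection aid only:
// it must load before other scripts, and a script already running in the
// page can restore the original method. Returns false outside a browser.
function installPeerConnectionGuard(report = (msg, hits) => console.warn(msg, hits)) {
  const PC = globalThis.RTCPeerConnection;
  if (typeof PC !== 'function') return false;
  const original = PC.prototype.setRemoteDescription;
  PC.prototype.setRemoteDescription = function guarded(desc, ...rest) {
    const sdp = desc && typeof desc === 'object' ? desc.sdp : desc;
    const hits = matchIocs(sdp || '');
    if (hits.length > 0) {
      report('WebRTC remote description matches skimmer indicators; rejecting', hits);
      return Promise.reject(new Error('WebRTC session rejected by skimmer guard'));
    }
    return original.call(this, desc, ...rest);
  };
  return true;
}

// Constructed sample: what a hardcoded remote description using the
// advisory's indicators would look like.
const SKIMMER_SDP = [
  'v=0', 'o=- 0 0 IN IP4 127.0.0.1', 's=-', 't=0 0', 'a=group:BUNDLE 0',
  'm=application 3479 UDP/DTLS/SCTP webrtc-datachannel',
  'c=IN IP4 202.181.177.177',
  'a=ice-ufrag:05l0TstonL9bYAdB04I6x2',       // assumed ufrag/pwd assignment
  'a=ice-pwd:JxCvVg2YnHDqAcpPS8mkqC',
  'a=fingerprint:sha-256 9E:BB:2A:E2:C5:B8:DC:0A:8B:A7:85:E1:9F:C4:F8:A8:09:2A:F4:1E:70:30:1B:AF:9F:26:97:BE:E2:6E:E3:1D',
  'a=setup:passive', 'a=mid:0', 'a=sctp-port:5000',
  'a=candidate:1 1 udp 2130706431 202.181.177.177 3479 typ host',
].join('\r\n');

// Constructed benign data-channel session: same m-line shape and the
// default sctp-port 5000, but none of the indicators.
const BENIGN_SDP = [
  'v=0', 'o=- 1 1 IN IP4 127.0.0.1', 's=-', 't=0 0',
  'm=application 9 UDP/DTLS/SCTP webrtc-datachannel', 'c=IN IP4 0.0.0.0',
  'a=ice-ufrag:aB3d', 'a=ice-pwd:k9Qz7mPw1LxVbN2cRtYu8eHs',
  'a=fingerprint:sha-256 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF',
  'a=sctp-port:5000', 'a=candidate:1 1 udp 2130706431 192.0.2.10 54321 typ host',
].join('\r\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log('skimmer SDP hits:', matchIocs(SKIMMER_SDP));
  console.log('benign SDP hits :', matchIocs(BENIGN_SDP));
  console.log('guard installed :', installPeerConnectionGuard());
}
```

Two points the benign sample is there to make: a=sctp-port:5000 is the usual default for browser data channels and webrtc-datachannel m-lines are common on legitimate sites, so those two signatures should only raise an alert in combination with the port, address, credentials or fingerprint, never on their own. And because the skimmer runs inside the page, the guard is an early-warning hook rather than a control: it has to be the first script to run, and nothing stops a later script from replacing the wrapped method, so the durable fix remains patching PolyShell and removing the server-side foothold.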