Researchers found a new skimmer using WebRTC to steal and send payment data, bypassing traditional security controls.Sansec researchers discovered a new payment skimmer that uses WebRTC data channels instead of typical web requests to load malicious code and exfiltrate stolen payment data. “What sets this attack apart is the skimmer itself. Instead of the usual HTTP requests or image beacons, this malware uses WebRTC DataChannels to load its payload and exfiltrate stolen payment data.” reported Sansec. “This is the first time Sansec has observed WebRTC used as a skimming channel.”This technique helps it evade standard security defenses, making detection more difficult compared to traditional skimmers. The researchers pointed out that WebRTC connections are not controlled by standard Content Security Policy rules, allowing attackers to bypass protections even on secure sites. Since support for WebRTC-specific controls is limited and rarely used, most sites remain exposed.Additionally, WebRTC uses encrypted UDP traffic instead of HTTP, making it harder for network security tools to detect stolen data being transmitted.The attack targeted a car maker’s e-commerce site by exploiting the PolyShell vulnerability in Magento and Adobe Commerce, which allows attackers to upload malicious files and execute code without authentication. Since March 19, 2026, the flaw has been widely exploited, with scanning from over 50 IPs and attacks affecting more than half of vulnerable stores.The skimmer is a self-executing script that creates a WebRTC connection to a hardcoded attacker server (“202.181.177[.]177” over UDP port 3479), bypassing traditional web controls. It forges the entire connection setup locally, avoiding the need for a signaling server, and directly connects to the attacker’s IP over an encrypted DataChannel.Once connected, it receives malicious JavaScript in chunks, stores it, and executes it when the connection closes or after a short delay. To evade defenses, it steals a valid CSP nonce from existing scripts and uses it to inject the payload, bypassing strict security policies. If that fails, it falls back to other execution methods.The payload runs quietly during browser idle time, reducing detection risk, and enables attackers to inject code into the page to steal sensitive data such as payment information.“The traffic itself is also harder to detect. WebRTC DataChannels run over DTLS-encrypted UDP, not HTTP. Network security tools that inspect HTTP traffic will never see the stolen data leave.” concludes the report that also provides Indicators of Compromise (IoCs).Follow me on Twitter: @securityaffairs and Facebook and MastodonPierluigi Paganini(SecurityAffairs – hacking, skimmer)