Sansec researchers have spotted a new, previously undocumented method of payment skimming that leverages WebRTC DataChannels, a browser technology for real-time peer-to-peer communication, to receive malicious code and exfiltrate stolen payment data.
Unlike traditional skimmers that rely on HTTP requests or image beacons, the observed malware operates outside conventional web traffic. By using WebRTC, the attackers bypass common defenses such as Content Security Policy (CSP) and HTTP-based monitoring tools. According to Sansec, this is the first documented case of WebRTC being used as a data exfiltration channel in a payment skimming attack.
The malware establishes a direct WebRTC peer connection to an attacker-controlled server using a hardcoded IP address and credentials, without the need for a signaling server. Once connected, the attacker sends additional malicious JavaScript through an encrypted DataChannel. The payload is reassembled in the victim's browser and then executed.
Because DataChannels run over DTLS-encrypted UDP rather than HTTP, most network inspection tools cannot see the data being sent. Additionally, current CSP rules do not restrict WebRTC connections, leaving even well-secured websites vulnerable.
The campaign has already impacted several high-profile targets, including a major car manufacturer, a top-three US bank, and a top-ten global supermarket chain. In total, Sansec reports discovering skimmers on five multi-billion-dollar companies over the past two months.
Researchers believe the attacks are linked to a widespread exploitation campaign targeting a vulnerability known as “PolyShell.” First flagged by Sansec last week, the flaw allows unauthenticated file uploads via a store’s REST API. Since mass exploitation began on March 19, the firm has observed attacks on more than 56% of vulnerable online stores. No official patch is currently available.
Sansec says it has notified the affected car manufacturer but has not yet received a response. In the meantime, online retailers are strongly recommended to audit their systems for PolyShell vulnerabilities and keep an eye out for unusual WebRTC activity.
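One way a store can watch for the activity described above is to wrap the browser's RTCPeerConnection before any third-party script runs, so every peer connection, remote description and data channel on the checkout page is logged (or refused). The following is an added example written for this article, not code from Sansec or from the skimmer; it assumes `scope` is the page window (the offline test uses a mock) and that no legitimate WebRTC is expected on the payment page.

```javascript
// Added example, not code from Sansec or from any skimmer: a defensive hook that
// wraps scope.RTCPeerConnection so a checkout page can log or block WebRTC peer
// connections and record the remote addresses they are pointed at.
// Assumes it runs before any other script; `scope` is the page window (tests use a mock).
const CANDIDATE_RE = /a=candidate:\S+ \d+ \S+ \d+ (\S+) (\d+)/g;

// Pull remote IP:port pairs out of an SDP blob (what setRemoteDescription receives).
function sdpRemoteEndpoints(sdp) {
  return Array.from(String(sdp || "").matchAll(CANDIDATE_RE), (m) => `${m[1]}:${m[2]}`);
}

function installWebRtcGuard(scope, { block = false, onEvent = () => {} } = {}) {
  const Original = scope.RTCPeerConnection;
  if (typeof Original !== "function") return null; // no WebRTC in this environment
  const events = [];
  const report = (evt) => { events.push(evt); onEvent(evt); };

  function GuardedRTCPeerConnection(config, ...rest) {
    // Any peer connection on a payment page is suspicious; record who asked for it.
    report({ type: "peerconnection", stack: new Error().stack });
    if (block) throw new Error("RTCPeerConnection blocked by WebRTC guard");
    const pc = new Original(config, ...rest);

    // The signalling-free pattern described above bakes the attacker's address into
    // the remote description, so that is where the endpoint can be captured.
    const origSetRemote = pc.setRemoteDescription;
    pc.setRemoteDescription = function (desc, ...args) {
      report({ type: "remote", endpoints: sdpRemoteEndpoints(desc && desc.sdp) });
      return origSetRemote.call(this, desc, ...args);
    };
    const origCreateDC = pc.createDataChannel;
    pc.createDataChannel = function (label, ...args) {
      report({ type: "datachannel", label: String(label) });
      return origCreateDC.call(this, label, ...args);
    };
    return pc;
  }
  Object.setPrototypeOf(GuardedRTCPeerConnection, Original); // keep static methods
  GuardedRTCPeerConnection.prototype = Original.prototype;   // keep instanceof working
  scope.RTCPeerConnection = GuardedRTCPeerConnection;
  return { events, restore: () => { scope.RTCPeerConnection = Original; } };
}
```

A hostile script can still obtain a pristine constructor from a freshly created iframe, so treat the hook as telemetry and a tripwire that feeds your monitoring, not as a security boundary.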