Just when we thought e-commerce checkout pages were securely protected, attackers have moved beyond the traditional communication protocols. Cybersecurity company Sansec recently issued a warning: its report describes a new type of web skimming attack spreading globally. Unlike previous malicious scripts, this attack is the first to use the peer-to-peer WebRTC (Web Real-Time Communication) mechanism to skim credit card information, successfully bypassing existing network monitoring tools and Content Security Policies (CSPs). In the past two months, five multinational giants with market capitalizations of several billion dollars have been victimized, including the top three U.S. banks and a car manufacturer with a market capitalization of over 100 billion dollars.
Why WebRTC? A perfect cloak of invisibility to bypass CSPs and HTTP monitoring.
Past Magecart (card skimming) attacks mostly involved injecting malicious JavaScript and then sending the stolen data back to the attacker's C2 server via HTTP requests. However, with enterprises widely deploying Content Security Policies (CSPs) and Web Application Firewalls (WAFs), the success rate of that method is declining.
But Sansec researchers discovered that this time the attackers switched to the WebRTC DataChannel:
• Non-traditional traffic: WebRTC communicates over UDP encrypted with DTLS (a DataChannel carries SCTP over DTLS) instead of a traditional HTTP connection. Since most enterprise network security tools only perform deep packet inspection on HTTP traffic, WebRTC traffic is effectively invisible to them.
• CSP's lawless zone: WebRTC is a peer-to-peer connection mechanism that currently sits at the fringes of mainstream CSP specifications. Although the Chrome browser has begun testing support for a specific CSP directive to govern WebRTC, the lack of industry standardization means almost no websites actually deploy it, so attackers bypass the defenses with ease.
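Because a standard CSP rarely says anything about WebRTC, a site operator who wants visibility today has to get it from inside the page. The following is an added example, not Sansec's code and not part of the original report: a small guard that wraps the page's RTCPeerConnection constructor so that every peer connection is recorded (with the stack trace that names the calling script) and DataChannel creation is refused unless the page policy allows it. It assumes the site can run this script before any third-party script, for example as the first inline script on the checkout page; the fake window, the policy option names and the demo function are constructed for this example.

```javascript
// Added example (not Sansec's code, not part of the original report): a
// page-level guard that makes WebRTC DataChannel use observable and
// policy-controlled from inside the page. Assumes it runs before any other
// script on the page; policy option names are this example's own.

function installWebRtcGuard(win, policy = {}) {
  const Original = win.RTCPeerConnection;
  if (typeof Original !== 'function') return null; // no WebRTC in this environment
  const allowDataChannels = policy.allowDataChannels === true;
  const report = typeof policy.onEvent === 'function' ? policy.onEvent : () => {};
  const events = [];

  function record(kind, detail) {
    const ev = { kind, detail, time: Date.now() };
    events.push(ev);
    report(ev); // e.g. navigator.sendBeacon(...) to the site's own telemetry endpoint
  }

  function GuardedPC(...args) {
    // Who is opening a peer connection? The stack names the calling script URL.
    record('peerconnection', { config: args[0], stack: new Error().stack });
    const pc = new Original(...args);
    const originalCreate = pc.createDataChannel;
    pc.createDataChannel = function (label, ...rest) {
      record('datachannel', { label });
      if (!allowDataChannels) {
        // A checkout page has no business opening P2P data channels: refuse.
        throw new Error('RTCDataChannel blocked by page policy: ' + label);
      }
      return originalCreate.apply(pc, [label, ...rest]);
    };
    return pc; // returning an object from a constructor makes `new` yield it
  }
  GuardedPC.prototype = Original.prototype;   // instanceof keeps working
  Object.setPrototypeOf(GuardedPC, Original); // statics such as generateCertificate still resolve

  win.RTCPeerConnection = GuardedPC;
  return { events, restore() { win.RTCPeerConnection = Original; } };
}

// Constructed stand-in for a browser window so the guard can be exercised offline.
function makeFakeWindow() {
  class FakePeerConnection {
    constructor(config) { this.config = config; this.channels = []; }
    createDataChannel(label) { const ch = { label }; this.channels.push(ch); return ch; }
  }
  return { RTCPeerConnection: FakePeerConnection };
}

// Media-only peer connections are allowed through; a data channel is refused and logged.
function demoGuard() {
  const win = makeFakeWindow();
  const guard = installWebRtcGuard(win, { allowDataChannels: false });
  const pc = new win.RTCPeerConnection({ iceServers: [] });
  let blocked = false;
  try { pc.createDataChannel('data'); } catch (e) { blocked = true; }
  return { blocked, kinds: guard.events.map(e => e.kind), channelsOpened: pc.channels.length };
}
```

In a real page you would call `installWebRtcGuard(window, { allowDataChannels: false, onEvent: ev => navigator.sendBeacon('/telemetry', JSON.stringify(ev)) })`. Treat this as telemetry and hardening rather than a security boundary: a script that obtains a fresh constructor from a newly created iframe sidesteps an in-page wrapper, which is why the browser-enforced CSP Level 3 `webrtc 'block'` directive is the better control wherever the browsers you support honor it.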
Combining the PolyShell vulnerability: covert tactics from intrusion to fund theft
This sophisticated attack did not come out of nowhere. Sansec points out that the entry point through which the attackers infiltrated the e-commerce websites was most likely the recently rampant PolyShell vulnerability. This vulnerability has resulted in malicious PHP code being uploaded to nearly 60% of Adobe Commerce and Magento e-commerce platforms.
During the actual attack execution phase, the attackers showed an extremely high level of stealth:
• Lightweight loading: In the initial stage only a very small JavaScript loader is embedded, and basic CSP restrictions are bypassed by reusing an existing script nonce or relying on unsafe-eval.
• Delayed execution (requestIdleCallback): To reduce the chance of triggering behavior-based detection, the malware deliberately uses the browser's deferred execution mechanism and launches only when the system is idle.
• Silent theft of funds: Once the WebRTC connection is established and the second-stage payload has been received, the program lurks on the checkout page, intercepts the user's credit card number, expiration date and security code, then packages them and sends them to the attacker's server over UDP.
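The three stages above leave recognizable traces in script source: a loader that touches an existing nonce or dynamic code evaluation, an idle-time callback, a peer connection with a data channel, and selectors for card fields. The following is an added example, not Sansec's tooling and not part of the original report: a static indicator scan that a site operator could run over the scripts collected from a checkout page (or over a crawler's snapshot of them) to triage which ones deserve a closer look. The indicator list, the weights, the verdict thresholds and the three sample scripts are all constructed for this example.

```javascript
// Added example (not Sansec's tooling): a static indicator scan over script
// sources from a checkout page. Indicator ids, weights, thresholds and the
// sample scripts are constructed for illustration only.

const INDICATORS = [
  { id: 'webrtc-peer',        re: /RTCPeerConnection/,                           weight: 2 },
  { id: 'webrtc-datachannel', re: /createDataChannel/,                           weight: 3 },
  { id: 'idle-callback',      re: /requestIdleCallback/,                         weight: 2 },
  { id: 'card-fields',        re: /cc-number|cc-csc|cc-exp|cardnumber|cvv|cvc/i, weight: 3 },
  { id: 'dynamic-eval',       re: /\beval\s*\(|new\s+Function\s*\(/,             weight: 2 },
  { id: 'nonce-reuse',        re: /\.nonce\b|\[nonce\]/,                         weight: 2 },
];

// Score one script: the WebRTC data channel plus card-field access is the
// combination this attack relies on, so that pair is rated high on its own.
function scanScript(name, source) {
  const matched = INDICATORS.filter(ind => ind.re.test(source));
  const hits = matched.map(ind => ind.id);
  const score = matched.reduce((sum, ind) => sum + ind.weight, 0);
  let verdict = 'low';
  if (hits.includes('webrtc-datachannel') && hits.includes('card-fields')) verdict = 'high';
  else if (score >= 4) verdict = 'medium';
  return { name, hits, score, verdict };
}

// Scan a { name: source } map and return results, most suspicious first.
function scanScripts(scripts) {
  return Object.entries(scripts)
    .map(([name, src]) => scanScript(name, src))
    .sort((a, b) => b.score - a.score);
}

// Constructed samples: a legitimate video-chat widget, a loader-like stub that
// reuses the page nonce and evaluates code, and a stub with the stage-two pattern.
// None of them does anything; they exist only to exercise the scanner.
const SAMPLE_SCRIPTS = {
  'support-chat.js': `
    const pc = new RTCPeerConnection({ iceServers: [{ urls: 'stun:stun.example.invalid' }] });
    navigator.mediaDevices.getUserMedia({ video: true, audio: true })
      .then(stream => stream.getTracks().forEach(t => pc.addTrack(t, stream)));`,
  'loader-stage.js': `
    const s = document.createElement('script');
    s.nonce = document.currentScript.nonce;
    new Function(stage2Source)();`,
  'stage2.js': `
    requestIdleCallback(() => {
      const pc = new RTCPeerConnection({ iceServers: [] });
      const channel = pc.createDataChannel('d');
      const pan = document.querySelector('input[autocomplete="cc-number"]');
    });`,
};

function demoScan() { return scanScripts(SAMPLE_SCRIPTS); }
```

Running `demoScan()` rates the stage-two stub high, the loader stub medium and the video-chat widget low, even though the widget also uses RTCPeerConnection: media-only WebRTC is normal, a data channel next to card-field selectors is not. Regex matching is defeated by string splitting and other obfuscation, so use this as a triage pass alongside runtime telemetry and a review of which scripts legitimately hold a nonce on the checkout page.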
Analysis
The new WebRTC skimming attack revealed by Sansec represents a significant technical upgrade to web skimming techniques.
In the past, defense against e-commerce skimming attacks typically relied on CSPs to block unauthorized external network connections and on monitoring for abnormal HTTP transmissions. This time, however, the attackers went underneath that layer: using WebRTC, a technology originally designed for video calls and P2P file transfers, they sent the stolen data inside encrypted UDP packets. It is as if the malicious program has already escaped by helicopter (WebRTC) while the protection mechanism is still inspecting the regular highway (HTTP).
This is a serious warning for enterprise IT and cybersecurity teams. E-commerce platforms running Adobe Commerce and Magento in particular must not only patch the PolyShell vulnerability as soon as possible but also re-examine whether their network protection mechanisms can parse non-HTTP traffic at all. With car manufacturers and top banks, each worth hundreds of billions of dollars, among the victims, this is clearly no longer indiscriminate phishing against small and medium-sized e-commerce companies, but a sophisticated, targeted attack on high-value targets.