Executive Summary
In March 2026, cybersecurity researchers identified a novel web skimming attack targeting e-commerce platforms. This attack leverages WebRTC data channels to exfiltrate payment information, effectively bypassing traditional security measures such as Content Security Policy (CSP) controls. The skimmer, implemented in JavaScript, establishes a direct, encrypted communication channel with a command-and-control server, facilitating the stealthy transmission of stolen credit card data. This method allows attackers to circumvent standard detection mechanisms, posing a significant threat to online retailers and their customers.
The emergence of this WebRTC-based skimming technique underscores the evolving sophistication of cyber threats in the e-commerce sector. As attackers develop more advanced methods to exploit web technologies, it is imperative for organizations to enhance their security protocols and monitoring systems to detect and mitigate such innovative attack vectors.
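CSP's `connect-src` directive governs XHR, fetch and WebSocket traffic but not WebRTC peer connections, which is why the skimmer described above slips past CSP. As an added defensive example (not code from the original report or from the vendor), the hook below wraps `RTCPeerConnection` so that a checkout page can record, and optionally refuse, every peer connection and data channel a script tries to open; `report` is an assumed callback that forwards events to the site's own monitoring endpoint. It must be the first script to run, and scripts that executed earlier keep a reference to the original constructor, so treat its output as telemetry rather than a hard boundary.

```javascript
// Added defensive example, not part of the original report.
// Wraps win.RTCPeerConnection so that every constructor call and every
// createDataChannel() call is passed to `report` (assumed to forward to the
// site's monitoring endpoint). With { block: true } peer connections are
// refused outright, for checkout pages that have no legitimate WebRTC use.
function installWebRtcMonitor(win, report, { block = false } = {}) {
  const Original = win.RTCPeerConnection;
  if (typeof Original !== "function") return false; // nothing to hook

  function MonitoredPeerConnection(config, ...rest) {
    const iceServers = (config && config.iceServers) || [];
    report({
      event: "peerconnection",
      // STUN/TURN URLs the script asked for; the skimmer needs at least one
      iceServers: iceServers.flatMap((s) => [].concat(s.urls || [])),
      stack: new Error().stack, // identifies the script that opened it
    });
    if (block) throw new Error("RTCPeerConnection blocked by page policy");

    const pc = new Original(config, ...rest);
    const origCreate = pc.createDataChannel;
    pc.createDataChannel = function (label, ...args) {
      // A data channel on a checkout page is the exfiltration path itself.
      report({ event: "datachannel", label: String(label) });
      return origCreate.call(pc, label, ...args);
    };
    return pc;
  }
  MonitoredPeerConnection.prototype = Original.prototype; // keep instanceof
  win.RTCPeerConnection = MonitoredPeerConnection;
  return true;
}
```

In a browser, call `installWebRtcMonitor(window, sendBeaconToMonitoring)` from an inline script at the very top of the checkout template; CSP Level 3 also defines a `webrtc 'block'` directive, but browser support varies, so the runtime hook is a useful complement.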
Why This Matters Now
The adoption of WebRTC for data exfiltration in web skimming attacks represents a significant evolution in cybercriminal tactics, highlighting the need for e-commerce platforms to reassess and strengthen their security measures to protect sensitive customer information.
Attack Path Analysis
An attacker exploited the PolyShell vulnerability in Magento to upload a malicious WebRTC-based skimmer, which established a peer-to-peer connection to exfiltrate payment data, bypassing traditional security controls.
Kill Chain Progression
Initial Compromise
Description
The attacker exploited the PolyShell vulnerability in Magento Open Source and Adobe Commerce to upload a malicious WebRTC-based skimmer.
Related CVEs
CVE-2026-2757 (CVSS 9.8)
Incorrect boundary conditions in the WebRTC Audio/Video component in Firefox and Thunderbird versions below 148 allow unauthorized actions or compromise system security.
Affected Products:
- Mozilla Firefox – < 148
- Mozilla Firefox ESR – < 115.33, < 140.8
- Mozilla Thunderbird – < 148, < 140.8
Exploit Status: no public exploit

CVE-2025-7657 (CVSS 8.8)
Use-after-free vulnerability in Google Chrome's WebRTC component prior to version 138.0.7204.157 allows remote attackers to exploit heap corruption via a crafted HTML page.
Affected Products:
- Google Chrome – < 138.0.7204.157
Exploit Status: no public exploit
MITRE ATT&CK® Techniques
Browser Session Hijacking
Web Service
Application Layer Protocol: Web Protocols
Archive Collected Data: Archive via Utility
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure that security policies and operational procedures for managing payment card data are documented, in use, and known to all affected parties.
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Data Security
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Retail Industry
WebRTC skimmers bypassing CSP controls directly target e-commerce payment processes, requiring enhanced egress security and real-time threat detection capabilities.
Financial Services
Payment data exfiltration through WebRTC channels threatens PCI compliance, demanding zero trust segmentation and encrypted traffic monitoring solutions.
Computer Software/Engineering
E-commerce platforms vulnerable to WebRTC payload delivery need inline IPS and cloud native security fabric implementations for comprehensive protection.
Internet
Web-based payment processors face CSP bypass threats requiring multicloud visibility, anomaly detection, and Kubernetes security for distributed application protection.
Sources
- WebRTC Skimmer Bypasses CSP to Steal Payment Data from E-Commerce Sites – https://thehackernews.com/2026/03/webrtc-skimmer-bypasses-csp-to-steal.html
- Huge numbers of web stores are facing attack from this dangerous new malware – https://www.techradar.com/pro/security/huge-numbers-of-web-stores-are-facing-attack-from-this-dangerous-new-malware
- CVE-2026-2757: Firefox <148 Boundary Condition Bug in WebRTC AV – https://stack.watch/vuln/CVE-2026-2757/
- CVE-2025-7657: High Severity Vulnerability in Google Chrome’s WebRTC Component – https://www.ameeba.com/blog/cve-2025-7657-high-severity-vulnerability-in-google-chrome-s-webrtc-component/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident because it could limit the attacker's ability to exploit vulnerabilities, move laterally, and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit the PolyShell vulnerability may have been constrained, reducing the likelihood of successful initial compromise.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could have been limited, reducing the scope of unauthorized access.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement within the environment could have been restricted, reducing the spread of the skimmer.
Control: Multicloud Visibility & Control
Mitigation: The attacker's command and control communications could have been detected and disrupted, reducing their ability to manage the malware.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts could have been blocked, reducing the risk of data loss.
The overall impact of the attack could have been mitigated, reducing financial loss and reputational damage.
Impact at a Glance
Affected Business Functions
- E-commerce Transactions
- Customer Data Management
Estimated downtime: 7 days
Estimated loss: $500,000
Payment card information of customers
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict unauthorized lateral movement within the network.
- Deploy Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Utilize Multicloud Visibility & Control to detect and respond to anomalous interactions and suspicious automation.
- Apply Inline IPS (Suricata) to identify and block known exploit patterns and malicious payloads.
- Regularly update and patch systems to mitigate known vulnerabilities like PolyShell.