WebRTC-based Payment Skimmer Bypasses CSP Protections
🔒 Sansec researchers uncovered a novel payment skimmer that uses WebRTC data channels to load malicious payloads and exfiltrate card data, effectively sidestepping Content Security Policy protections. The skimmer establishes a peer connection to a hard-coded IP (202.181.177[.]177) over UDP port 3479, retrieves JavaScript, and injects it into the checkout page to capture payment details. The campaign was enabled by the PolyShell flaw in Magento, which allows unauthenticated executable uploads. Because WebRTC traffic runs over DTLS-encrypted UDP rather than HTTP, standard HTTP-based monitoring and CSP enforcement may fail to detect or block the theft.
