WebRTC: the new skimmer exfiltration channel
Security researchers have reported a payment skimmer that uses WebRTC data channels both to receive its payload and to exfiltrate card data. A WebRTC DataChannel runs as SCTP over DTLS on UDP (negotiated via ICE), not over HTTP, so the skimmer's traffic sidesteps controls that only inspect HTTP requests and responses.
How it works
- Loader injection: the compromised e-commerce site is given a minimal loader script on its payment pages
- Payload via WebRTC: instead of fetching the skimmer over HTTP (where a WAF or proxy could see it), the loader opens a WebRTC DataChannel to an attacker-controlled peer and receives the skimmer code through it. The offer/answer signaling still needs some transport, but the payload itself never appears as an HTTP response
- Data capture: the delivered skimmer hooks the payment form and reads the card number, expiry, CVV and cardholder name
- Exfiltration via WebRTC: the stolen data goes back over the same DTLS-encrypted DataChannel, so it never shows up as an HTTP request either
Why classic defenses fail
| Defense | Effectiveness |
|---|---|
| WAF | Ineffective: a WAF inspects HTTP traffic to the merchant's own origin; the browser's DTLS/UDP session with the attacker's peer never crosses it |
| CSP | Partially effective: script-src with nonces or a strict allowlist stops the loader, and connect-src constrains signaling done over fetch, XHR or WebSocket, but connect-src does not govern peer connections. Only the CSP Level 3 webrtc 'block' directive does, and browser support for it should be checked |
| HTTP monitoring | Ineffective: exfiltration rides the DataChannel, not HTTP requests |
| Static script analysis | Partially effective: the injected loader is minimal, and the real skimmer exists only in memory after the channel delivers it |
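As an added example (not code from the original article or from the researchers' report), the following Node-runnable evaluator parses a Content-Security-Policy value and reports which of the three stages it would constrain: the injected loader (script-src), the signaling exchange (connect-src) and the peer connection itself (the CSP Level 3 webrtc directive). The two sample policies and the host api.psp.example are constructed placeholders; the evaluator deliberately ignores 'strict-dynamic', report-only mode and other CSP details.

```javascript
// Added example (not from the original article): a small CSP evaluator that
// shows why connect-src alone does not cover a WebRTC skimmer. Policies and
// hostnames below are constructed placeholders. It deliberately ignores
// 'strict-dynamic', report-only mode and other CSP subtleties.

const SCHEME_SOURCE = /^(https?|wss?|data|blob):$/i;

// Parse a policy string into Map<directive, [source tokens]>. Per the spec,
// a directive that appears twice keeps its first occurrence.
function parseCsp(policy) {
  const directives = new Map();
  for (const chunk of policy.split(';')) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Fetch directives (script-src, connect-src, ...) fall back to default-src.
// Returns null when nothing restricts that directive at all.
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  return directives.has('default-src') ? directives.get('default-src') : null;
}

// A source list is "open" if an attacker-controlled host would be allowed:
// no directive, a bare '*', or a scheme-only source such as https:.
function isOpen(sources) {
  if (sources === null) return true;
  return sources.some((s) => s === '*' || SCHEME_SOURCE.test(s));
}

function hasNonceOrHash(sources) {
  return sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
}

function assessPolicy(policy) {
  const d = parseCsp(policy);
  const scriptSrc = effectiveSources(d, 'script-src');
  const connectSrc = effectiveSources(d, 'connect-src');
  // Browsers ignore 'unsafe-inline' once a nonce or hash is present.
  const inlineAllowed = scriptSrc !== null
    && scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash(scriptSrc);
  return {
    // The injected loader: an inline script or one fetched from the attacker.
    loaderBlocked: !isOpen(scriptSrc) && !inlineAllowed,
    // SDP/ICE signaling over fetch, XHR, WebSocket or sendBeacon.
    signalingRestricted: !isOpen(connectSrc),
    // The peer connection itself: only the CSP Level 3 webrtc directive
    // governs it; connect-src and default-src do not apply.
    webrtcBlocked: (d.get('webrtc') || []).includes("'block'"),
  };
}

// Constructed sample policies: a typical permissive one and a hardened one.
const WEAK_POLICY =
  "default-src 'self' https:; script-src 'self' 'unsafe-inline' https:";
const HARDENED_POLICY =
  "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; " +
  "connect-src 'self' https://api.psp.example; webrtc 'block'; frame-ancestors 'none'";

if (typeof require !== 'undefined' && require.main === module) {
  console.log('weak    ', assessPolicy(WEAK_POLICY));
  console.log('hardened', assessPolicy(HARDENED_POLICY));
}
```

Run it with node to see that the weak policy constrains none of the three stages while the hardened one constrains all three; a policy with a tight connect-src but no webrtc directive still reports the peer connection as unconstrained, which is the gap the table above points at.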
Detection
- Monitor for unexpected WebRTC connections: payment pages have no reason to establish a peer connection, so any RTCPeerConnection creation on one is a high-confidence signal
- Strict CSP on payment pages: lock down script-src and connect-src, and add the CSP Level 3 webrtc 'block' directive where the browser supports it, since connect-src alone does not cover peer connections
- Integrity verification: regularly compare the payment page DOM and its loaded scripts against a known-good baseline
- Behavioral monitoring: watch for unusual JS activity on payment pages (RTCPeerConnection creation, new event listeners on card input fields)
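As an added example of the first and last points above (not code from the original article), here is a guard script a merchant would load as the very first script on checkout pages. It wraps the RTCPeerConnection constructor to report, and by default block, any peer connection, and wraps addEventListener to report listeners attached to card-data fields. The report endpoint /security/client-events, the use of autocomplete tokens to recognise card fields, and the event names are this example's assumptions; the test harness's fake window objects are constructed.

```javascript
// Added example (not from the original article): a guard that a merchant
// loads as the FIRST script on checkout pages. It reports, and by default
// blocks, RTCPeerConnection creation, and reports listeners attached to
// card-data fields. The report endpoint, the autocomplete tokens used to
// recognise card fields, and the event names are this example's assumptions.

const CARD_FIELD_TOKENS = ['cc-number', 'cc-exp', 'cc-exp-month', 'cc-exp-year', 'cc-csc', 'cc-name'];
const CAPTURE_EVENTS = /^(input|change|keyup|keydown|keypress|blur|paste)$/;

function isCardField(el) {
  if (!el || typeof el.getAttribute !== 'function') return false;
  const token = (el.getAttribute('autocomplete') || '').toLowerCase();
  return CARD_FIELD_TOKENS.includes(token);
}

// Default reporter: ship events to a collector (assumed path) via sendBeacon,
// falling back to console when no navigator is available (e.g. in tests).
function defaultReporter(win, endpoint = '/security/client-events') {
  return (event) => {
    const body = JSON.stringify(event);
    if (win.navigator && typeof win.navigator.sendBeacon === 'function') {
      win.navigator.sendBeacon(endpoint, body);
    } else {
      console.warn('payment-page guard:', body);
    }
  };
}

function installPaymentPageGuard(win, options = {}) {
  const { blockWebRtc = true, report = defaultReporter(win) } = options;
  const events = [];
  const record = (type, detail) => {
    const event = { type, detail, at: Date.now() };
    events.push(event);
    report(event);
  };

  // 1. Wrap the RTCPeerConnection constructor(s). A checkout page has no
  //    legitimate reason to open a peer connection, so creation alone is a
  //    high-confidence signal; the captured stack names the calling script.
  for (const name of ['RTCPeerConnection', 'webkitRTCPeerConnection']) {
    const Original = win[name];
    if (typeof Original !== 'function') continue;
    const Guarded = function (...args) {
      const config = args[0] || {};
      const iceServers = (config.iceServers || []).flatMap((s) => [].concat(s.urls || []));
      record('rtc-peer-connection', { ctor: name, iceServers, stack: new Error().stack });
      if (blockWebRtc) throw new Error(`${name} is not permitted on this page`);
      return new Original(...args);
    };
    Guarded.prototype = Original.prototype; // keep instanceof checks working
    win[name] = Guarded;
  }

  // 2. Wrap addEventListener so that listeners attached to card fields are
  //    reported. Legitimate form code also attaches listeners, so this is
  //    telemetry to diff against a baseline, not a block.
  const proto = win.EventTarget && win.EventTarget.prototype;
  if (proto && typeof proto.addEventListener === 'function') {
    const originalAdd = proto.addEventListener;
    proto.addEventListener = function (type, listener, ...rest) {
      if (CAPTURE_EVENTS.test(type) && isCardField(this)) {
        record('card-field-listener', {
          field: this.getAttribute('autocomplete'),
          event: type,
          stack: new Error().stack,
        });
      }
      return originalAdd.call(this, type, listener, ...rest);
    };
  }

  return { events: () => events.slice() };
}

// In the browser: installPaymentPageGuard(window, { blockWebRtc: true });
```

Two caveats on the design. The guard must run before any third-party script, otherwise a skimmer can capture the original constructor first, and a script can still obtain an unwrapped RTCPeerConnection from a fresh iframe's window; the wrapper is therefore telemetry and a speed bump, while the CSP webrtc 'block' directive is the control that the browser enforces. Record the stack trace from every event, because the frame that created the connection or attached the listener tells you which script to pull for analysis.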
Recommendations
Strict CSP on all payment pages (nonce-based script-src, a tight connect-src, and webrtc 'block' where the browser supports it), SRI on all third-party scripts, alerts on any WebRTC activity on transactional pages, regular front-end code audits, and isolation of the payment page on a dedicated subdomain so that scripts running on the rest of the site have no access to it.
Recommended reading
- CompTIA Security+ SY0-701: covers web application security and detection techniques.
- Cybersecurity Essentials: solid introduction to e-commerce security.
Sources
- Payment Skimmer Using WebRTC - The Hacker News