WebRTC payment skimmer
Malware Activity
Summary
Hide ▲
Show ▼
A new payment skimmer has been identified using WebRTC data channels to load payloads and steal payment data from e-commerce sites, bypassing common security controls. The behavior matters because it avoids HTTP-only inspection and can slip past Content Security Policy (CSP) protections. The activity was published on 2026-03-26 and is designed to exfiltrate stolen card data from online checkout pages.
Related Happenings
Magecart Stripe and Google Tag Manager card-skimming campaign
Campaign
H score36
First: 04.06.2026 23:47
Last: 04.06.2026 23:47
Sources 1
About this happening:
The **Magecart** campaign is abusing **Stripe's API infrastructure** and **Google Tag Manager** containers to steal checkout data from **Magento/Adobe Commerce** stores. The skimm...
Magecart Stripe and Google Tag Manager card-skimming campaign
CampaignAbout this happening: The **Magecart** campaign is abusing **Stripe's API infrastructure** and **Google Tag Manager** containers to steal checkout data from **Magento/Adobe Commerce** stores. The skimm...
Funnel Builder plugin WordPress arbitrary JavaScript injection actively exploited security flaw
Vulnerability
H score72
First: 16.05.2026 18:20
Last: 16.05.2026 18:20
Sources 1
About this happening:
**Funnel Builder** for **WordPress** is under **active exploitation** for arbitrary JavaScript injection into **WooCommerce checkout pages**, creating payment-skimming risk across...
Funnel Builder plugin WordPress arbitrary JavaScript injection actively exploited security flaw
VulnerabilityAbout this happening: **Funnel Builder** for **WordPress** is under **active exploitation** for arbitrary JavaScript injection into **WooCommerce checkout pages**, creating payment-skimming risk across...
Taboola pixel runtime redirect chain to Temu tracking endpoint on logged-in banking pages
Technical Analysis
H score28
First: 16.04.2026 13:30
Last: 16.04.2026 13:30
Sources 1
About this happening:
A **February 2026 audit** found a **bank-approved Taboola pixel** on logged-in banking pages that redirected browsers to a **Temu tracking endpoint**, exposing a **first-hop trust...
Taboola pixel runtime redirect chain to Temu tracking endpoint on logged-in banking pages
Technical AnalysisAbout this happening: A **February 2026 audit** found a **bank-approved Taboola pixel** on logged-in banking pages that redirected browsers to a **Temu tracking endpoint**, exposing a **first-hop trust...
Magento checkout skimmer campaign targeting nearly 100 stores
Campaign
H score31
First: 09.04.2026 01:34
Last: 09.04.2026 01:34
Sources 1
About this happening:
A **Magento** checkout skimmer campaign is compromising **nearly 100 online stores** and stealing payment data at the point of sale, putting shoppers’ card details at immediate ri...
Magento checkout skimmer campaign targeting nearly 100 stores
CampaignAbout this happening: A **Magento** checkout skimmer campaign is compromising **nearly 100 online stores** and stealing payment data at the point of sale, putting shoppers’ card details at immediate ri...
Magento Open Source v2 and Adobe Commerce PolyShell mass exploitation
Exploitation Wave
H score34
First: 25.03.2026 23:40
Last: 25.03.2026 23:40
Sources 1
About this happening:
**PolyShell** exploitation is now underway against **Magento Open Source v2** and **Adobe Commerce**, with attackers reaching **56.7%** of vulnerable stores. The surge began on **...
Magento Open Source v2 and Adobe Commerce PolyShell mass exploitation
Exploitation WaveAbout this happening: **PolyShell** exploitation is now underway against **Magento Open Source v2** and **Adobe Commerce**, with attackers reaching **56.7%** of vulnerable stores. The surge began on **...
Latest development: 09.04.2026 01:34
Sansec reported a new campaign against nearly 100 Magento online stores in which attackers hide a credit card skimmer inside a 1x1-pixel SVG element with an onload handler, display a fake Secure Checkout overlay on checkout, validate submitted card data with Luhn, and exfiltrate payment details to attacker infrastructure; the researchers also identified six exfiltration domains hosted by IncogNet LLC (AS40663).
Timeline
-
26.03.2026 08:53 1 articles · 3mo ago
Adobe releases PolyShell fix in 2.4.9-beta1
Mitigation Patch UpdateAdobe released a fix for PolyShell in version 2.4.9-beta1 on March 10, 2026, addressing a vulnerability in Magento Open Source and Adobe Commerce that allows unauthenticated attackers to upload arbitrary executables via the REST API and achieve code execution.
Show sources
- WebRTC Skimmer Bypasses CSP to Steal Payment Data from E-Commerce Sites — thehackernews.com — 26.03.2026 08:53
-
26.03.2026 08:53 1 articles · 3mo ago
PolyShell enters mass exploitation
Exploitation ObservedPolyShell came under mass exploitation beginning March 19, 2026, with more than 50 IP addresses participating in scanning activity against vulnerable stores running Magento Open Source and Adobe Commerce.
Show sources
- WebRTC Skimmer Bypasses CSP to Steal Payment Data from E-Commerce Sites — thehackernews.com — 26.03.2026 08:53
-
26.03.2026 08:53 2 articles · 3mo ago
Sansec discloses a WebRTC payment skimmer on a car maker site
Initial DisclosureSansec disclosed a new payment skimmer targeting a car maker's e-commerce website that uses WebRTC data channels to load payloads and exfiltrate stolen payment data. The skimmer establishes a WebRTC peer connection to hard-coded IP address 202.181.177[.]177 over UDP port 3479, retrieves JavaScript code for page injection, and bypasses Content Security Policy (CSP) and HTTP-only inspection.
Show sources
- WebRTC Skimmer Bypasses CSP to Steal Payment Data from E-Commerce Sites — thehackernews.com — 26.03.2026 08:53
- WebRTC Skimmer Bypasses CSP to Steal Payment Data from E-Commerce Sites — thehackernews.com — 26.03.2026 08:53