Key Takeaway
Sansec researchers have uncovered a payment skimmer that uses WebRTC data channels both to receive its payloads and to exfiltrate stolen card data, so none of its command or exfiltration traffic appears as the HTTP requests that conventional skimmer detection watches for. It targets e-commerce checkout pages, abusing a legitimate browser feature to evade security controls and to keep the bulk of its code off the compromised site's disk.
Security researchers at Sansec have identified a novel payment skimmer that leverages WebRTC data channels both to receive malicious payloads and to exfiltrate stolen payment information. This diverges from typical skimmers, which talk to their operators through HTTP requests or image beacons (a tracking-pixel request whose URL carries the stolen data), and it lets the malware slip past controls that inspect HTTP traffic.
The malware operates by establishing WebRTC data channel connections within compromised e-commerce websites. Once established, these channels allow bidirectional communication between the attacker’s infrastructure and the infected site, facilitating stealthy payload updates and continuous exfiltration of payment card data captured during customer transactions.
The technique abuses the peer-to-peer transport provided by WebRTC (Web Real-Time Communication), the browser API for direct browser-to-browser media and data exchange. A data channel carries SCTP over DTLS, normally on UDP, straight between the two peers; nothing in the session is an HTTP request, so detection that inspects HTTP (proxies, HTTP-aware IDS signatures, the CSP connect-src directive) never sees the exfiltration. Two general properties of WebRTC still apply and matter for detection: the peers must first exchange an SDP offer and answer over some signaling path, and the SDP of a session that carries only a data channel contains an m=application line for webrtc-datachannel and no audio or video lines.
Sansec’s report emphasizes that the malware targets online retailers, particularly those whose platforms are exposed to script injection or to supply-chain compromise of third-party scripts. The skimmer persists on checkout pages, intercepts the payment details customers type, and sends them through the DTLS-encrypted data channel to an attacker-controlled peer acting as the command-and-control (C2) server.
Using WebRTC for C2 also complicates traffic analysis: the protocol has legitimate uses (video calls, browser file transfer), so its traffic is often allowlisted or simply not parsed by security appliances. Loading payloads over the data channel means the skimmer’s real logic never has to be written to the compromised server, so static file-integrity monitoring of the web root sees no change when the attacker updates it; the code injected into the page can stay small and stable while what it fetches changes.
Affected platforms primarily include e-commerce websites running JavaScript-based payment forms, regardless of the underlying content management system or platform. Cases linked to this malware have been reported across various industries, including retail and hospitality.
Detection methods recommended by Sansec involve monitoring for anomalous WebRTC data-channel activity within web applications, especially during checkout. Note where that monitoring has to live: the data channel runs between the customer’s browser and the attacker’s peer, so the merchant’s own network appliances never see it. Practical options are to instrument the checkout page itself (wrap RTCPeerConnection and its createDataChannel and setRemoteDescription methods and report any use back to the site operator) and to run synthetic checkouts in an instrumented browser that flags WebRTC API calls. Behavioural analytics on managed endpoints, which can see unusual peer-to-peer UDP flows from browser sessions, protect an organisation’s own users rather than a merchant’s customers.
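The in-page instrumentation suggested above, as an added example that is not Sansec’s code or part of the original article. It has two layers: a static scan of script text for WebRTC API references, and a runtime hook that wraps the page’s RTCPeerConnection so any script that opens a data channel or applies a remote SDP gets reported. The function names, the report record format and the STUN host are illustrative; makeFakeWindow() is a constructed stand-in for the browser API so the file also runs under Node.

```javascript
// Added example (not Sansec's code): detecting WebRTC data-channel use on a checkout page.
// Two layers: a static scan of script text, and a runtime hook that wraps the browser's
// RTCPeerConnection so any script on the page that opens a data channel gets reported.
// makeFakeWindow() is a constructed stand-in for the browser API so the file runs under Node.

const WEBRTC_APIS = ['RTCPeerConnection', 'createDataChannel', 'RTCDataChannel',
  'ondatachannel', 'setRemoteDescription'];

// Static scan: return every line of a script that references a WebRTC API.
function findWebRtcApiUse(source) {
  const hits = [];
  source.split('\n').forEach((line, i) => {
    for (const api of WEBRTC_APIS) {
      if (line.includes(api)) hits.push({ line: i + 1, api });
    }
  });
  return hits;
}

// Does this SDP describe a session with only a data channel (no audio/video m-lines)?
function isDataChannelOnly(sdp) {
  return /^m=application .*webrtc-datachannel/m.test(sdp) && !/^m=(audio|video) /m.test(sdp);
}

// Runtime hook. `win` is the page's global object; `report` receives one record per event.
// Load this before any third-party script so the wrapper is what they see; the prototype
// patches below also catch code that grabbed the original constructor earlier.
function installWebRtcMonitor(win, report) {
  const Original = win.RTCPeerConnection;
  if (typeof Original !== 'function') return false;
  const proto = Original.prototype;

  class MonitoredRTCPeerConnection extends Original {
    constructor(...args) {
      super(...args);
      const cfg = args[0] || {};
      report({
        event: 'peerconnection',
        iceServers: (cfg.iceServers || []).map((s) => s.urls),
        stack: new Error().stack, // identifies which script opened the connection
      });
    }
  }
  win.RTCPeerConnection = MonitoredRTCPeerConnection;

  const origCreate = proto.createDataChannel;
  proto.createDataChannel = function (label, opts) {
    report({ event: 'datachannel', label: String(label), stack: new Error().stack });
    return origCreate.call(this, label, opts);
  };

  const origSetRemote = proto.setRemoteDescription;
  proto.setRemoteDescription = function (desc, ...rest) {
    const sdp = (desc && desc.sdp) || '';
    report({
      event: 'remotedescription',
      type: desc && desc.type,
      dataChannelOnly: isDataChannelOnly(sdp),
      stack: new Error().stack,
    });
    return origSetRemote.call(this, desc, ...rest);
  };
  return true;
}

// Constructed stand-in for the browser's RTCPeerConnection (only the methods hooked above).
function makeFakeWindow() {
  class FakeRTCPeerConnection {
    constructor(config) { this.config = config; this.channels = []; }
    createDataChannel(label, opts) { const ch = { label, opts }; this.channels.push(ch); return ch; }
    setRemoteDescription(desc) { this.remote = desc; return Promise.resolve(); }
  }
  return { RTCPeerConnection: FakeRTCPeerConnection };
}

// Simulate the behaviour the article describes: a script on the checkout page opens a
// data-channel-only session. Returns the reports the monitor produced.
function demo(win = makeFakeWindow()) {
  const reports = [];
  installWebRtcMonitor(win, (r) => reports.push(r));
  const pc = new win.RTCPeerConnection({ iceServers: [{ urls: 'stun:stun.example.invalid:3478' }] });
  pc.createDataChannel('cc');
  pc.setRemoteDescription({ type: 'answer',
    sdp: 'v=0\r\nm=application 9 UDP/DTLS/SCTP webrtc-datachannel\r\na=sctp-port:5000\r\n' });
  return reports;
}
```

In a real deployment, pass `window` as `win` and a `report` callback that ships the record to an endpoint you own (for example with navigator.sendBeacon); the stack trace in each record tells you which script on the page made the call. The static scan is the cheap first pass over third-party bundles, but it is easily defeated by string obfuscation, which is why the runtime hook is the one to rely on.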
Remediation starts with auditing and sanitising every third-party script and dependency integrated into the site and removing the injected code. A Content Security Policy (CSP) with a strict script-src (no 'unsafe-inline', no wildcard hosts) limits which scripts can run at all, and regular scans for unauthorised JavaScript catch re-injection. Two caveats apply. CSP's connect-src does not govern WebRTC, so a policy that only restricts fetch and XMLHttpRequest destinations leaves the data channel open; the CSP Level 3 directive webrtc 'block' disables WebRTC on the page in browsers that implement it, and a checkout page rarely has any need for WebRTC. And a web application firewall (WAF) inspects HTTP requests to the site, so it can help block the injection vector but will never see the peer-to-peer data-channel traffic between a customer's browser and the attacker.
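A small CSP audit that checks for the two gaps just described, as an added example that is not Sansec’s or any vendor’s code. Directive names and keywords follow the CSP specification; the auditCheckoutCsp rules, the CDN host and the report path are placeholders for this illustration.

```javascript
// Added example (not from the article): auditing and building a checkout-page CSP with the
// WebRTC gap in mind. Directive names and keywords follow the CSP spec; the report path and
// the CDN host used in the usage note are placeholders.

// Parse a CSP header into Map<directive, [values]> (names and keywords lower-cased).
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives.set(name.toLowerCase(), values.map((v) => v.toLowerCase()));
  }
  return directives;
}

// Findings relevant to a skimmer that injects script and exfiltrates over WebRTC.
function auditCheckoutCsp(header) {
  const d = parseCsp(header);
  const findings = [];
  const script = d.get('script-src') || d.get('default-src');
  if (!script) {
    findings.push('no script-src or default-src: any injected script can run');
  } else {
    if (script.includes("'unsafe-inline'")) findings.push("script-src allows 'unsafe-inline': injected inline code runs");
    if (script.some((v) => v === '*' || v === 'https:' || v === 'http:')) findings.push('script-src allows any host');
  }
  const webrtc = d.get('webrtc');
  if (!webrtc || !webrtc.includes("'block'")) {
    findings.push("webrtc 'block' missing: connect-src does not cover data channels");
  }
  return findings;
}

// A policy for a checkout page that only needs scripts from itself and the listed hosts.
// reportPath is a hypothetical endpoint on the site that receives CSP violation reports.
function buildCheckoutCsp(scriptHosts, reportPath = '/csp-report') {
  return [
    "default-src 'self'",
    ["script-src 'self'", ...scriptHosts].join(' '),
    "connect-src 'self'",
    "webrtc 'block'",
    `report-uri ${reportPath}`,
  ].join('; ');
}
```

Run auditCheckoutCsp over the Content-Security-Policy header your checkout page actually serves; a policy such as "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.invalid; connect-src 'self'" looks reasonable but yields two findings. Deploy the built policy in Content-Security-Policy-Report-Only first so the report endpoint shows what would break before enforcement.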
This discovery underscores the evolving tactics of web skimmer malware and the necessity for advanced detection strategies that encompass non-traditional communication protocols like WebRTC.
Original Source
The Hacker News
Related Articles
Horabot Dropper Delivers Casbaneiro Banking Trojan to Latin American and European Targets in Brazilian eCrime Campaign
The Horabot dropper, attributed to Brazilian cybercrime group Augmented Marauder (also tracked as Water Saci by Trend Micro), delivers the Casbaneiro banking trojan to Spanish-speaking users across Latin America and Europe via targeted phishing campaigns. Casbaneiro performs credential harvesting through overlay attacks, clipboard hijacking, and keylogging, and abuses compromised Outlook accounts to self-propagate. SOC teams should implement scheduled task creation detections, block newly registered TLD outbound connections, and immediately rotate credentials on any confirmed infected host.
REF1695: Fake Installers Deliver RATs and Cryptominers in CPA Fraud Operation Active Since November 2023
REF1695 is a financially motivated campaign tracked by Elastic Security Labs that has deployed RATs and cryptocurrency miners via fake software installers since November 2023. The operation monetizes infections through both passive cryptomining and CPA fraud, redirecting victims to content locker pages disguised as software registration flows. Windows endpoints are the confirmed target, and Elastic has released EQL detection rules to support identification and response.
Automated Service Enables Persistent Information-Stealing Social Engineering Attacks
A new cybercrime service automates persistent social engineering attacks aimed at stealing sensitive information. Targeting primarily Windows and mobile platforms, the service uses phishing techniques combined with encrypted exfiltration and adaptive persistence. Detection relies on monitoring phishing indicators and network anomalies, while removal requires credential resets and endpoint remediation.
NoVoice Android Malware Exploits Known Vulnerabilities to Gain Root Access, Found in 50+ Google Play Apps
NoVoice is a newly discovered Android malware exploiting known privilege escalation vulnerabilities to gain root access. Distributed through over 50 malicious apps on Google Play with 2.3 million downloads, it collects user data and communicates with encrypted C2 servers. Detection requires monitoring root-level activity and network anomalies, while removal demands a factory reset and patching affected devices.