Full Report
Cybersecurity researchers have discovered a new payment skimmer that uses WebRTC data channels as a means to receive payloads and exfiltrate data, effectively bypassing security controls. "Instead of the usual HTTP requests or image beacons, this malware uses WebRTC data channels to load its payload and exfiltrate stolen payment data," Sansec said in a report published this week. The attack,
Analysis Summary
# Tool/Technique: WebRTC-Based Payment Skimmer
## Overview
This technique represents an evolution in Magecart-style digital skimming. It utilizes the **WebRTC (Web Real-Time Communication)** protocol's data channels to bypass traditional security monitoring tools—such as Content Security Policy (CSP) and automated scanners—which typically focus on monitoring standard HTTP/HTTPS traffic (GET/POST requests) and WebSocket connections.
## Technical Details
- **Type**: Malware / Exfiltration Technique
- **Platform**: Web Browsers (E-commerce platforms)
- **Capabilities**: Stealing credit card data, bypassing CSP, covert payload delivery, and stealthy data exfiltration via peer-to-peer (P2P) channels.
- **First Seen**: Reported in May 2024 by Sansec.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1189 - Drive-by Compromise (via injected scripts on compromised e-commerce sites).
- **TA0005 - Defense Evasion**
  - T1564 - Hide Artifacts (using WebRTC to bypass HTTP-based monitoring).
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel (using WebRTC DataChannels).
  - T1567 - Exfiltration Over Web Service.
## Functionality
### Core Capabilities
- **Digital Skimming**: Injects malicious JavaScript into checkout pages to capture sensitive user input (names, credit card numbers, CVVs).
- **WebRTC DataChannel Communication**: Establishes a peer-to-peer connection between the victim's browser and the attacker's infrastructure.
- **Bypassing CSP**: Many Content Security Policies do not restrict DataChannel traffic at all: the `connect-src` directive does not govern WebRTC, and the separate `webrtc` directive is rarely deployed, so the skimmer can communicate without triggering standard alerts.
### Advanced Features
- **In-Memory Payload Loading**: The skimmer can receive its secondary malicious payload via the WebRTC channel, ensuring the initial injected snippet remains small and less likely to be flagged by static analysis.
- **Protocol Obfuscation**: By avoiding standard HTTP requests and image beacons (pixel tracking), the malware evades network-side firewalls and does not appear in the browser developer tools' network log that users or researchers might monitor.
## Indicators of Compromise
- **File Hashes**: *Not specifically provided in the summary snippet; refer to Sansec report for latest hashes.*
- **File Names**: Often masquerades as legitimate third-party scripts (e.g., Google Analytics, Facebook Pixel).
- **Network Indicators**:
  - Peer-to-peer connection attempts via `RTCDataChannel`.
  - Use of STUN/TURN servers to facilitate NAT traversal (e.g., `stun[:]l.google[.]com[:]19302`).
- **Behavioral Indicators**:
  - `new RTCPeerConnection()` calls in checkout page scripts.
  - Calls to `createDataChannel` from suspicious JavaScript contexts.
## Associated Threat Actors
- **Magecart Groups**: Characterized by the targeting of e-commerce checkout flows.
## Detection Methods
- **Behavioral Detection**: Monitor for the initialization of WebRTC connections on sensitive pages (like `/checkout` or `/payment`) where real-time video/audio communication is not expected.
- **Content Security Policy (CSP) Monitoring**: Implement strict `connect-src` policies, but note that WebRTC can circumvent basic CSPs depending on the browser implementation and the use of STUN servers.
- **JavaScript Integrity**: Use Subresource Integrity (SRI) to ensure third-party scripts have not been tampered with.
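The behavioral detection above can be implemented page-side: a monitor loaded before any third-party script wraps the browser's `RTCPeerConnection` so that every peer connection or data channel created on a checkout or payment path is reported. This is an added example, not code from the Sansec report; `installWebRtcMonitor`, the `report` callback, the `SENSITIVE_PATHS` list and the window-like `win` parameter (passed in so the logic can also run under Node) are assumptions of this example.

```javascript
// Added example: wrap RTCPeerConnection and report WebRTC activity on sensitive
// paths. Must be installed before other scripts run, since a skimmer that
// captured the original constructor earlier would bypass the wrapper.
const SENSITIVE_PATHS = [/^\/checkout/i, /^\/payment/i]; // assumed path list

function isSensitivePath(pathname) {
  return SENSITIVE_PATHS.some((re) => re.test(pathname));
}

// win: window-like object exposing RTCPeerConnection and location.
// report: callback invoked once per observation on a sensitive path.
// Returns the array of all observations (sensitive or not), or null if
// the environment has no RTCPeerConnection to wrap.
function installWebRtcMonitor(win, report) {
  const Original = win.RTCPeerConnection;
  if (typeof Original !== 'function') return null;
  const events = [];
  const emit = (kind, detail) => {
    const path = win.location.pathname;
    const ev = { kind, path, sensitive: isSensitivePath(path), ...detail };
    events.push(ev);
    if (ev.sensitive) report(ev);
  };
  class MonitoredPeerConnection extends Original {
    constructor(config, ...rest) {
      super(config, ...rest);
      // Flatten iceServers[].urls (string or array) so STUN/TURN hosts are logged.
      const servers = (config && config.iceServers) || [];
      emit('peerconnection', {
        iceServers: servers.flatMap((s) => [].concat(s.urls || [])),
      });
    }
    createDataChannel(label, ...rest) {
      emit('datachannel', { label: String(label) });
      return super.createDataChannel(label, ...rest);
    }
  }
  win.RTCPeerConnection = MonitoredPeerConnection;
  return events;
}
```

In a real deployment the `report` callback would post the event to a server-side log; the example keeps it as a plain function so the observation logic can be tested in isolation.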
## Mitigation Strategies
- **Content Security Policy (CSP)**: Implement a strict CSP that limits `connect-src` to known-good domains.
- **Monitoring Changes**: Use file integrity monitoring for web server assets to detect unauthorized script injections.
- **Disable WebRTC**: In environments where WebRTC is not required for business logic, it can be disabled via browser configurations or administrative templates.
## Related Tools/Techniques
- **Magecart**: The general category of web-based payment interceptors.
- **WebSocket Skimmers**: A similar technique that uses WebSockets instead of standard HTTP to exfiltrate data.
- **IDN Homograph Attacks**: Often used to host the malicious domains used in the STUN/TURN or signaling phase.