Hackers found a security hole that no one thought to close.

Cybercriminals have discovered a new way to steal bank card data that bypasses the usual security mechanisms of online stores. This time, the target was an automaker with a turnover of over $100 billion, and the malicious code turned out to be far more sophisticated than typical skimmers.
Sansec discovered a malicious script that collects payment data from websites and transmits it to attackers in an unusual way. Instead of standard HTTP requests or hidden images, the attackers used WebRTC, a technology commonly used for video conferencing directly in the browser.
The key feature of the attack is the way the malicious payload and stolen data are transmitted. The script establishes a direct connection to the attackers' server via WebRTC and receives additional code from there. The same channel is then used to send the stolen information. This scheme has never been observed before.
The attack bypasses the content security policy (CSP) that limits browser network requests. WebRTC connections fall outside these restrictions, so even strictly configured websites remain exposed. Detection is further complicated because the traffic is encrypted and carried over a protocol unrelated to regular web requests, so security tools that analyze only web traffic simply do not see the leak.
The malicious code launches automatically when the page loads. It connects to a pre-defined IP address, fetches code fragments, and assembles them into a single script, which is then injected into the page. The attackers took care to bypass browser security mechanisms: for example, the malicious code searches legitimate page scripts for special tags and reuses them to get around code execution restrictions.
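As an added illustration (not code from Sansec's report or from the skimmer itself), the following page-level guard shows one way a site could detect or block the behaviour described above: it wraps the browser's RTCPeerConnection.setRemoteDescription and flags any peer address in the remote SDP that is not on a site-defined allow-list. The allow-list, the report callback and the sample addresses are assumptions of this example; the guard only helps if it is loaded before any third-party script.

```javascript
// Added example, not code from the Sansec write-up or the skimmer.
// Pull peer addresses out of SDP "a=candidate:" lines. Field layout:
// candidate:<foundation> <component> <proto> <priority> <address> <port> typ <type> ...
function extractCandidateAddresses(sdp) {
  const found = new Set();
  for (const line of sdp.split(/\r?\n/)) {
    const m = /^a=candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ/.exec(line.trim());
    if (m) found.add(m[1]);
  }
  return [...found];
}

// Addresses in the remote SDP that are not on the allow-list (empty = clean).
function unexpectedPeers(sdp, allowedAddresses) {
  const allowed = new Set(allowedAddresses.map((a) => a.toLowerCase()));
  return extractCandidateAddresses(sdp).filter((a) => !allowed.has(a.toLowerCase()));
}

// Wrap setRemoteDescription on the given global (window in a browser).
// `report` is an assumed site-specific telemetry hook. Returns false when the
// global has no RTCPeerConnection to guard.
function installWebRtcGuard(scope, allowedAddresses, report) {
  const RTCPC = scope.RTCPeerConnection;
  if (typeof RTCPC !== 'function' || !RTCPC.prototype) return false;
  const original = RTCPC.prototype.setRemoteDescription;
  RTCPC.prototype.setRemoteDescription = function (desc, ...rest) {
    const sdp = (desc && desc.sdp) || '';
    const bad = unexpectedPeers(sdp, allowedAddresses);
    if (bad.length) {
      report({
        event: 'webrtc-unexpected-peer',
        peers: bad,
        url: scope.location && scope.location.href,
      });
      // Refusing the description means the data channel never comes up, so a
      // hard-coded skimmer peer gets no channel. Sites that legitimately use
      // WebRTC with dynamic peers should start with report-only mode instead.
      return Promise.reject(new Error('WebRTC peer not allowed: ' + bad.join(',')));
    }
    return original.apply(this, [desc, ...rest]);
  };
  return true;
}
```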
Judging by the timing of the attack, the attackers were able to access the site through the PolyShell vulnerability. Widespread exploitation of this issue began on March 19, and it currently affects more than half of vulnerable online stores. The vulnerability allows files to be uploaded to the server without authorization, and a patch for production systems is still unavailable.
The attack on the automaker was part of a broader wave of hacks. Over the past two months, malicious skimmers have been found at no fewer than five major companies, including one of the largest US banks and an international supermarket chain.
