Hackers swipe card numbers from local government payment portals

FireEye report confirms previous rumors of Click2Gov portal hacks.
Written by Catalin Cimpanu, Contributor

A previously unknown hacker group is behind a mounting number of breaches that have been reported by local governments across the US.

In a report published today, US cyber-security vendor FireEye has revealed that this yet-to-be-identified hacker group has been breaking into Click2Gov servers and planting malware that stole payment card details.

Click2Gov is a popular self-hosted payments solution, a product of US software supplier Superion. It is sold primarily to US local governments, and you can find a Click2Gov server installed anywhere from small towns to large metropolitan areas, where it's used to handle payments for utility bills, permits, fines, and more.


FireEye says this new hacker group has been attacking Click2Gov portals for almost a year. The company's investigators believe hackers are using one or more vulnerabilities in one of Click2Gov's components --the Oracle WebLogic Java EE application server-- to gain a foothold and install a web shell named SJavaWebManage on hacked portals.

Forensic evidence suggests the hackers are using this web shell to turn on Click2Gov's debug mode, which, in turn, starts logging payment transactions, card details included.

Hackers then use the same shell to upload two never-before-seen malware strains, FIREALARM and SPOTLIGHT, to the same server. The former parses Click2Gov logs for payment card data, while the latter detects and extracts payment details from HTTP network traffic.
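The attack chain above rests on one simple fact: once verbose debug logging is on, full card numbers land in plain-text log files, and a tool like FIREALARM only has to pattern-match them. The same check can be run defensively. The following is an added example, not code from FireEye, Superion, or the Click2Gov product: it scans log lines for candidate card numbers (13 to 19 digits, optionally separated by spaces or hyphens), keeps only those that pass the Luhn check, and reports them masked so the scan itself does not leak PANs. The log format and the field names are hypothetical, and the card numbers are the publicly known Visa and Mastercard test PANs, not real cards.

```python
import re
from typing import List, Tuple

# Constructed sample of what a payment application's debug log might look like
# once transaction logging is switched on. The format (cardNumber=, exp=) is a
# hypothetical example; the PANs are publicly known test numbers, not real cards.
SAMPLE_LOG = """\
2018-09-26 10:14:02 DEBUG payment request id=88213 cardNumber=4111111111111111 exp=1221 amount=84.50
2018-09-26 10:14:02 DEBUG payment request id=88214 cardNumber=5555555555554444 exp=0323 amount=120.00
2018-09-26 10:14:03 DEBUG session token=4111111111111112 user=jdoe
2018-09-26 10:14:04 INFO  utility bill 20180926101404 paid ok
"""

# 13-19 digits, optionally separated by single spaces or hyphens, not adjacent
# to other digits (so a longer numeric blob is not partially matched).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(line: str) -> List[str]:
    """Return every Luhn-valid 13-19 digit sequence found in one log line."""
    hits = []
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep the first six and last four digits (the usual PCI display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_log(text: str) -> List[Tuple[int, str]]:
    """Return (line number, masked PAN) for every card number found in the log."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pan in find_pans(line):
            findings.append((lineno, mask(pan)))
    return findings


if __name__ == "__main__":
    for lineno, masked in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: card number in log: {masked}")
```

Line 3 of the sample holds a 16-digit value that fails Luhn and line 4 a 14-digit timestamp that also fails, so only the two genuine test PANs are reported. Running a check like this over a portal's log directory after enabling any debug or trace setting is a quick way to confirm whether the setting is writing cardholder data to disk; if it is, the logs themselves are in scope for PCI DSS and an attacker with file access has everything they need.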


Today's FireEye report is not the first word on these attacks; it is a confirmation and a technical breakdown of the attackers' methods. There have been numerous media reports over the past year of Click2Gov portals being hacked.

Superion itself released a statement in October 2017 about suspicious activity on a number of customer portals, claiming it was investigating the incidents.

In June, Risk Based Security, another cyber-security firm, published a report about breaches at nine US cities, which it said it had tracked to Click2Gov portals.

Superion didn't answer the accusations, but the company did release a Click2Gov patch a day after Risk Based Security's report, on June 15.

After FireEye's report today, Risk Based Security published a second report listing another nine cities that have reported Click2Gov security incidents.


FireEye didn't release an official list of Click2Gov portals where the company identified the hackers' malware, but according to Risk Based Security, town municipalities appear to be doing their duty and notifying affected users.

As for the hackers, FireEye claims that "while it is also possible the attack was conducted by a single individual, FireEye assesses, with moderate confidence, that a team was likely involved in this campaign."

The company bases its assessment on the range of skills and the amount of time it would have taken to write all the malware and carry out all the intrusions, something very difficult for one individual alone.

News of the Click2Gov hacks comes days after a similar incident was reported affecting the GovPayNow portal.
