Two years after hackers first started targeting local government payment portals, attacks are still going on, with eight cities having had their Click2Gov payment portals compromised in the last month alone, security researchers from Gemini Advisory have revealed in a report shared with ZDNet today.
These new hacks have allowed hackers to get their hands on over 20,000 payment card details belonging to US citizens, which are now being traded on the dark web, the cyber-security firm said.
History of Click2Gov hacks
Click2Gov is a web-based portal sold by Central Square, formerly known as Superion, to US and Canadian municipalities, small and large alike. It comes as a cloud-based offering and in a self-hosted version.
Once up and running, Click2Gov provides a self-service portal where US citizens can pay taxes and bills. Such portals are widespread across the US and are not only used by locals, but also by Americans living across the country to pay bills and taxes for property they own in other cities or states.
In 2017, a hacker group began targeting self-hosted Click2Gov portals that had been lagging behind with software patches.
According to a FireEye report, this hacker group developed two never-before-seen malware strains named Firealarm and Spotlight, specifically for attacks Click2Gov portals. The first malware was capable of sifting through Click2Gov logs to identify and steal payment card data, while the second was designed to intercept card data in real-time, from HTTP traffic.
During 2017 and 2018, the group is believed to have compromised the Click2Gov portals of at least 46 US cities and stolen up to 300,000 payment card details, according to reports from Risk Based Security [1, 2] and Gemini Advisory. Once sold on carding forums, Gemini Advisory researchers believe the stolen card details netted hackers over $1.7 million in revenue.
New attacks last month
But after the initial attacks, Central Square (then named Superion) did its due diligence and released security updates to address the various vulnerabilities hackers were using in previous attacks.
But in a report shared with ZDNet today, Gemini Advisory said that hackers have continued to breach new Click2Gov portals. The company said it recently discovered a new 20,000 batch of payment card details that it tracked to compromises of Click2Gov portals at eight US cities.
All eight were running up-to-date Click2Gov versions, and all hacks took place last month, August 2019. In addition, six cities had also suffered Click2Gov compromises in the first wave of attacks, in 2017 and 2018.
New victims: Pocatello, ID; Broken Arrow, OK. Re-compromised victims: Palm Bay, FL; Deerfield Beach, FL; Milton, FL; Coral Fields, FL; Bakersfield, CA; Ames, IA.
Currently, Gemini Advisory can't say how the hackers got in. For the six towns that had been compromised in the past, it may be possible that hackers left a hidden backdoor during the first hack, which they used to re-gain access to Click2Gov systems this summer.
However, it remains unclear how hackers gained entry to the Click2Gov portals of the two other cities that weren't compromised before.
One could point the finger at a new Click2Gov vulnerability, but things aren't that easy. Hackers could have very easily used spear-phishing, password spraying, or credential stuffing attacks to gain access to an administrator's account. Blaming the attacks on a new vulnerability may not be accurate.
A Central Square spokesperson did not return a request for comment before this article's publication seeking more information from the company's side.
US cities notified
"Gemini attempted to reach out to several of these eight towns about the second wave of breaches; while most did not respond, those that did confirm a breach in their Click2Gov utility payment portals," the company said today in its report.
"Certain towns that did not respond to Gemini's outreach have taken their Click2Gov portals offline shortly after we attempted to contact them."
Everyone who paid taxes or bills on the Click2Gov self-service portals of the eight aforementioned cities are now advised to review payment card logs and request new cards from their banks.