[BreachExchange] 8 U.S. City Websites Targeted in Magecart Attacks

Destry Winant destry at riskbasedsecurity.com
Tue Jun 30 10:34:51 EDT 2020


Researchers believe that Click2Gov, municipal payment software, may be
at the heart of this most recent government security incident.

Researchers are warning that the websites of eight U.S. cities –
across three states – have been compromised with payment card-stealing
Magecart skimmers. The websites all utilize Click2Gov municipality
payment software, which was previously involved in data breaches.

Unlike other skimmers, which grab data on various types of payment
forms on websites, the skimmer in this incident appears to only target
website payment forms by Click2Gov. Click2Gov software is used in
self-service bill-paying portals used by utilities and community
development organizations for things such as paying parking tickets

“The attack occurs when victims make an online payment on the
compromised Click2Gov website,” said researchers with Trend Micro in a
Friday analysis. “JavaScript code was injected into the payment page
which loads a credit card skimmer when victims browse the payment

The skimmer is extremely simple; no obfuscation or anti-debugging
techniques were used. It hooks the “submit” event of the payment form,
so that when a victim clicks the button to submit their payment
information, the skimmer will grab the information from the selected
columns inside the payment form and immediately send the collected
information to a remote server via a HTTP POST request.

Cybercriminals targeted the credit-card information (including card
number, expiration date and CVV), name and contact address for the
website users.

“We were able to identify two of the exfiltration servers used in the
attack,” said researchers. “Both hosted the actual JavaScript skimmer,
as well as a .JSP file used to receive the exfiltrated data. One of
the servers was used for three sites, while the other server used for
the remaining five sites. The two skimmers used are identical, save
for the change in the hostname of the exfiltration servers.”

When asked if any of the skimmers have been removed from the websites,
researchers told Threatpost, “We don’t have access to that
information.” However, they believe that these attacks started on
April 10 of this year, and are still active.

When asked which city websites were affected in this incident,
researchers told Threatpost, “We can’t say,” adding that Trend Micro
“prioritizes responsible disclosure of security incidents and chooses
not to ‘name and shame’ victims. Our primary goal is to help
organizations identify and mitigate these incidents. We have notified
the breached parties who will be responsible for handling the
situation within each city.”

Previous Click2Gov Breaches

Click2Gov was previously afflicted by a vulnerability (rooted in a
compromised Click2Gov webserver) that led to two different data
breaches of the websites of several towns and cities using the

The flaw was first discovered in December 2018 after continual
breaches of it led to the compromise of at least 294,929 payment cards
across the country. Overall, 46 confirmed impacted local governments
were caught up in this first breach – including  Saint Petersburg,
Fla. (on October 2) Bakersfield, Calif. (November 14), and Ames, Iowa
(December 2).

Then in 2019, the vulnerable municipality payment software was
targeted once again, this time part of a breach involving of eight
cities in August. Those cities were: Coral Springs, Deerfield Beach,
Milton and Palm Bay, Fla.;  Bakersfield Calif.; Pocatello, Idaho;
Broken Arrow, Okla.; and Ames, Iowa.

Though they did not name the affected cities in this most recent
security incident, researchers said that five of the eight cities were
also affected in the previous breaches.

A patch was issued for the Click2Gov vulnerability in 2017, but
researchers said that the 2018 and 2019 breaches may have stemmed from
municipalities not updating their systems.

However, researchers say, based on an analysis of both the skimmer and
the infrastructure, they could not find any connections between this
most recent breach and the incidents in 2018 and 2019.

“It is not clear at this time if this attack which we identified is
connected to the earlier breaches, since nothing about their technical
details indicate a connection,” said researchers. “The only connection
is that five of the affected cities in the current incident were also
affected in 2018; while two were included in the 2019 incident.”

The Click2Gov software was developed by Superion, which has since
merged with other companies to form a new company called CentralSquare
Technologies in July 2018. According to Risk Based Security, there
appears to be between 600 to 6,000 installations of Click2Gov indexed.

CentralSquare Technologies did not return a request for comment from Threatpost.

Regardless, the incident show that credit card skimming attacks are
still a major threat to online merchants. Magecart in particular has
targeted various websites, from the Nutribullet website to an Olympics
ticket reseller. And in April, researchers observed a new skimmer from
the Magecart Group actively harvesting payment-card data from 19
different victim websites, mainly belonging to small- and medium-sized
businesses (SMBs), for several months.

“During 2019, we also saw that academic institutions and hotel chains
were targeted by similar attacks. This time, the attacker targeted the
websites of various local governments,”  said Trend Micro researchers.

More information about the BreachExchange mailing list