A new wave of data breaches in eight U.S. city governments is the work of online scammers using malicious code against the troubled online payments platform Click2Gov, according to research published Friday by the cybersecurity firm TrendMicro.
According to TrendMicro, the latest attacks began on April 10, when the Click2Gov pages operated by the eight cities, which were not identified, were compromised with the malicious code. Once the payment platforms were infected, residents of those cities who logged on to conduct business with their local governments unknowingly gave their payment information to the hackers. The malicious code is a “skimmer” that latches onto the button on the payment form that completes a transaction.
For more than two months, the attackers have been collecting people’s full names, credit card numbers — including expiration dates and security codes — and addresses. TrendMicro’s researchers also believe the attacks are still active.
And compared to previous Magecart attacks, infiltrating Click2Gov sites was relatively easy.
“Unlike other skimmers which grab data on various types of payment forms, the skimmer used here is rather simple and only works on a Click2Gov payment form,” a TrendMicro blog post read. “No obfuscation or anti-debugging techniques were used.”
Click2Gov has for several years posed data-security problems for the many small and midsize local governments that use it to process transactions like utility payments, parking fines, usage permits and other fees. Since 2017, dozens of municipalities have had to tell their residents that their personal data had been swept up in breaches targeting the payment platform. Click2Gov’s publisher, CentralSquare Technologies, has previously said that any vulnerabilities were tied to an Oracle application server that some customers used to run the platform. As many as 6,000 local governments across the United States use Click2Gov, though some breach victims have started turning to other providers.
But according to TrendMicro, there’s no evidence directly linking the recent Magecart-style attacks to incidents in 2018 and 2019. Still, five of the eight cities analyzed had been victims of previous Click2Gov breaches.