User Payment Data Stolen from U.S Government Payment Portals

Reports reveal that user payment data was stolen from many local Click2Gov government systems across US cities.

There were rumors surfacing last year itself that the local government portal service may have been subject to a data breach. There were some reports later, in October 2017 and June 2018, which confirmed the happening of a security incident involving scraping of payment card details.

ZDNet reports, “Developed by Central Square, formerly known as Superion, it was rumored last year that the local government portal service may have been subject to a data breach…In September this year, cybersecurity firm FireEye confirmed that a security incident had taken place, in which threat actors had planted never-before-seen malware to scrape payment card details from US citizens.”

The report then was that two new malware strains, namely Spotlight and Firealarm, were used for the breach, which involved accessing payment card data and extracting payment details.

In a report dated 18 December 2018 and titled ‘Dozens of Municipalities Exposed in Click2Gov Software Compromise’, security research firm Gemini Advisory also makes these revelations. “During routine monitoring of the underground marketplaces that specialize in the sale of compromised payment card data, we noticed an out-of-pattern concentration of victims located in small-to-medium US cities. Further analysis of the card data linked to these locations and collaboration with partner banks have determined that records likely been stolen from local municipal services that license Click2Gov software, a popular payment technology primarily used by local governments to receive various payments from their residents”, reads the Gemini Advisory report.

The report, after analyzing the incident, states that the magnitude of the breach was really large and that it impacted at least 294,929 payment records across over 46 cities in the U.S and one in Canada. The hackers put up the stolen payment cards for sale as well.

Stas Alforov of Gemini Advisory writes, “In our analysis of all 20 reported instances of the Click2Gov breaches, we have definitively confirmed that, in total, at least 111,860 payment cards were compromised. Also, in each instance, the stolen payment cards were uploaded for sale either during the breach or immediately after the breach was identified and reported, with the average price of $10 per card.”

He adds, “Moreover, further analysis revealed that the true magnitude of the breach was significantly larger than what was initially reported, with over 46 cities in the US and one city in Canada compromised as part of the Click2Gov Breach, and 294,929 payment cards stolen as of this writing, meaning that less than 50% of the affected cities have identified or reported a compromise in their utility payment system. Breached payment card data was linked to over 1000 financial institutions, with 65% of stolen records associated with the top 20 affected banks.”

While many cities have identified and acknowledged instances of Click2Gov breach, several large financial institutions too have confirmed breach in the local online utility payment system. This has happened in cities like Laredo, TX, Pompano Beach, FL, Lacey, WA, Hanover County, VA and Topeka, KA. It is estimated that the threat actors had earned at least $1.7 million by selling the stolen data in the Dark Web.

Gemini Advisory, upon investigating the incidents, had identified two persons who could have been associated with the hacks. The report states, “In the course of our investigation we have identified two individuals responsible for the monetization of compromised payment card data on the dark web, and with a high degree of confidence we assess that both actors belong to the same hacking group responsible for the attacks on Click2Gov clients. Moreover, a recent FireEye report further confirms our findings indicating that the attacks were carried out by the same team of individuals.”

Central Square Technologies had clarified, as per reports, that the initial vulnerability that was detected in 2017 was successfully mitigated and users were advised to deploy a software patch. But then, as per reports, the hackers seem to have uncovered another undetected vulnerability, which is yet to be patched. Central Square had also acknowledged, to Gemini Advisory that despite patch deployment “the system remains vulnerable for an unknown reason.” However, efforts are on to resolve the issue.