Patched Click2Gov Flaw Still Afflicting Local Govs

magecart web skimmer

Local governments aren’t updating the vulnerable systems.

A vulnerability in a popular municipality payment software, Click2Gov, has left hundreds of thousands of civilian payment cards compromised – and the hacks are ongoing, a new report found.

Continual breaches of the vulnerable software have led to the compromise of at least 294,929 payment cards across the country – earning the criminals behind the breach at least $1.7 million, Gemini Advisory said on Tuesday.

Making matters worse, the software was patched in 2017 – yet the breaches are still continuing, in part due to municipalities that have not updated, Stas Alforov, director of research and development at Gemini Advisory, told Threatpost.

“Many municipalities are not doing their job of patching the systems or keeping regular, system administrator tasks,” he said.

click2gov payment card breach

Click to expand

Click2Gov is a popular software solution used by local governments for receiving parking tickets or taxes. The software was developed by Superion, which has since merged with other companies to form a new company called CentralSquare Technologies in July 2018. According to Risk Based Security, there appears to be between 600 to 6,000 installations of Click2Gov indexed.

CentralSquare Technologies did not return a request for comment.

The breach stems back to 2017, when Superion first released a statement confirming that malicious activity was detected on customers’ computer networks.

Essentially, the attack was rooted in a compromised Click2Gov webserver, said FireEye in a report. An attacker was able to install a web shell, SJavaWebManage, and then upload a tool that allowed them to parse log files, retrieve payment card information and remove all log entries.

click2gov payment card breach

Click to expand

In a June 2018 statement on the matter, Superion said it has deployed the necessary patch to its software. It added it assisted customers in the application of patches related to a “third-party component.”

“At this time, we have no evidence showing that it is unsafe to make payments utilizing Click2Gov on hosted or secure on-premise networks with recommended patches and configuration,” the company said. “Superion does not control our customers’ networks, so we recommend citizens contact their municipality or county if they have any questions related to security.”

However, despite this patch, “Superion acknowledged directly to Gemini Advisory that despite broad patch deployment the system remains vulnerable for an unknown reason,” researchers said.

That could be because local governments have not updated their systems– leading them to become compromised. Another option is that hackers have uncovered another undetected vulnerability in the software, which has yet to be patched, Alforov told Threatpost. 

Regardless, just in the past 30 days, researchers identified over 12,283 compromised payment cards associated with the Click2Gov breach.  Researchers were able to track these cards as they were uploaded for sale on the Dark Web (with an average price of $10 per card).

Overall, there were 46 confirmed impacted local governments – including  Saint Petersburg, Florida (on October 2) Bakersfield, California (November 14), and Ames, Iowa (December 2). The most Click2Gov-related breach was of Pompano Beach, FL (yet to be disclosed publicly), researchers said.

Alforov said that impacted municipalities should reach out to CentralSquare for assistance:

“Users who are directed to pay through the Click2Gov system [should] identify alternative means of making payments until the system threat has been eliminated,” according to Gemini Advisory’s post. “Moreover, all local municipalities that utilize the Click2Gov software should confirm that the software is up-to-date and fully patched, and contact CentralSquare immediately if assistance is needed. Gemini Advisory is monitoring the development of the Click2Gov incident closely, and in the case that new victims are identified, all clients will be notified accordingly.”

Suggested articles