Dozens of Municipalities Exposed in Click2Gov Software Compromise

By Stas Alforov on December 18, 2018

Background

During routine monitoring of the underground marketplaces that specialize in the sale of compromised payment card data, we noticed an out-of-pattern concentration of victims located in small-to-medium US cities. Further analysis of the card data linked to these locations, together with collaboration with partner banks, determined that the records had likely been stolen from local municipal services that license Click2Gov software, a popular payment technology primarily used by local governments to receive various payments from their residents.

Key Findings

  • Oceanside, CA – the first breach of Click2Gov software, publicly reported in 08/2017.
  • Pompano Beach, FL – the most recent case of Click2Gov compromise, yet to be disclosed publicly.
  • 46 confirmed compromised US locations and 1 Canadian location.
  • As of this writing, 294,929 payment records have been compromised, earning criminals at least 1.7 million dollars.
  • Our analysis shows that all breaches are part of a larger hacking operation conducted by the same hacking group, and are not random in nature.
  • Superion acknowledged directly to Gemini Advisory that, despite broad patch deployment, the system remains vulnerable for an unknown reason.
  • According to Superion, the affected systems were all locally hosted, while cloud-based Click2Gov software was not affected.

Analysis

As early as the spring of 2017, local news outlets and researchers published numerous reports identifying payment card compromises that were attributed to local utility payment systems. The majority of the reporting claimed that the point of compromise was a payment software called Click2Gov, which was hosted on local servers. Superion’s Click2Gov software provides a user-friendly interface that allows users to pay for utilities, permits, and other local government services. According to Risk Based Security, there are at least 600, or as many as thousands, of installations of Click2Gov nationwide and in Canada.

In October 2017, Superion CEO Simon Angove released a statement confirming that malicious activity was identified on a small number of customers’ computer networks, which involved possible attempts to steal user data. In June 2018, Superion posted an updated statement claiming to have addressed the issue identified in 2017, which involved suspicious activity on their clients’ servers that were used to host Superion’s Click2Gov product. According to this updated statement, Superion had deployed the necessary patches and found no evidence that it was unsafe to make payments utilizing Click2Gov on fully patched hosted or secure on-premise networks.

Despite Superion’s efforts to address the vulnerability in Click2Gov software, Saint Petersburg, Florida, Bakersfield, California, and Ames, Iowa all reported online utility payment breaches on October 2, 2018, November 14, 2018, and December 2 respectively. All three reports claimed that the point of compromise was the Click2Gov software. Prior to the announcements, Gemini Advisory identified the payment card data from all three breaches posted for sale between September 23, 2018 and November 28, 2018.

In our analysis of all 20 reported instances of the Click2Gov breaches, we have definitively confirmed that, in total, at least 111,860 payment cards were compromised. In each instance, the stolen payment cards were uploaded for sale either during the breach or immediately after the breach was identified and reported, at an average price of $10 per card.

Image 1: The brightest points show the locations of the cities with the largest number of victims.

Moreover, further analysis revealed that the true magnitude of the breach was significantly larger than what was initially reported: over 46 cities in the US and one city in Canada were compromised as part of the Click2Gov breach, and 294,929 payment cards have been stolen as of this writing. This means that less than 50% of the affected cities have identified or reported a compromise in their utility payment system. Breached payment card data was linked to over 1000 financial institutions, with 65% of stolen records associated with the top 20 affected banks.

The following cities, listed with their number of compromised records, are just a few of the many unreported instances of the Click2Gov breach. Several large financial institutions have confirmed a breach in the local online utility payment system in the below cities through Common Point of Purchase (CPP) analysis.

  • Laredo, TX – 38,666
  • Pompano Beach, FL – 9,817
  • Lacey, WA – 6,604
  • Hanover County, VA – 5,937
  • Topeka, KS – 4,064
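
The Common Point of Purchase analysis named above, as an added example that is not from the original report or from any bank's tooling: it ranks merchants by how over-represented they are in the histories of cards already known to be compromised, then lists cards that used the same merchant but have not yet been flagged. Card IDs, merchant names and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: card id -> merchants seen in its recent history.
# Merchant names are hypothetical.
HISTORY = {
    "c1": {"city-utility-portal", "national-grocer", "gas-station"},
    "c2": {"city-utility-portal", "national-grocer"},
    "c3": {"city-utility-portal", "national-grocer"},
    "c4": {"city-utility-portal"},
    "c5": {"city-utility-portal", "national-grocer"},
    "c6": {"national-grocer"},
    "c7": {"national-grocer", "gas-station"},
    "c8": {"national-grocer"},
    "c9": {"national-grocer"},
    "c10": {"national-grocer"},
}
# Cards a bank has already seen offered for sale (constructed).
COMPROMISED = {"c1", "c2", "c3", "c4"}


def cpp_candidates(history, compromised, min_share=0.8, min_lift=2.0):
    """Return (merchant, share, lift) for likely common points of purchase.

    share = fraction of compromised cards that used the merchant
    lift  = share divided by the merchant's usage rate across all cards,
            which filters out merchants that are simply popular.
    """
    total = len(history)
    bad_total = sum(1 for card in history if card in compromised)
    seen_all, seen_bad = defaultdict(int), defaultdict(int)
    for card, merchants in history.items():
        for merchant in merchants:
            seen_all[merchant] += 1
            if card in compromised:
                seen_bad[merchant] += 1
    ranked = []
    for merchant, bad in seen_bad.items():
        share = bad / bad_total
        lift = share / (seen_all[merchant] / total)
        if share >= min_share and lift >= min_lift:
            ranked.append((merchant, round(share, 2), round(lift, 2)))
    return sorted(ranked, key=lambda row: (-row[2], -row[1]))


def exposed_cards(history, compromised, merchant):
    """Cards that used the suspected merchant but are not yet flagged."""
    return sorted(card for card, seen in history.items()
                  if merchant in seen and card not in compromised)
```

The lift threshold is what keeps a merchant used by nearly every cardholder from being reported as the point of compromise.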

In the course of our investigation, we have identified two individuals responsible for the monetization of compromised payment card data on the dark web, and with a high degree of confidence we assess that both actors belong to the same hacking group responsible for the attacks on Click2Gov clients. Moreover, a recent FireEye report further confirms our findings, indicating that the attacks were carried out by the same team of individuals. For the past year, the group has been methodically seeking cities that only utilize Click2Gov software, deploying highly effective malware, and earning at least 1.7 million dollars from the sale of stolen cards.

Image 2: Distribution of stolen payment cards by types.

In the past 30 days, Gemini Advisory has identified over 12,283 compromised payment cards associated with the Click2Gov breach, of which approximately 4,000 cards are associated with the previously unseen Topeka, KS, indicating that the hackers still maintain access to the infiltrated systems.

Gemini Advisory has provided all of the Click2Gov associated breach information to Federal Law Enforcement and is actively working to assist them in further investigation. Furthermore, we have contacted Superion, now known as CentralSquare Technologies, and have shared our findings, including the list of affected cities, in order to assist them in victim notification.

According to CentralSquare Technologies, the initial vulnerability which was identified in 2017 had been successfully mitigated, with all users being advised to deploy the software patch as soon as possible. However, it appears that the attackers uncovered another undetected vulnerability, which has yet to be patched.

CentralSquare conveyed that only users who key in their payment card details appear to be susceptible to the card interception attacks, while those who are currently enrolled in the automated bill pay option may not be affected. Moreover, the results of the intrusion analysis conducted by CentralSquare suggest that only locally hosted systems were found to be vulnerable to the attacks, while cloud-hosted instances were unaffected.

Thus, Gemini Advisory suggests that users who are directed to pay through the Click2Gov system identify alternative means of making payments until the system threat has been eliminated. Moreover, all local municipalities that utilize the Click2Gov software should confirm that the software is up-to-date and fully patched, and contact CentralSquare immediately if assistance is needed. Gemini Advisory is monitoring the development of the Click2Gov incident closely, and in the case that new victims are identified, all clients will be notified accordingly.


Image 3: The list of compromised cities

Gemini Advisory Mission Statement

Gemini Advisory provides actionable fraud intelligence to the largest financial organization in an effort to mitigate the ever-growing cyber risks. Our proprietary software utilizes asymmetrical solutions in order to help identify and isolate in real-time assets targeted by fraudsters and online criminals.