In December 2018, Gemini Advisory covered a breach of Click2Gov, a self-service bill-pay portal for utilities, community development, and parking tickets, which affected dozens of cities across the United States and Canada between 2017 and late 2018. During that time, over 300,000 Card Not Present (CNP) records were compromised across a variety of US cities using this portal. Vulnerability intelligence company Risk Based Security recorded between 600 and 6,000 installations of Click2Gov, providing a vast threat surface. Superion (now CentralSquare Technologies), the company that owns Click2Gov, rolled out new updates to its portal. Many of the original victim cities had failed to maintain patched systems, so they subsequently patched their Click2Gov portals to restore security and prevent future such compromises.
However, Gemini has observed a second wave of breaches. The beginning of this second wave appears to be August 2019, and since this time, over 20,000 records from eight cities in five different states have been offered for sale in the dark web. Analysts confirmed that many of the affected towns were operating patched and up-to-date Click2Gov systems but were affected nonetheless. Given the success of the first campaign, which generated over $1.9 million in illicit revenue, the threat actors would likely have both the motive and the budget to conduct a second Click2Gov campaign.
After the initial breach, Superion CEO Simon Angove released a statement in October 2017 confirming that the company identified malicious activity on a small number of customers’ computer networks involving possible attempts to steal user data. In June 2018, the company posted an updated statement in which it claimed to have addressed the issue identified in 2017 and deployed necessary patches. Superion concluded that there was no evidence that it was unsafe to make payments via Click2Gov on fully patched hosted or secure on-premise networks. However, neither statement, previously found at this link, is currently available on the company’s website.
Now known as CentralSquare Technologies due to a large merger, the company stated that only users who key in payment card details appeared to be susceptible to card interception attacks, while those relying on automated bill pay may not be affected. Only locally hosted systems were vulnerable to attacks; cloud-hosted instances were unaffected.
While CentralSquare had taken mitigating actions and deployed patches, the portal remains a viable attack surface. Cybercriminals often hit the same target twice. For example, luxury mattress company Amerisleep was originally breached by the Magecart hacking group in 2017 and was attacked again in December 2018, and a third time in January. Dutch security researcher Willem de Groot claims that one in five online stores infected by Magecart malware were infected multiple times. It is therefore unsurprising for the threat actors behind the Click2Gov breaches to strike more than once.
Accordingly, six of the eight cities’ systems were compromised in the original breach. These eight cities were in five states, but cardholders in all 50 states were affected. Some of these victims resided in different states but remotely transacted with the Click2Gov portal in affected cities, potentially due to past travels or to owning property in those cities.
Gemini attempted to reach out to several of these eight towns about the second wave of breaches; while most did not respond, those that did confirmed a breach in their Click2Gov utility payment portals. Certain towns that did not respond to Gemini’s outreach have taken their Click2Gov portals offline shortly after we attempted to contact them. The towns that appear to have been affected are listed in the table below, with those breached for the first time colored in light blue:
CentralSquare has also confirmed the breach in a statement to DataBreaches[.]net, claiming “We have recently received reports that some consumer credit card data may have been accessed by unauthorized or malicious actors on our customers’ servers. It is important to note that these security issues have taken place only in certain towns and cities.” CentralSquare directly mentioned a “vulnerability” in its Click2Gov portal through which the threat actors obtained unauthorized access and claimed that this vulnerability is now “closed.”
The second wave of Click2Gov breaches indicates that despite patched systems, the portal remains vulnerable. It demonstrates cybercriminals’ willingness to repeatedly target the same victims and underscores that while responsible security habits are constructive, there is no perfectly secure system. It is thus incumbent upon organizations to regularly monitor their systems for breaches in addition to keeping up to date on patches. Gemini Advisory continues to monitor the second wave of Click2Gov breaches as more records are posted for sale in the dark web.
Gemini Advisory provides actionable fraud intelligence to the largest financial organizations in an effort to mitigate ever-growing cyber risks. Our proprietary software utilizes asymmetrical solutions in order to help identify and isolate assets targeted by fraudsters and online criminals in real-time.