
Hackers Earn 1.7 Million from Click2Gov Breach

Paying bills, fines and taxes online is far more convenient than standing in a queue waiting for an open teller. That convenience needs to be balanced with security: users are entering credit card details and other sensitive personal information, and the measures protecting that data should be robust. That may be an ideal rather than the norm. Click2Gov, a website which enables users to pay bills online, appears not to have taken security as seriously as it should have.

Click2Gov is used by many US states and cities to expedite the payment of utility bills and fines by residents. It is developed by Central Square, formerly known as Superion. Rumors that the local government payment service had suffered a data breach circulated in 2017, and they were confirmed in September 2018, when FireEye published an article detailing the breach. According to the researchers, the hackers deployed a new, never-before-seen malware strain designed to scrape payment card details from US citizens.

Researchers reported that the new malware strains, FIREALARM and SPOTLIGHT, were able to parse logs for payment card data and extract payment details. FIREALARM is a command line tool written in C/C++ that accepts three numbers as arguments, year, month and day, represented in a sample command line as evil.exe 2018 09 01. Given that example, FIREALARM attempts to open and parse the log for each day from 2018-09-01 until the present day. If a log file exists, the malware parses it for account details and a plethora of credit card details, including CVV numbers and expiry dates.
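The premise of FIREALARM is that the portal wrote card data into its web-server logs in plaintext. As an added example (not code from the original article, from FireEye or from Central Square), the following Python script performs the same date-range scan over daily log files that FIREALARM is described as performing, but from the defender's side: run against a portal's own logs, it shows whether card numbers are being logged at all, which is the precondition for this kind of theft. The IIS-style file naming (u_exYYMMDD.log), the log line format and the sample log lines are constructed assumptions, not taken from the breach.

```python
"""Audit daily web-server access logs for payment-card numbers (added example)."""
import re
from datetime import date, timedelta

# Constructed sample logs, standing in for files on disk. The second file holds
# a 16-digit number that fails the Luhn check, so it is not reported as a card.
SAMPLE_LOGS = {
    "u_ex180901.log": (
        "2018-09-01 10:00:01 GET /pay card=4111111111111111&exp=0921&cvv=123 200\n"
        "2018-09-01 10:00:05 GET /index.html - 200\n"
    ),
    "u_ex180902.log": (
        "2018-09-02 09:12:44 POST /pay - 200\n"
        "2018-09-02 09:13:10 GET /pay?ref=4111111111111112 200\n"
    ),
}

# A run of 13 to 19 digits that is not embedded in a longer digit string.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts most random digit runs (order numbers, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep BIN and last four so the finding is useful without copying the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def daily_log_names(start: date, end: date):
    """Yield u_exYYMMDD.log (assumed IIS naming) for each day, start to end inclusive."""
    day = start
    while day <= end:
        yield "u_ex" + day.strftime("%y%m%d") + ".log"
        day += timedelta(days=1)


def scan_logs(start: date, end: date = None, logs: dict = None):
    """Return (filename, line number, masked PAN) for every Luhn-valid card number.

    Days with no log file are skipped, as the FIREALARM description says it does.
    `logs` maps filename to file contents; pass None to use the constructed samples.
    """
    end = end or date.today()
    logs = SAMPLE_LOGS if logs is None else logs
    findings = []
    for name in daily_log_names(start, end):
        text = logs.get(name)
        if text is None:
            continue
        for line_no, line in enumerate(text.splitlines(), start=1):
            for pan in PAN_RE.findall(line):
                if luhn_ok(pan):
                    findings.append((name, line_no, mask(pan)))
    return findings


def audit_sample_logs():
    """Scan the constructed samples over the three days starting 2018-09-01."""
    return scan_logs(date(2018, 9, 1), end=date(2018, 9, 3))


if __name__ == "__main__":
    for hit in audit_sample_logs():
        print("card data logged in %s line %d: %s" % hit)
```

The Luhn check is what separates a card number from any other long digit run, and the masking keeps the audit output itself from becoming a second copy of the card data. A single hit means the application is logging a request parameter it must never log; the fix is in the application and in purging the affected log files, not in scanning more often.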


SPOTLIGHT works in a similar way, but researchers concluded that it gives the attacker better persistence on the host and collects payment card data continuously, ensuring that the mined data is not lost even if an administrator deletes the log files. Central Square is still trying to establish exactly how the data breach took place. The company did deploy a patch in June to resolve the original vulnerabilities the hackers used to infiltrate Click2Gov. The breach is believed to have compromised 294,929 payment records across at least 46 cities in the US, as well as one in Canada.

Cost of the Breach

While Central Square admits there are still many unknowns, a new report by Gemini Advisory has shed some light on the actual cost of the breach. Gemini's findings further suggest that fewer than 50 percent of the cities which lost customer data either know about or have publicly disclosed the breaches at their sites. The most important finding relates to how much the hackers themselves have earned: by selling the stolen card data on the Dark Web, the threat actors have earned at least 1.7 million USD.

Researchers also found that some local systems are still suffering security incidents. Saint Petersburg, Florida; Bakersfield, California; and Ames, Iowa have all reported utility payment portal data breaches in the last three months, and payment data from those cities has been found for sale on the Dark Web. Across the 20 reported breaches, Gemini could confirm that at least 111,860 payment cards were compromised. In each instance the stolen cards were put up for sale either during the breach or immediately after it was identified and reported, at an average price of 10 USD per card.

Gemini Advisory has been working closely with Central Square and federal law enforcement to identify those responsible and to establish how the breach actually occurred. According to Central Square, the initial vulnerability identified in 2017 had been successfully dealt with; however, the hackers appear to have found another, previously undetected vulnerability, which still has to be patched. Central Square has also stated that only users who key in their payment card details appear to be susceptible to the card interception attacks, meaning that users of the automated pay service are unaffected. Researchers have been able to track two hackers via the Dark Web marketplace used to sell the card details, and believe both are likely part of a wider criminal ring.

Remediation

Gemini Advisory recommends:

“Thus, Gemini Advisory suggests that users who are directed to pay through the Click2Gov system identify alternative means of making payments until the system threat has been eliminated. Moreover, all local municipalities that utilize the Click2Gov software should confirm that the software is up-to-date and fully patched, and contact CentralSquare immediately if assistance is needed. Gemini Advisory is monitoring the development of the Click2Gov incident closely, and in the case that new victims are identified, all clients will be notified accordingly.”

A recent article published by Fortune on the matter further advised Click2Gov users to follow the usual measures against identity theft, including replacing their cards and watching for damage to their credit scores. The breaches are unlikely to result in direct financial loss for the users whose cards have been compromised, mainly because banks and card issuers foot the bill for fraud committed with stolen card data.

The breach is novel for two reasons: the exploitation of a previously unknown vulnerability and the use of never-before-seen malware. What is not novel is the way the hackers cash in on the stolen data. Again and again, security researchers see such data for sale on the Dark Web and, by all accounts, it remains incredibly profitable.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
