Posted on September 23, 2019 at 2:43 AM
In widely reported attacks in 2017 and 2018, cybercriminals compromised the systems behind Click2Gov, a self-service portal that lets residents pay their bills, in several cities and localities across the United States.
As a result, the attackers affected a whopping 300,000 payment cards and made about $2 million in total. Now another wave of attacks has hit the platform, and thousands of records have been transferred to the dark web, according to specialists in the field this week.
The story was originally reported by Ars Technica. The new wave of intrusions actually started last month, and cybercriminals have managed to breach Click2Gov systems in eight different locations. Six of those eight were already affected in the 2017 and 2018 attacks, according to a post published by Gemini Advisory, a security company.
Updated Security Systems
The most troubling development in the case is that the majority of the breached websites were already running up-to-date, patched systems, which are supposed to be protected against recently disclosed vulnerabilities. As a result, the industry still does not know for certain how the attackers managed to compromise the portals.
Click2Gov is a bill payment system used by several companies and municipalities to facilitate a platform for the community to pay for a myriad of services and utilities, also including parking tickets. The resource also allows users to perform other types of transactions or operations.
Christopher Thomas and Stas Alforov, two researchers at Gemini Advisory, reported that the second wave of attacks on Click2Gov systems shows the portals remain vulnerable despite the presence of patched systems. They emphasized that organizations and institutions must monitor their systems for signs of compromise, in addition to regularly applying patches.
Another worrisome development: over 20,000 records, filled with valuable cardholder information, were stolen in the second wave of attacks and have been offered for sale on the dark web, specifically on criminal forums.
Readers may note that only eight cities in five states were affected by the new wave of Click2Gov attacks, but the reality is that the problem is far broader, and cardholders in all 50 states have been compromised. A card user need not live in one of those eight locations; anyone who performed a transaction through a compromised portal has put their card and personal information at severe risk.
So far, the compromised Click2Gov websites are those of Deerfield Beach (Florida), Palm Bay (Florida), Milton (Florida), Bakersfield (California), Coral Springs (Florida), Pocatello (Idaho), Broken Arrow (Oklahoma), and Ames (Iowa).
CentralSquare Technologies, the firm that markets Click2Gov, said in a statement that it has received reports of customer credit information being breached or accessed by unauthorized parties, but that those cases are confined to specific towns and locations.
The firm also noted that it has been performing forensic analysis and contacting clients that use the tool, working tirelessly to update and protect their systems. According to the company, only a small number of clients have reported unauthorized access to their accounts and card information.
A Web Shell
According to a FireEye publication from 2018, the first wave of attacks typically began when the cybercriminals uploaded a web shell to the compromised Click2Gov servers. The web shell was then used to switch the systems into debug mode.
The most damaging step followed: in debug mode, the application wrote payment card information to plaintext log files. The attackers then uploaded two additional custom tools. The first, dubbed "Firealarm," parsed the logs, extracted the payment card data, and deleted any log entries that did not contain error messages. The second, dubbed "Spotlight," intercepted payment card data directly from HTTP traffic.
According to the FireEye post, the exact method the cybercriminals used to gain initial access was not known. However, the publication says they most likely used a well-known exploit targeting Oracle WebLogic, which gave the attackers the ability to upload arbitrary files or access the servers remotely.