Click2Gov, a software application popular among municipalities for processing online payments of utility bills and fees, has been compromised in 46 U.S. cities and one Canadian location, according to an analysis released this week by Gemini Advisory.
The New York City-based data-security firm estimates 294,929 payment card records have been stolen. Much of the data has been put up for sale on the Dark Web, with average selling prices of $10 per card, according to Gemini. Hackers have earned at least $1.7 million selling the data, Gemini estimates.
Click2Gov is offered by CentralSquare Technologies, a Lake Mary, Fla.-based company created in September by the merger of several software firms serving the public sector. They included Click2Gov’s provider, Superion. Click2Gov reportedly has at least 600 installations.
Several attempts by Digital Transactions News to reach a CentralSquare spokesperson were unsuccessful.
Local news outlets began reporting payment card compromises involving utility payments in early 2017, Gemini said. That October, Superion issued a statement about reports of suspicious activity involving a “small number” of customers, and that it notified customers of “certain potential vulnerabilities” in their networks.
Superion said all affected systems were locally hosted and that its cloud-based Click2Gov service was not compromised. In an updated statement in June, Superion said it had “deployed the necessary patch to our software and assisted customers in the application of patches related to a third-party component. At this time, we have no evidence showing that it is unsafe to make payments utilizing Click2Gov on hosted or secure on-premise networks with recommended patches and configurations.”
But the patching apparently has not been fully successful. “Superion acknowledged directly to Gemini Advisory that despite broad patch deployment the system remains vulnerable for an unknown reason,” Gemini’s report says. Part of the problem is that some municipalities have failed to install the patches, according to one media report.
Compromises are still popping up. Since early October, Saint Petersburg, Fla., Bakersfield, Calif., and Ames, Iowa “all reported online utility payment breaches,” the report says. “All three reports claimed that the point of compromise was the Click2Gov software.”
Breached card data has been linked to more than 1,000 financial institutions, with 65% of stolen records affiliated with just 20 card issuers, the report says.
Gemini said that through its investigation it has “identified two individuals responsible for the monetization of compromised payment card data on the Dark Web, and with a high degree of confidence we assess that both actors belong to the same hacking group responsible for the attacks on Click2Gov clients.”
Stanislav “Stas” Alforov, Gemini’s director of research and development, tells Digital Transactions News by email that “it’s hard to tell right now” where those individuals are based.
“Although at the moment we do not have evidence to make concrete attribution, we do know that the marketplace where the stolen cards have been sold is mostly used by the Eastern European fraudsters,” Alforov says. He adds that the hacking group “currently does not have a name, and at this time we are not aware of any association between them and any other known data breaches.”
Alissa Knight, a cybersecurity analyst at Boston-based Aite Group LLC, tells Digital Transactions News in an email message that “the attackers are likely exploiting vulnerabilities in the application server that Click2Gov relies upon, which looks to be Oracle WebLogic.”
According to Knight, “there is a systemic problem across organizations with a lack of or poorly documented and executed patch-management strategy for critical servers, especially Web application servers where patching requires downtime or the potential for failed upgrades. This leads to most organizations running vulnerable versions of Web applications and database software, such as Oracle WebLogic. Organizations need to have robust patch/vulnerability-management policies and procedures and make it a part of their cybersecurity program.”