A security firm has revealed that a payment portal used for local government services, such as paying for utilities and permits, has been targeted by hackers. Self-hosted Click2Gov servers, operated by local governments across the U.S., were most likely breached through a vulnerability in the portal's web server. This allowed attackers to upload malware and steal payment card data over "weeks to numerous months," Nick Richard, principal threat intelligence analyst at FireEye, said, according to reports.
The attackers uploaded a tool called FIREALARM to search for credit card data, while a second piece of malware called SPOTLIGHT was used to intercept credit card data from unencrypted network traffic. The stolen data was then encoded and exfiltrated. Credit card numbers, expiration dates and verification numbers, along with names and addresses, were taken, though it is unclear how many victims have been affected.
“Any web server running an unpatched version of Oracle WebLogic would be vulnerable to exploitation, thus allowing an attacker to access the web server to manipulate Click2Gov configuration settings and upload malware,” said Richard.
Though FireEye didn’t say who was responsible for the attacks, it did reveal that it was “likely” a team of hackers, given the skills needed to carry out the breach.
“There is much left to be uncovered about this attacker,” FireEye said in a blog post, adding that the hackers will “continue to conduct interactive and financially motivated attacks.”
However, following a confirmed breach last year, Superion, which owns Click2Gov, argued in June that there was “no evidence” the portal was unsafe to use. The company issued patches after several customer complaints that their credit card information had been stolen, and Superion said it was up to the local governments and municipalities to patch their servers so that residents would be protected.