Security Experts:

Connect with us

Hi, what are you looking for?



Click2Gov Attacks on U.S. Cities Attributed to Previously Unknown Group

A previously unknown financially motivated threat group is believed to be behind a series of attacks whose goal was to obtain payment card data from U.S. cities relying on Click2Gov software for utility bill payments.

A previously unknown financially motivated threat group is believed to be behind a series of attacks whose goal was to obtain payment card data from U.S. cities relying on Click2Gov software for utility bill payments.

Click2Gov, a product developed by Superion, is designed to provide cities “interactive self-service bill-pay options for utilities, community development and finance.”

The first reports of breaches at Click2Gov customers emerged in October 2017, when Superion published a statement saying that suspicious activity had been detected at some customers using on-premise servers. The company said its investigation, which had been assisted by a PCI forensic investigation firm, had not found any evidence of credit card scrapers or credit card data extraction.

In a follow-up statement published in June 2018, Superion said it had released a patch for its own software and provided customers with patches for a third-party software used by Click2Gov in order to address the vulnerabilities exploited by the attackers.

Risk Based Security reported in June, just before Superion published its follow-up statement, that at least 10 cities in the United States had notified citizens that their payment information had been exposed as a result of an attack aimed at Click2Gov. Some even reported fraudulent transactions that may have resulted from these incidents.

Axios’ Codebook reported a few days later that the third-party software referenced by Superion was Oracle WebLogic, which has been known to be plagued by several vulnerabilities exploited by malicious actors for various purposes.

FireEye has also been tracking the Click2Gov attacks and notes that additional victims have been identified since June. The security firm has found and analyzed the malware used by the attackers, which it has described as “moderately sophisticated.”

FireEye says the attacks have been carried out by a financially motivated group that it has not seen until now.

Based on its analysis, FireEye believes the attack likely starts with exploitation of an Oracle WebLogic vulnerability – candidates include CVE-2017-3248, CVE-2017-3506 and CVE-2017-10271 – that allows the hackers to compromise Click2Gov webservers and upload arbitrary files.

Once they gain access, they upload a web shell named SJavaWebManage to interact with the server and enable debug mode in a Click2Gov configuration file so that the software writes payment card information to a log file in plain text.

Next, the attackers upload a tool tracked by FireEye as FIREALARM to parse these log files and exfiltrate the harvested credit card data. Additionally, the cybercriminals leverage a tool named SPOTLIGHT to intercept payment cards from HTTP network traffic.

The security firm says all of these malware families have very low detection rates based on VirusTotal data.

The company believes the campaign is the work of a group rather than a single individual based on the wide range of skills needed to pull off the attacks.

“The attacker’s understanding of the Click2Gov host requirements, process logging details, payment card fields, and internal communications protocols demonstrates an advanced knowledge of the Click2Gov application,” FireEye said in a blog post. “Given the manner in which underground forums and marketplaces function, it is possible that tool development could have been contracted to third parties and remote access to compromised systems could have been achieved by one entity and sold to another. There is much left to be uncovered about this attacker.”

“Although the TTPs observed in the attack lifecycle are generally consistent with other financially motivated attack groups tracked by FireEye, this attacker demonstrated ingenuity in crafting malware exploiting Click2Gov installations, achieving moderate success,” the company added.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.