Connect with us

Hi, what are you looking for?



Click2Gov Attacks on U.S. Cities Attributed to Previously Unknown Group

A previously unknown financially motivated threat group is believed to be behind a series of attacks whose goal was to obtain payment card data from U.S. cities relying on Click2Gov software for utility bill payments.

A previously unknown financially motivated threat group is believed to be behind a series of attacks whose goal was to obtain payment card data from U.S. cities relying on Click2Gov software for utility bill payments.

Click2Gov, a product developed by Superion, is designed to provide cities “interactive self-service bill-pay options for utilities, community development and finance.”

The first reports of breaches at Click2Gov customers emerged in October 2017, when Superion published a statement saying that suspicious activity had been detected at some customers using on-premise servers. The company said its investigation, which had been assisted by a PCI forensic investigation firm, had not found any evidence of credit card scrapers or credit card data extraction.

In a follow-up statement published in June 2018, Superion said it had released a patch for its own software and provided customers with patches for a third-party software used by Click2Gov in order to address the vulnerabilities exploited by the attackers.

Risk Based Security reported in June, just before Superion published its follow-up statement, that at least 10 cities in the United States had notified citizens that their payment information had been exposed as a result of an attack aimed at Click2Gov. Some even reported fraudulent transactions that may have resulted from these incidents.

Axios’ Codebook reported a few days later that the third-party software referenced by Superion was Oracle WebLogic, which has been known to be plagued by several vulnerabilities exploited by malicious actors for various purposes.

FireEye has also been tracking the Click2Gov attacks and notes that additional victims have been identified since June. The security firm has found and analyzed the malware used by the attackers, which it has described as “moderately sophisticated.”

FireEye says the attacks have been carried out by a financially motivated group that it has not seen until now.

Advertisement. Scroll to continue reading.

Based on its analysis, FireEye believes the attack likely starts with exploitation of an Oracle WebLogic vulnerability – candidates include CVE-2017-3248, CVE-2017-3506 and CVE-2017-10271 – that allows the hackers to compromise Click2Gov webservers and upload arbitrary files.

Once they gain access, they upload a web shell named SJavaWebManage to interact with the server and enable debug mode in a Click2Gov configuration file so that the software writes payment card information to a log file in plain text.

Next, the attackers upload a tool tracked by FireEye as FIREALARM to parse these log files and exfiltrate the harvested credit card data. Additionally, the cybercriminals leverage a tool named SPOTLIGHT to intercept payment cards from HTTP network traffic.

The security firm says all of these malware families have very low detection rates based on VirusTotal data.

The company believes the campaign is the work of a group rather than a single individual based on the wide range of skills needed to pull off the attacks.

“The attacker’s understanding of the Click2Gov host requirements, process logging details, payment card fields, and internal communications protocols demonstrates an advanced knowledge of the Click2Gov application,” FireEye said in a blog post. “Given the manner in which underground forums and marketplaces function, it is possible that tool development could have been contracted to third parties and remote access to compromised systems could have been achieved by one entity and sold to another. There is much left to be uncovered about this attacker.”

“Although the TTPs observed in the attack lifecycle are generally consistent with other financially motivated attack groups tracked by FireEye, this attacker demonstrated ingenuity in crafting malware exploiting Click2Gov installations, achieving moderate success,” the company added.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...