Connect with us

Hi, what are you looking for?



Magecart Hackers Target U.S. Cities Using Click2Gov

Magecart web skimmers were found on the websites of eight cities in the United States and one thing they have in common is that they all use the Click2Gov platform, Trend Micro reports.

Magecart web skimmers were found on the websites of eight cities in the United States and one thing they have in common is that they all use the Click2Gov platform, Trend Micro reports.

Designed for community engagement, reporting of issues, and online payments, the Click2Gov web-based platform is used by local governments across the United States and has been the victim of financially-motivated threat actors in both 2018 and 2019.

The new wave of attacks, however, does not appear to be related to previous incidents, at least not from a technical point of view, Trend Micro’s security researchers say. They also revealed that seven of the impacted cities were targeted in previous incidents.

As part of the attacks, which likely started on April 10, 2020, the hackers placed a custom JavaScript-based skimmer onto the compromised websites, to harvest and exfiltrate credit card data and the personal information of residents, typical to a Magecart compromise.

The skimming code, which was designed specifically to target Click2Gov payment forms, is triggered when the victim makes an online payment on the compromised website.

Data targeted by the code includes credit card number, CVV number, expiration date, and card holder’s name, address, and ZIP code area. An HTTP POST request is used to send the collected information to a remote sever.

Trend Micro’s researchers identified two exfiltration servers that were leveraged as part of the campaign, both hosting the JavaScript skimmer and a .JSP file used to receive the harvested data.

Advertisement. Scroll to continue reading.

“One of the servers was used for three sites, while the other server used for the remaining five sites. The two skimmers used are identical, save for the change in the hostname of the exfiltration servers,” Trend Micro fraud researcher Joseph C. Chen explains.

Of the eight impacted cities, seven were involved in previous attacks: five in the 2018 campaign and two in the 2019 incident, but it’s unclear whether there’s a connection with the newly identified breaches.

“Credit card skimming attacks are still a major threat to online merchants. Victims not limited to only typical e-commerce sites. During 2019, we also saw that academic institutions and hotel chains were targeted by similar attacks. This time, the attacker targeted the websites of various local governments. This shows the importance of keeping payment portals secure to protect both an organization and its customers,” Trend Micro concludes.

Related: Hackers Target Online Stores With Web Skimmer Hidden in Image Metadata

Related: Eight U.S. Cities Impacted in New Series of Click2Gov Breaches

Related: Click2Gov Attacks on U.S. Cities Attributed to Previously Unknown Group

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...