Hackers have planted credit card stealing malware on local government payment sites

Security firm FireEye has confirmed that a widely used web payment portal used to pay for local government services, like utilities and permits, has been targeted by hackers.

Hackers have broken into self-hosted Click2Gov servers operated by local governments across the US, likely using a vulnerability in the portal’s web server that allowed the attacker to upload malware to siphon off payment card data over a period of “weeks to numerous months,” Nick Richard, principal threat intelligence analyst at FireEye, told TechCrunch.

Superion, a major technology provider that owns the web payment portal Click2Gov, said in June following a confirmed breach last year that there was “no evidence” that the portal was unsafe to use amid reports of suspicious activity by customers. Superion issued patches after several customers complained that their credit card information had been stolen, but said that it was largely up to local governments and municipalities to patch their servers.

But since then, several more local government sites were identified as victims of the malware.

FireEye’s incident response arm Mandiant said the hacker used the server vulnerability to upload a tool, which it calls FIREALARM, to sift through server log data for credit card data, while another piece of malware it’s calling SPOTLIGHT to intercept credit card data from unencrypted network traffic. Once collected, the data is encoded and exfiltrated by the hacker.

Credit card numbers, expiration dates, and verification numbers, along with names and addresses were stolen by the malware, the security firm said.

But Richard said it’s not known how many victims there are for each compromised server.

“Any web server running an unpatched version of Oracle WebLogic would be vulnerable to exploitation, thus allowing an attacker to access the web server to manipulate Click2Gov configuration settings and upload malware,” said Richard.

FireEye did not say who was to blame for the attacks but said it was “likely” a team of hackers, given the skills necessary to pull off the attack.

“There is much left to be uncovered about this attacker,” FireEye said in a blog post, and anticipates that the hackers will “continue to conduct interactive and financially motivated attacks.”

Superion told TechCrunch that it has “diligently kept our customers informed while working with them to update available patches for the third-party software that contributed to the issue,” and that none of its cloud customers are affected.