Click2Gov breaches in eight cities attributed to Magecart hackers

There's more troubling news for customers of the online payments platform that's been connected to dozens of past breaches.
man holding credit card at computer
(Getty Images)

A new wave of data breaches in eight U.S. city governments is the work of online scammers using malicious code against the troubled online payments platform Click2Gov, according to research published Friday by the cybersecurity firm TrendMicro.

The attacks involved Magecart-style attacks, in which lines of JavaScript code are injected into e-commerce platforms to rip off financial and personally identifiable information, like credit card numbers, names, addresses and other credentials. Magecart attacks have plagued corporate websites, including big-name targets like British Airways, Ticketmaster and more than 2 million other websites, according to research published last October.

According to TrendMicro, the latest attacks began on April 10 when the Click2Gov pages operated by the eight cities — which were not identified — were compromised with the malicious code. Once the payment platforms were infected, residents of those cities who logged on to conduct business with their local governments unknowingly gave their payment information to the hackers, thanks to a technique known as a “skimmer” that latches onto the payment form’s button to complete a transaction.

For more than two months, the attackers have been collecting people’s full names, credit card numbers — including expiration dates and security codes — and addresses. TrendMicro’s researchers also believe the attacks are still active.


And compared to previous Magecart attacks, infiltrating Click2Gov sites was relatively easy.

“Unlike other skimmers which grab data on various types of payment forms, the skimmer used here is rather simple and only works on a Click2Gov payment form,” a TrendMicro blog post read. “No obfuscation or anti-debugging techniques were used.”

Click2Gov has for several years posed data-security problems for the many small and midsize local governments that use it to process transactions like utility payments, parking fines, usage permits and other fees. Since 2017, dozens of municipalities have had to tell their residents that their personal data had been swept up in breaches targeting the payment platform. Click2Gov’s publisher, CentralSquare Technologies, has previously said that any vulnerabilities were tied to an Oracle application server that some customers used to run the platform. As many as 6,000 local governments across the United States use Click2Gov, though some breach victims have started turning to other providers.

But according to TrendMicro, there’s no evidence directly linking the recent Magecart-style attacks to incidents in 2018 and 2019. Still, five of the eight cities analyzed had been victims of previous Click2Gov breaches.

Benjamin Freed

Written by Benjamin Freed

Benjamin Freed was the managing editor of StateScoop and EdScoop, covering cybersecurity issues affecting state and local governments across the country. He wrote extensively about ransomware, election security and the federal government’s role in assisting states and cities with information security.

Latest Podcasts