Malware that skims credit card details poisons the websites of eight US cities

What do they have in common? The Click2Gov online utility payment system

Websites of eight US cities poisoned by malware skimming the credit card details of residents

Beware if you’re paying your bills for local government services – the payment information you type into that web form may be heading straight to cybercriminals.

Security experts at Trend Micro report that they have identified eight cities in the USA where online payment portals have been compromised to host Magecart-style credit card skimming code.

Magecart is a family of Javascript malware used to steal credit card details and personal information from unsuspecting internet users as they interact with websites – often as sensitive details are entered to make a purchase.

What makes this type of attack often more serious than a conventional data breach, is that most companies do not store your full credit card details, such as your CVV security code. But those details are entered on online checkout forms by consumers, and can be stolen by a malicious script hidden in the website’s code.

As Trend Micro explains, the common factor between the affected websites they have uncovered is that they all use the third-party Click2Gov platform:

These sites all appear to have been built using Click2Gov, a web-based platform meant for use by local governments. It is used to provide services such as community engagement, issues reporting, and online payment for local goverments. Residents can use the platform to pay for city services, such as utilities.

According to the researchers, the attacks against the eight unnamed US cities started in April, when malicious Javascript code was planted on the websites, silently harvesting credit card details and residents’ personal information as they entered it into online payment forms.

Credit card skimming attack chain
Credit card skimming attack chain. Source: Trend Micro.

Unlike other skimmers which grab data on various types of payment forms, the skimmer used here is rather simple and only works on a Click2Gov payment form. No obfuscation or anti-debugging techniques were used. The skimmer hooks the submit event of the payment form; when a victim clicks the button to send the payment information, the skimmer will grab the information from the selected columns inside the payment form and immediately send the collected information to remote server via a HTTP POST request.

Details exfiltrated by the script to a remote server under the hackers’ control included credit card numbers, CVV security codes, card expiry dates, cardholder’s name, address, and postal code.

Simple the skimming code might be, but that doesn’t mean it’s not effective.

Sign up to our free newsletter.
Security news, advice, and tips.

Rightly or wrongly, Click2Gov is earning itself a bad reputation. In recent years security researchers have been tracking attacks launched against the Click2Gov payment portal, with reports of breaches involving city websites stretching across the United States and Canada.

Late last year, for instance, the city of College Station admitted its Click2Gov online utility payment system had been hacked for some months, as had the City of Waco’s Click2Gov portal for water bill payments.

The onus is on cities to follow best practices when building and maintaining its online payment systems, ensuring that patches and security updates are applied in a timely fashion and that networks are properly secured.

Meanwhile, other websites with payment forms online would be wise to remember that credit-card skimming attacks are not limited to local governments taking payments from residents.

Magecart-style attacks have been seen hitting a diverse range of victims, including hotel chain booking websites, academic campuses, as well as the likes of Ticketmaster, British Airways, Forbes, Umbro, Vision Direct, and Newegg.

If you’re making online purchases (and hey, these days, who isn’t?) you might want to investigate disposable virtual payment cards, so you’re never exposing your real life credit card to the websites to which you are making a payment. A virtual card could be locked to a single merchant, have a limited amount that can be used in a single payment, or be single-use.

There is more discussion of virtual credit cards in this episode of the “Smashing Security” podcast:

Smashing Security #182: 'Space Force, credit card fraud, and beep-ti-beep'

Listen on Apple Podcasts | Spotify | Pocket Casts | Other... | RSS
More episodes...

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.