Click2Gov Update: ICYMI Here’s The Latest


It’s been three months since our original post was published and as feared, breaches of the Click2Gov system continue to be reported. Here is what we’ve learned:

  • Attackers are exploiting an unpatched vulnerability in Oracle’s WebLogic. Early on, we speculated whether the problem was with the Click2Gov application itself and whether it impacted the cloud-based version of the system. It has since come to light that only local installations are at risk. Attackers are gaining access to application servers due to a known vulnerability in WebLogic and escalating the attack from there.

Few other details about the attack methods have come to light. That said, one intriguing detail has remained consistent – only one-time payments are at risk. Data for customers with auto-pay enabled has not been exposed. That does make us wonder if there is another weakness in play, perhaps associated with the form or page used to enter payment information.

  • Nine more incidents involving Click2Gov installations have come to light. The targets include:
    • City of Waco, TX – On January 10, 2018, Waco disclosed that a lack of encryption had led to the compromise of credit card details after water bills were paid online. This one slipped by our original post, as there was no mention of Click2Gov and the description varied somewhat from the others. After digging more, the URL for the payment portal revealed the service involved: https://c2g.ci.waco.tx.us/Click2GovCX/.
    • City of Lake Worth, FL – On June 14, 2018 journalists investigating the breach at the Village of Wellington reported that Lake Worth, located a short drive east of Wellington, had also been compromised. Although the breach only came to light this June, it appears Lake Worth was an early target, with the incident beginning around April 3, 2017. That would make Lake Worth the first organization confirmed to have their Click2Gov installation breached.
    • City of Midwest City, OK – At the same time the City of Thousand Oaks was under attack, Midwest City was also being breached. Unfortunately, unlike Thousand Oaks, which discovered the compromise in February of this year, the incursion into Midwest City’s installation – which started on December 11, 2017 – lasted until June 21, 2018.
    • City of Midland, TX – In a near carbon copy of the Midwest City breach, Midland was first compromised on or around December 1, 2017. The incident was discovered concurrently as well, on June 21, 2018.
    • City of Bozeman, MT – On July 16, 2018 Bozeman announced that customers using their Click2Gov installation between July 1, 2017 and October 24, 2017 had their payment card information compromised. Curiously, the city first became aware of the problem in the Fall of 2017, when customers started reporting fraudulent charges popping up after paying their utility bills online. At that time Bozeman hired a forensic firm to assist with the investigation but could find no evidence payment card data was taken. On July 3, 2018, Superion reached out to the city informing – or more accurately confirming – their installation had been compromised.
    • City of Medford, OR – On July 23, 2018 Medford announced they had been breached, with malware capturing customer payment details from February 18, 2018 to March 14, 2018 and again between March 29 and April 16, 2018. Like so many other cities, the compromise was first identified when fraudulent charges began appearing on customers’ accounts.
    • City of Bossier City, LA – On August 16, 2018 with very little fanfare and even less detail, Bossier City announced the system that allowed customers to pay their utility bills online may have been compromised. Although the notice made no mention of Click2Gov, it is clear from the payment portal URL who is behind the service: https://epayments.bossiercity.org/Click2GovCX/index.html. An announcement on the city’s website indicates the service will be unavailable until late October.
    • City of San Angelo, TX Water Utilities – On August 17, 2018 – one day after Bossier City’s announcement – the water utility service for San Angelo released an equally quiet statement that the city had temporarily suspended their Click2Gov platform due to reports from customers of suspicious card activity after paying bills online. Little else has been reported about this event.
    • City of Tyler, TX – On September 10, 2018, Tyler announced they had become the latest victim in the long string of attacks. Malicious actors gained access to their Click2Gov installation around June 18, 2018 – just 4 days after our original post. Like the others before them, the breach came to light after an external party, this time the Secret Service, reached out to officials informing them of suspicious activity.

In all, the Cyber Risk Analytics research team has linked 18 breaches targeting Superion’s Click2Gov service. With the City of Tyler coming forward just last week, it’s clear the campaign continues and it’s likely we’ll continue to see Click2Gov in the headlines. We’ll monitor the story and keep you updated as more information comes to light.