As many as 6,000 people who paid parking tickets online through the Saint John, N.B. municipal website may have had their names, credit card numbers, billing addresses and card verification numbers stolen, according to a security vendor. However, the city says it can’t confirm there has been a breach of its system.
Gemini Advisory said in a blog post Tuesday the Saint John victims were likely among at least 111,860 payment cards that were compromised at 46 North American cities using software from a company called Click2Gov, which provides a wide range of on-premises and cloud-based solutions for government departments — from allowing the payment of parking tickets and utility bills to document access.
Saint John is the only Canadian city identified.
UPDATE: On Dec. 21 a spokesperson for the city said it is working with the software manufacturer and looking into the allegation. The manufacturer, CentralSquare Technologies, has been asked to do a forensic analysis to see if there are any vulnerabilities in the system. In the meantime the city’s Click2Gov installation has been taken offline. The city also said an earlier version of this story was wrong to say people paying building permit fees could have been victimized. While the Saint John website allowed people to apply for building permits, it didn’t allow payments.
“We have not been notified of a breach to our service. We’re trying to confirm that now,” the spokesperson said.
A spokesperson for Click2Gov’s parent company, Florida-based Central Square Technologies, could not be reached this morning for comment.
Gemini said the stolen payment cards were uploaded for sale either during the breach or immediately after the breach was identified and reported, with the average price of US$10 per card.
“As of this writing 294,929 payment records [from all 46 cities] were compromised, earning criminals at least $1.7 million dollars,” said the Gemini report.
Click2Gov’s parent company, then called Superion, acknowledged in 2017 that a “limited number of on-premise clients had identified suspicious activity” on servers that run the Click2Gov product. This June it said that it had issued a patch to the on-prem software and “assisted customers in the application of patches related to a third-party component. At this time, we have no evidence showing that it is unsafe to make payments utilizing Click2Gov on hosted or secure on-premise networks with recommended patches and configurations,” the statement said.
It is believed the Gemini Advisory report is the first to put together information from several sources to indicate the size of Click2Gov-related breaches.
And Gemini says the breaches are apparently continuing. “We’re still seeing fresh data uploaded,” Stanislav Aflorov, the company’s director of research and development, said in an interview. “As of this month, we saw 12,000 new records uploaded.” That makes Gemini suspect attackers have found another vulnerability.
One of the most recent victims was the city of Topeka, Kan. According to a report from a local news outlet, the city was told by Central Square earlier this month it might have been the victim of a data breach. At the time the city thought some 10,000 people paying bills between Oct. 30 and Dec. 1 might have been affected.
Security vendor FireEye detailed the problems with Click2Gov in a Sept. 19 report that outlined a campaign this year targeting web payment portals running on-premise installations of Click2Gov. After examining compromised systems, FireEye suspects the attacker likely used an exploit targeting Oracle WebLogic to compromise on-premise Click2Gov web servers. An SJavaWebManage webshell was then uploaded, through which the attacker enabled debug mode in a Click2Gov configuration file, causing the application to write payment card information to plaintext log files. After uploading a tool, the attacker parsed the log files to retrieve payment card information. The attacker used another tool to intercept payment card information from HTTP network traffic.
Aflorov said Gemini Advisory’s investigation began when researchers scanning an underground market selling personal data noticed “very centralized pockets” of credit cards up for sale. In other words, rather than a pile of cards spread across North America, there were groups from a small number of cities. Researchers realized these coincided with news reports of breaches from cities that used Click2Gov. “Additional analysis led to an understanding that this was not just a one-off instance of one city got breached and that’s it,” Aflorov said. “We started seeing five, 10, 15 (cities), and we very quickly identified over 46 cities in total.”
Gemini purchased some sample records to confirm they were related to utility payments. It also spoke to a number of financial institution partners who said they had seen a similar pattern through chargebacks they had to issue.
Aflorov said 10,000 Canadian credit cards were identified among its sample. Of those, about 60 per cent came from the Saint John area.
Both Gemini and FireEye say their investigations show the importance of tracking patches and installing them as soon as possible. FireEye also recommends IT departments consider implementing a file integrity monitoring solution to monitor the static content and code that generates dynamic content on e-commerce web servers for unexpected modifications. It also reminds CISOs to ensure any web service accounts run with least privilege.
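The attack chain FireEye describes leaves two observable traces on the server: files in the web root change (a dropped webshell, a configuration file flipped to debug mode) and application logs start containing full card numbers. As an added example that is not from the article, FireEye, Gemini or CentralSquare, the Python below shows the two corresponding checks, a hash baseline of the web root diffed against its current state, and a scan of log text for Luhn-valid card numbers that reports only the last four digits. The directory layout, the `debug=` property key, the file names and the log lines are all constructed for the demo; the article does not describe Click2Gov's actual file layout or configuration format.

```python
"""Added example: file-integrity diff plus plaintext-card-data scan.

Not code from the article or from any of the vendors it names. Every path,
file name, property key and log line below is constructed for illustration.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Candidate primary account numbers: 13 to 19 digits, optionally separated by
# single spaces or dashes, and not embedded in a longer run of digits.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return Luhn-valid card-number candidates found in text, digits only."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep only the last four digits so the alert itself does not leak the PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]


def baseline(root: Path) -> dict:
    """SHA-256 every regular file under root, keyed by POSIX path relative to root."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            out[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out


def diff_baseline(old: dict, new: dict) -> dict:
    """Classify changes between two baselines into added, modified and removed files."""
    return {
        "added": sorted(k for k in new if k not in old),
        "modified": sorted(k for k in new if k in old and new[k] != old[k]),
        "removed": sorted(k for k in old if k not in new),
    }


def demo() -> dict:
    """Build a constructed web root, simulate the two post-compromise changes, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "WEB-INF").mkdir()
        # Constructed files standing in for a payment portal's page and config.
        (root / "index.jsp").write_text("<html>pay here</html>\n")
        (root / "WEB-INF" / "app.properties").write_text("debug=false\n")
        before = baseline(root)

        # Simulated post-compromise state: config flipped to debug and a new JSP
        # appearing in the web root. Both names are placeholders.
        (root / "WEB-INF" / "app.properties").write_text("debug=true\n")
        (root / "manage.jsp").write_text("<% /* placeholder */ %>\n")
        changes = diff_baseline(before, baseline(root))

        # Constructed log excerpt; the second line carries a well-known Luhn-valid
        # test number, the kind of value an app writes once payment debug logging is on.
        log = (
            "2018-12-18 10:01:02 INFO  payment submitted id=8841\n"
            "2018-12-18 10:01:02 DEBUG card=4111 1111 1111 1111 exp=12/20 cvv=***\n"
        )
        leaked = [mask(p) for p in find_card_numbers(log)]
    return {"changes": changes, "leaked_cards": leaked}


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be taken from a known-good deployment and stored off the web server, the diff run on a schedule, and the log scan pointed at the application's real log directory; any hit in either check on a payment portal is worth an incident ticket on its own, since a correctly configured portal should never write a full card number to disk.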