Local Government Services Using Click2Gov Targeted in Skimming Attacks

Summary

A new wave of Magecart attacks has been discovered targeting local governments across the US via Click2Gov – a web-based platform used to process online payments for services such as utilities. Currently, eight undisclosed government websites using the payment platform were compromised using a JavaScript-based skimmer beginning April 10, 2020, and, according to researchers, the campaign is still active. The skimmer hooks the submit feature of the payment form, sending payment information to a remote server via an HTTP POST request. This is not the first time Click2Gov has been compromised and, though this attack does not appear to be connected, seven of the eight impacted cities were victims of previous attacks.

Recommendations

The NJCCIC recommends organizations that utilize the Click2Gov platform to monitor their systems for malicious activity. Additionally, website administrators are urged to use only vetted first-party code, ensure hardware and software is up to date, use a web application firewall (WAF) to block and alert for potential code injection attacks, block unauthorized transmission of personal data by implementing a Content Security Policy (CSP), and schedule routine website scans to identify changes in JavaScript code composition. Technical details and Indicators of Compromise (IoCs) can be found in the Trend Micro blog post.