Click2Gov Breach Payment Cards Sold on Dark Web


In August 2017, Click2Gov, a payment platform widely used by local governments to process utility payments, was breached; Oceanside, California, was the first in a long line of compromised municipalities. Many of the payment cards stolen from the compromised records are now likely being sold in underground marketplaces, according to Gemini Advisory.

During its routine monitoring of dark web marketplaces that sell compromised payment card data, Gemini Advisory noted “an out-of-pattern concentration of victims located in small-to-medium US cities. Further analysis of the card data linked to these locations and collaboration with partner banks have determined that records [have] likely been stolen from local municipal services that license Click2Gov software.”

According to Gemini Advisory’s blog post by Stas Alforov, there have been 46 confirmed compromised locations across the US, with an additional location reported in Canada. At the time Gemini Advisory conducted its research, 294,929 payment records had reportedly been stolen, from which criminals have earned at least $1.7 million. Superion, the company behind Click2Gov, has made efforts to deploy patches, yet the software remains vulnerable, and three additional municipalities have reportedly been breached since October 2018.

Dozens of municipalities have reported instances of the Click2Gov breach, with at least 111,860 payment cards compromised. Those stolen cards were then uploaded and reportedly sold on the dark web for an average of $10 per card, and “breached payment card data was linked to over 1000 financial institutions, with 65% of stolen records associated with the top 20 affected banks,” Alforov wrote.

"In addition to Click2Gov payment records being sold on the dark web, we can also assume that the associated account login credentials – name and password pairs – were also for sale,” said Franklyn Jones, CMO, Cequence.

“So these nearly 300,000 credentials will likely be acquired for secondary bot attacks designed to gain unauthorized access to accounts on other web applications. And bot attacks, which are becoming more pervasive, are typically successful 10% of the time, which can lead to additional account takeover, financial fraud and business disruption."
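The secondary attack described above is credential stuffing: a bot replays stolen name/password pairs against an unrelated site, and because only a small fraction of users reuse the same password, most attempts fail. The detector below is an added example for this article, not code from Cequence, Gemini Advisory or Superion. It runs over a constructed login log (the IPs, usernames and timestamps are invented) and flags a source that tries many distinct usernames with a low success rate inside a short window; the thresholds are assumptions a defender would tune to their own traffic.

```python
"""Credential-stuffing detector over a constructed login log (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Constructed sample log, one event per line: timestamp,src_ip,username,result
# 203.0.113.7 walks a stolen credential list (12 users, 1 hit, ~8% success).
# 198.51.100.4 is a real user mistyping a password twice.
# 192.0.2.50 is a shared office NAT: many users, but they all succeed.
SAMPLE_LOG = """\
2018-12-20T10:00:01,203.0.113.7,alice,FAIL
2018-12-20T10:00:03,203.0.113.7,bob,FAIL
2018-12-20T10:00:05,203.0.113.7,carol,FAIL
2018-12-20T10:00:07,203.0.113.7,dave,OK
2018-12-20T10:00:09,203.0.113.7,erin,FAIL
2018-12-20T10:00:11,203.0.113.7,frank,FAIL
2018-12-20T10:00:13,203.0.113.7,grace,FAIL
2018-12-20T10:00:15,203.0.113.7,heidi,FAIL
2018-12-20T10:00:17,203.0.113.7,ivan,FAIL
2018-12-20T10:00:19,203.0.113.7,judy,FAIL
2018-12-20T10:00:21,203.0.113.7,mallory,FAIL
2018-12-20T10:00:23,203.0.113.7,oscar,FAIL
2018-12-20T10:01:00,198.51.100.4,alice,FAIL
2018-12-20T10:01:20,198.51.100.4,alice,FAIL
2018-12-20T10:01:40,198.51.100.4,alice,OK
2018-12-20T10:03:00,192.0.2.50,u01,OK
2018-12-20T10:03:02,192.0.2.50,u02,OK
2018-12-20T10:03:04,192.0.2.50,u03,OK
2018-12-20T10:03:06,192.0.2.50,u04,OK
2018-12-20T10:03:08,192.0.2.50,u05,OK
2018-12-20T10:03:10,192.0.2.50,u06,OK
2018-12-20T10:03:12,192.0.2.50,u07,OK
2018-12-20T10:03:14,192.0.2.50,u08,OK
2018-12-20T10:03:16,192.0.2.50,u09,OK
2018-12-20T10:03:18,192.0.2.50,u10,OK
"""


class LoginEvent(NamedTuple):
    ts: datetime
    src_ip: str
    user: str
    success: bool


def parse_log(text: str) -> List[LoginEvent]:
    """Parse the CSV-style log above into events sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, user, result = line.split(",")
        events.append(LoginEvent(datetime.fromisoformat(ts), ip, user, result == "OK"))
    return sorted(events, key=lambda e: e.ts)


def detect_stuffing(
    events: List[LoginEvent],
    window: timedelta = timedelta(minutes=5),   # assumed thresholds; tune per site
    min_attempts: int = 10,
    min_distinct_users: int = 8,
    max_success_rate: float = 0.2,
) -> Dict[str, dict]:
    """Return {src_ip: stats} for sources whose sliding window looks like stuffing.

    A window is suspicious when it holds many attempts, spread across many
    distinct usernames, with a low success rate. The distinct-user count
    separates stuffing from brute force on one account; the success-rate
    ceiling separates it from a busy NAT whose users mostly log in fine.
    """
    by_ip: Dict[str, List[LoginEvent]] = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)

    alerts: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        start = 0
        users: Counter = Counter()
        successes = 0
        for end, e in enumerate(evs):
            users[e.user] += 1
            successes += int(e.success)
            # Slide the window: drop events older than `window` before this one.
            while e.ts - evs[start].ts > window:
                old = evs[start]
                users[old.user] -= 1
                if users[old.user] == 0:
                    del users[old.user]
                successes -= int(old.success)
                start += 1
            attempts = end - start + 1
            rate = successes / attempts
            if (attempts >= min_attempts and len(users) >= min_distinct_users
                    and rate <= max_success_rate):
                alerts[ip] = {
                    "attempts": attempts,
                    "distinct_users": len(users),
                    "success_rate": round(rate, 3),
                }
    return alerts


if __name__ == "__main__":
    for ip, stats in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"possible credential stuffing from {ip}: {stats}")
```

The attacker's source is the only one reported; the single mistyped password and the office NAT stay quiet because they fail the distinct-user and success-rate tests respectively. In production the same logic would key on more than source IP (user agent, TLS fingerprint, ASN), since stuffing tools rotate through proxy pools precisely to stay under per-IP thresholds.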
