Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hackers Swipe Card Numbers From Local Government Payment Portals (zdnet.com)

Posted by msmash on from the security-woes dept.

A previously unknown hacker group is behind a mounting number of breaches that have been reported by local governments across the US. From a report: In a report published today, US cyber-security vendor FireEye has revealed that this yet-to-be-identified hacker group has been breaking into Click2Gov servers and planting malware that stole payment card details. Click2Gov is a popular self-hosted payments solution, a product of US software supplier Superion. It is sold primarily to US local governments, and you can find a Click2Gov server installed anywhere from small towns to large metropolitan areas, where it's used to handle payments for utility bills, permits, fines, and more.

FireEye says this new hacker group has been attacking Click2Gov portals for almost a year. The company's investigators believe hackers are using one or more vulnerabilities in one of Click2Gov's components --the Oracle WebLogic Java EE application server-- to gain a foothold and install a web shell named SJavaWebManage on hacked portals. Forensic evidence suggests the hackers are using this web shell to turn on Click2Gov's debug mode, which, in turn, starts logging payment transactions, card details included.

15 comments

  1. Do they by Anonymous Coward · · Score: 0

    Also use processor names similar to trusted processors to social engineer their victims? At least Facebook has never been guilty of anything like that

  2. More reasons to use Privacy virtual cards. by Anonymous Coward · · Score: 1

    Yet another website hack stealing card info. This is why I use Privacy virtual debit cards wherever I can. Card number I used to pay my {name government fee/tax here} bill got hack? No worries, it was a burner card number anyway! Shameless referral link: https://privacy.com/join/JWVHW

    1. Re:More reasons to use Privacy virtual cards. by Anonymous Coward · · Score: 0

      Discover Card used to have this feature....1-time credit card number for online purchases.
      Good idea, till we run out of credit card numbers and have to implement credit card numbers IPv6

    2. Re:More reasons to use Privacy virtual cards. by Anonymous Coward · · Score: 0

      I see no reason they couldn't recycle numbers as long as it's an older number and has a different CCV and exp date the 2nd time.

  3. extra fees for online payments here... by Anonymous Coward · · Score: 4, Insightful

    nice to see those extra costs going to security of our payment information.

    we get charged like 3-10 dollars (scales-up by payment amount) to make a registration or tax payment online. this covers "costs" and merchant fees to handle the online payments so that the net payment is the same as an in-person cash payment. it's codified into state law to be that way, which completely ignores the cost savings from reduced labor costs, shortened dmv hours and closing of rural offices, etc. good thing, too. because of those extra costs, we pay the ~ 50c for the stamp and just mail the fucking things in instead, and hand-deliver payments for local taxes or county fees

    1. Re: extra fees for online payments here... by Anonymous Coward · · Score: 0

      I use my accountant for these things and it is very inexpensive and accurate. Of course, not everyone wants to have to talk to my accountant.

    2. Re:extra fees for online payments here... by bob4u2c · · Score: 1

      Same thing with state tax returns. You will let me electronic state file for like $20, or I can mail it in for less than $2, guess which one I'll choose (I also work just two blocks from the post office).

    3. Re:extra fees for online payments here... by magarity · · Score: 2

      we get charged like 3-10 dollars (scales-up by payment amount) to make a registration or tax payment online

      My state used to do that but came to its senses. Complain (politely) to your state level congresscritter at "town hall" meetings until your state fixes it too.

    4. Re:extra fees for online payments here... by StormReaver · · Score: 1

      I write and maintain credit card processing software (among other things). The card processing companies charge a percentage of the purchase price as a fee to process the card transaction. Many government entities are forbidden by law from using taxpayer money to cover those fees, so they are passed on to the card holder. The government offices I know don't keep a penny of the fee, as it all goes to the processor.

  4. hackers! hacking! with hacks! by Anonymous Coward · · Score: 0

    Ayup, msmash trying too hard to be k-rad again. Result is complete irrelevance.

  5. Production "debug mode" to the rescue by MTEK · · Score: 2

    I would like a word with that developer.

    1. Re:Production "debug mode" to the rescue by Anonymous Coward · · Score: 0

      Nah, I bet he or she is just as frustrated as you by this and it was management pushing a release that wasn't ready due to unrealistic timelines and insufficent budget for proper development and debugging.

      i.e. the whole industry.

  6. Story by sadafba786 · · Score: 1

    Yes I've read a similar story at https://www.thecyberforum.com/...

    1. Re: Story by fifi320 · · Score: 1

      guess which one I'll choose (I also work just two blocks from the post office). https://8ballpool.onl/ https://discord.software/ https://omegle.onl/

  7. US software supplier Superion by Anonymous Coward · · Score: 0

    Superion... I'm dying....