Since April 10, eight cities in three states using the Click2Gov web-based platform to collect payments for services have been hit with Magecart card-skimming attacks that still appear active.
Credit card information, including card number, expiration date and CVV, as well as personal information such as name and contact address, was being exfiltrated from the municipalities, which were not named, according to a Trend Micro blog post.
However, five of the eight cities were also victims of Click2Gov attacks in 2018, and two of them had been skimmed in a similar 2019 attack.
Local governments typically use Click2Gov to let residents pay for services such as utilities, and to provide an online platform for community engagement and issue reporting.
The latest attack, according to Trend Micro, underscores that credit card skimming schemes are not limited to e-commerce sites.
“Attackers are starting to invest in long-term operations that target specific processes enterprises rely on,” the post stated. “They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse.”
Central Square Technologies developed Click2Gov and, as of June 29, had not posted a response to the reported compromise on its website.