{
	"id": "896e081b-49ed-4e28-bdf8-1f818a7de549",
	"created_at": "2026-04-06T00:08:36.830171Z",
	"updated_at": "2026-04-10T13:12:23.576174Z",
	"deleted_at": null,
	"sha1_hash": "b7f1af0c0248ab7106bef87fea76007eda734981",
	"title": "New Magecart Attack Targets US Local Government Services",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53398,
	"plain_text": "New Magecart Attack Targets US Local Government Services\r\nBy: Joseph C Chen Jun 26, 2020 Read time: 3 min (836 words)\r\nPublished: 2020-06-26 · Archived: 2026-04-05 12:42:56 UTC\r\nEight cities across three states in the United States have fallen victim to a Magecart card skimming attack. In these\r\nattacks, their websites were compromised to host credit card skimmers which passed on the credit card\r\ninformation of residents to cybercriminals.\r\nThese sites all appear to have been built using Click2Gov, a web-based platform meant for use by local\r\ngovernments. It is used to provide services such as community engagement, issues reporting, and online payment\r\nfor local governments. Residents can use the platform to pay for city services, such as utilities. Breaches in these\r\nsites, however, are not new: In 2018 and 2019, the websites of several towns and cities using Click2Gov were\r\ncompromised.\r\nFigure 1. Credit card skimming attack chain\r\nOur research identified eight cities whose websites had been compromised with a JavaScript-based skimmer, as\r\nexpected from a Magecart attack. The information exfiltrated included:\r\nCredit card information (card number, expiration date, CVV)\r\nPersonal information (Name and contact address)\r\nOur analysis of both the skimmer and the infrastructure used could not find any connections between this breach\r\nand the incidents in 2018 and 2019. Nevertheless, five of the eight cities were also affected in the previous\r\nbreaches; we believe that these attacks started on April 10 of this year, and are still active.\r\nAnalysis of the card skimming attack\r\nThe attack occurs when victims make an online payment on the compromised Click2Gov website. 
JavaScript code\r\nwas injected into the payment page which loads a credit card skimmer when victims browse the payment page.\r\nUnlike other skimmers which grab data on various types of payment forms, the skimmer used here is rather simple\r\nand only works on a Click2Gov payment form. No obfuscation or anti-debugging techniques were used. The\r\nskimmer hooks the submit event of the payment form; when a victim clicks the button to send the payment\r\ninformation, the skimmer will grab the information from the selected columns inside the payment form and\r\nimmediately send the collected information to a remote server via an HTTP POST request.\r\nFigure 2. Screenshot of credit card skimmer injected on Click2Gov payment page\r\nExfiltrated Data Type | Targeted Column ID | Exfiltration Request Schema\r\nCredit card number | accountNumber | accountNumber\r\nCredit card CVV number | cvv2 | cvv\r\nCredit card expiration year | expirationDate.year | year\r\nCredit card expiration month | expirationDate.month | month\r\nCredit card expiration date | expirationDate.date | date\r\nFirst name of cardholder | firstName | firstName\r\nMiddle name of cardholder | middleInitial | middleInitial\r\nLast name of cardholder | lastName | lastName\r\nContact address 1 | contact.address1 | address1\r\nContact address 2 | contact.address2 | address2\r\nCity of contact address | contact.city | city\r\nState of contact address | contact.state | State\r\nZip code of contact address | contact.zip | ZipCode\r\nTable 1. Details of exfiltrated information\r\nWe were able to identify two of the exfiltration servers used in the attack. Both hosted the actual JavaScript\r\nskimmer, as well as a .JSP file used to receive the exfiltrated data. One of the servers was used for three sites,\r\nwhile the other server was used for the remaining five sites. 
The two skimmers used are identical, save for the change\r\nin the hostname of the exfiltration servers.\r\nFigure 3. Screenshot of the credit card skimmer script\r\nFigure 4. Example of exfiltration request\r\nBackground and attribution\r\nClick2Gov has been hit by various breaches and attacks in the past. CentralSquare Technologies, its developer,\r\nreleased a 2018 statement concerning security issues on various locally hosted sites. Other researchers uncovered\r\na breach of around 300,000 records from Click2Gov sites\r\nat the end of that year. Another 2018 report showed a similar case where a site built using Click2Gov\r\nwas targeted by an attacker to exfiltrate credit card information from its users. In 2019, another breach was\r\ndiscovered, where it became apparent that data from eight cities was being sold in the underground market.\r\nIt is not clear at this time if this attack which we identified is connected to the earlier breaches, since nothing about\r\ntheir technical details indicates a connection. The only connection is that five of the affected cities in the current\r\nincident were also affected in 2018, while two were included in the 2019 incident.\r\nConclusion\r\nCredit card skimming attacks are still a major threat to online merchants. Victims are not limited to typical e-commerce sites. During 2019, we also saw that academic institutions and hotel chains were targeted by similar\r\nattacks. This time, the attacker targeted the websites of various local governments. 
This shows the importance of\r\nkeeping payment portals secure to protect both an organization and its customers.\r\nThe following Trend Micro solutions protect users and businesses by blocking the scripts and preventing access to\r\nthe malicious domains:\r\nTrend Micro™ Security\r\nSmart Protection Suites and Worry-Free™ Business Security\r\nTrend Micro Network Defense\r\nHybrid Cloud Security\r\nIndicators of Compromise (IOCs)\r\nSHA256 Hash/URL | Type\r\n99840885c7f248779838b08559a9f3feb16e646fad7a3d36015e4b4ca4b4173b | Credit Card Skimmer (detected as TrojanSpy.JS.MAGECART.G)\r\na7db455dc25d107caf8f74f7d4c492541c5d37c38bf68604a6e85b06b61af26a | Credit Card Skimmer (detected as TrojanSpy.JS.MAGECART.G)\r\nhttps[:]//cdns-static[.]com/recurring.js | Credit Card Skimmer URL\r\nhttps[:]//renew-analytics[.]com/recurring.js | Credit Card Skimmer URL\r\nhttps[:]//cdns-static[.]com/validate/index.jsp | Exfiltration URL\r\nhttps[:]//renew-analytics[.]com/validate/index.jsp | Exfiltration URL\r\ncdns-static[.]com | Credit Card Skimmer Domain\r\nrenew-analytics[.]com | Credit Card Skimmer Domain\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/us-local-government-services-targeted-by-new-magecart-credit-card-skimming-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/us-local-government-services-targeted-by-new-magecart-credit-card-skimming-attack/"
	],
	"report_names": [
		"us-local-government-services-targeted-by-new-magecart-credit-card-skimming-attack"
	],
	"threat_actors": [
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434116,
	"ts_updated_at": 1775826743,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b7f1af0c0248ab7106bef87fea76007eda734981.pdf",
		"text": "https://archive.orkl.eu/b7f1af0c0248ab7106bef87fea76007eda734981.txt",
		"img": "https://archive.orkl.eu/b7f1af0c0248ab7106bef87fea76007eda734981.jpg"
	}
}