IRS-Authorized eFile.com Compromised; Serves JavaScript Malware to Taxpayers

Users of a certain e-file software service provider should be on the lookout for malware.

Security researchers recently confirmed that eFile.com is compromised and caught serving JavaScript (JS) malware to people visiting it.

The e-file software service provider no longer distributes malware to people visiting it for their IRS tax returns as of press time.

eFile.com JS Malware Distribution Details

Security researchers from MalwareHunterTeam discovered that the authorized e-file software service provider eFile.com had been compromised since at least around mid-March and had still not been cleaned as of today, per the team's Twitter account.

Take note: this incident specifically concerned eFile.com and does not involve similar-sounding domains or the IRS's own e-file infrastructure.

According to the team and a Reddit user's post on the r/Scams subreddit, any attempt to load eFile.com appears to redirect to a fake "Network Error" page. It claims that a browser update is required to access the site. It then provides a link to download an application called "installer.exe" or "update.exe," depending on which browser was used to open the site.

This prompt to download and install a fake browser update comes from the "update.js" JS file, which urges users to download one of the two malware files and so plant the threat actor's malware on their computers, per Bleeping Computer. As such, eFile.com users who opened the website in Chrome would be prompted to download update.exe, while Firefox users would get installer.exe.

The installer and update files also had malicious JS code, called "popper.js," injected. The code attempts to load JS in a way that prevents caching, so that a fresh copy of the malware is loaded every time affected users visit eFile.com, should the threat actor or cybercriminal make any changes to it.
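A defender-side check prompted by the injected-script pattern described above, written here as an added example (not code from the article, from MalwareHunterTeam or from eFile.com): it audits a page's script tags against a known-good baseline, flagging third-party or unknown scripts, cache-busting query strings, and inline code carrying the fake browser-update lure. The baseline paths, allowed hosts and sample HTML are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed baseline: scripts a site operator knows belong on the page and
# the hosts they may load from. In practice these come from a known-good snapshot.
BASELINE_SCRIPTS = {"/static/app.js", "/static/jquery.min.js"}
ALLOWED_HOSTS = {"efile.com", "www.efile.com"}

# Strings from the reported lure: a "browser update" prompt that hands out
# update.exe or installer.exe depending on the visitor's browser.
LURE_MARKERS = ("browser update", "update.exe", "installer.exe", "navigator.userAgent")

_SRC_RE = re.compile(r'<script\b[^>]*\bsrc=["\']([^"\']+)["\']', re.I)
_INLINE_RE = re.compile(r'<script\b(?![^>]*\bsrc=)[^>]*>(.*?)</script>', re.I | re.S)


def audit_page(html, baseline=BASELINE_SCRIPTS, allowed_hosts=ALLOWED_HOSTS):
    """Return (kind, detail) findings for scripts that deviate from the baseline."""
    findings = []
    for src in _SRC_RE.findall(html):
        url = urlparse(src)
        if url.netloc and url.netloc.lower() not in allowed_hosts:
            findings.append(("third-party-script", src))
        elif url.path not in baseline:
            findings.append(("unknown-script", src))
        else:
            continue  # known script on an allowed host: nothing to report
        # A query string on an unexpected script is the cache-busting pattern
        # the report describes: it forces a fresh copy of the payload per visit.
        if url.query:
            findings.append(("cache-buster", src))
    for body in _INLINE_RE.findall(html):
        hits = [m for m in LURE_MARKERS if m.lower() in body.lower()]
        if hits:
            findings.append(("inline-lure", ",".join(hits)))
    return findings


# Constructed sample page: two baseline scripts, one injected cache-busted
# script from an unknown host, and an inline browser-dependent lure.
SAMPLE_HTML = """<html><head>
<script src="/static/jquery.min.js"></script>
<script src="/static/app.js"></script>
<script src="https://cdn.example.invalid/popper.js?t=1680000000"></script>
<script>
if (navigator.userAgent.indexOf("Firefox") > -1) { dl = "installer.exe"; } else { dl = "update.exe"; }
document.body.innerHTML = "<h1>Network Error</h1>A browser update is required.";
</script></head><body></body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_page(SAMPLE_HTML):
        print(f"{kind}: {detail}")
```

Running the audit on a schedule against the live page and diffing the findings against an empty result is what would have surfaced a weeks-long injection like this one.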

Bleeping Computer independently confirmed that the malware's binaries establish a connection to a Tokyo-based IP address that appears to be hosted with Alibaba. Meanwhile, MalwareHunterTeam further analyzed the binaries and discovered they contained Windows botnets written in PHP.

For those unaware, a botnet is capable of connecting infected computers together to form a network for the threat actor to use in coordinated criminal actions like email spam, DDoS attacks, and targeted intrusions, per Palo Alto Networks.

MalwareHunterTeam also called out eFile.com for leaving the malicious code on its website for weeks until the public noticed the mistake. The company overseeing the website has yet to address the malware incident as of press time.

Tax Return Filing Season

Catching eFile.com distributing malware among its visitors came at a crucial time, when people are wrapping up their IRS tax returns before the Apr. 18 due date. With the number of people filing their IRS tax returns during this period, there's no telling how many people are affected by the malware.

Unfortunately, there is no indication of whether the malware has successfully infected any of eFile.com's visitors and customers, so the full scope of the incident remains unknown.

Thankfully, some antivirus products recognize the malware in the executable files as trojan horses and remove them from an affected user's computer entirely.

© 2024 iTech Post All rights reserved. Do not reproduce without permission.
