Users of a certain e-file software service provider should be on the lookout for malware.
Security researchers recently confirmed that eFile.com is compromised and caught serving JavaScript (JS) malware to people visiting it.
The e-file software service provider no longer distributes malware to people visiting it for their IRS tax returns as of press time.
eFile.com JS Malware Distribution Details
So, the website of @efile (efile[.]com), "is an IRS authorized e-file provider" got compromised at least around middle of March & still not cleaned.
Someone noticed it on March 17th: https://t.co/sNu5gRyeeW
Samples given on the 17th are still close to FUD even today.
cc @cyb3rops pic.twitter.com/DOEaMRvQOo— MalwareHunterTeam (@malwrhunterteam) April 3, 2023
Security researchers from MalwareHunterTeam discovered that the authorized e-file software service provider eFile.com was compromised at least around mid-March and was still uncleaned until today, per the team's Twitter account.
Take note: this incident specifically concerned eFile.com and is not identical sounding domains or the IRS'e-file infrastructure.
According to the team and a Reddit user's post on the r/Scams subreddit, any attempt to load eFile.com appears to redirect to a fake "Network Error" page. It claims that a browser update is required to access the site. It then provides a link to download an application called "installer.exe" or "update.exe," depending on which browser was used to open the site.
This prompt to download and install a fake browser update is due to the "update.js" JS file, which prompts users to download either of the two malware files to embed the threat actor's malware into their computers, per Bleeping Computer. As such, eFile.com users who used Chrome to open the website would be prompted to download update.exe, while Firefox users would get insteller.exe.
Read More: What are the Pros and Cons of Tankless Water Heaters - Is It Worth Your Money?
The installer and update files had a malicious JS code injected called "popper.js." the code attempts to load JS that could prevent caching and load a fresh copy of the malware every time affected users visit eFile.com should the threat actor or cybercriminal make any changes to it.
Bleeping Computer independently confirmed that the malware's binaries establish a connection to a Tokyo-based IP address that appears to be hosted with Alibaba. Meanwhile, MalwareHunterTeam further analyzed the binaries and discovered they contained Windows botnets written in PHP.
For those unaware, a botnet is capable of connecting infected computers together to form a network for the threat actor to use in coordinated criminal actions like email spam, DDoS attacks, and targeted intrusions, per Palo Alto Networks.
They also called out eFile.com for leaving the malicious code on its website for weeks until the public noticed the mistake. The company overseeing the website has yet to address the malware incident as of press time.
Tax Return Filing Season
Catching eFile.com distributing malware among its visitors came at a crucial time, when people are wrapping up their IRS tax returns before the Apr. 18 due date. With the number of people filing their IRS tax returns during this period, there's no telling how many people are affected by the malware.
Unfortunately, there is no indication that the malware has successfully infected any of eFile.com's visitors and customers, preventing anyone from knowing the full scope of the incident.
Thankfully some antivirus products can recognize the malware from the executable files as trojan horses, removing them from an affected user's computer entirely.
Related Article: Tax Refund Delays: 5 Steps to Follow to Get Your Refund Fast!
