source link: https://siliconangle.com/2023/04/04/irs-approved-tax-filing-site-found-delivering-malware-users-week/

IRS-approved tax filing site eFile.com found delivering malware to users for a week


A U.S. Internal Revenue Service-approved tax filing site called eFile.com has been found to be delivering malware to users for weeks.

Suspicions that the site was serving malware first appeared on Reddit on March 18, with confirmation provided by security researcher Johannes Ullrich on April 3. Users reported that while using the site, they were presented with a file called “update.exe.”

Ullrich confirmed that those behind the attack were trying to infect users through a malicious JavaScript file named popper.js (the name of a legitimate open-source library, which would help the file blend in among a site's normal scripts). The script generates a fake network error page that, according to Ullrich, “looks very much like a legitimate browser error.” The page tells users that “the current version of your browser uses an unsupported protocol” before instructing them to “click on the link to update your browser.” The link downloads update.exe, the payload that the injected popper.js delivers.

The file was described as “Windows-targeting malware,” although its exact endgame is disputed: some suggested it was not stealing data but trying to enlist victims’ machines in a botnet. Either way, malware served from a tax filing site is never a good thing.

According to Bleeping Computer today, the file was still being presented to users on almost every page of eFile.com until April 1, meaning there was around a two-week window in which the site was infected. Although eFile.com has yet to provide a public comment, popper.js has been removed from the site.

“It is quite concerning that a major website had code changes, or code inserted, without authorization,” Timothy Morris, chief security adviser at endpoint management firm Tanium Inc., told SiliconANGLE. “It can be difficult at times to determine if a trusted site, or component, has been compromised from the user’s perspective. However, there were several suspicious behaviors that led to this being discovered.”

The incident boils down to the immaturity of processes necessary to keep the site secure, he added. “This is by no means a unique situation,” Morris said. “Many organizations either don’t have the resources or expertise to fully grasp what applications and devices have access to their network or have sufficient control to restrict who can make changes, which can lead to detrimental security gaps.”
