2
IRS-Authorized eFile.com Tax Return Software Caught Serving JS Malware - Slashdo...
source link: https://it.slashdot.org/story/23/04/04/2051239/irs-authorized-efilecom-tax-return-software-caught-serving-js-malware
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
IRS-Authorized eFile.com Tax Return Software Caught Serving JS Malwarebinspamdupenotthebestofftopicslownewsdaystalestupid freshfunnyinsightfulinterestingmaybe offtopicflamebaittrollredundantoverrated insightfulinterestinginformativefunnyunderrated descriptive typodupeerror
Do you develop on GitHub? You can keep using GitHub but automatically sync your GitHub releases to SourceForge quickly and easily with this tool so your projects have a backup location, and get your project in front of SourceForge's nearly 30 million monthly users. It takes less than a minute. Get new users downloading your project releases today!Sign up for the Slashdot newsletter! or check out the new Slashdot job board to browse remote jobs or jobs in your area.
×
eFile.com, an IRS-authorized e-file software service provider used by many for filing their tax returns, has been caught serving JavaScript malware. BleepingComputer reports: eFile.com was caught serving malware, as spotted by multiple users and researchers. The malicious JavaScript file in question is called 'popper.js'. The development comes at a crucial time when U.S. taxpayers are wrapping up their IRS tax returns before the April 18th due date. BleepingComputer can confirm, the malicious JavaScript file 'popper.js' was being loaded by almost every page of eFile.com, at least up until April 1st. As of today, the file is no longer seen serving the malicious code.
On March 17th, a Reddit thread surfaced where multiple eFile.com users suspected the website was "hijacked." At the time, the website showed an SSL error message that, some suspected, was fake and indicative of a hack. Turns out that's indeed the case. [...] The malicious JavaScript file 'update.js', further attempts to prompt users to download next stage payload, depending on whether they are using Chrome [update.exe - VirusTotal] or Firefox [installer.exe - VirusTotal]. Antivirus products have already started flagging these executables as trojans.
BleepingComputer has independently confirmed these binaries establish a connection to a Tokyo-based IP address, 47.245.6.91, that appears to be hosted with Alibaba. The same IP also hosts the illicit domain, infoamanewonliag[.]online associated with this incident. Security research group, MalwareHunterTeam further analyzed these binaries, and stated that these contain Windows botnets written in PHP -- a fact that the research group mocked. Additionally, the group called out eFile.com for leaving the malicious code on its website for weeks: "So, the website of [efile.com]... got compromised at least around middle of March & still not cleaned," writes MalwareHunterTeam.
On March 17th, a Reddit thread surfaced where multiple eFile.com users suspected the website was "hijacked." At the time, the website showed an SSL error message that, some suspected, was fake and indicative of a hack. Turns out that's indeed the case. [...] The malicious JavaScript file 'update.js', further attempts to prompt users to download next stage payload, depending on whether they are using Chrome [update.exe - VirusTotal] or Firefox [installer.exe - VirusTotal]. Antivirus products have already started flagging these executables as trojans.
BleepingComputer has independently confirmed these binaries establish a connection to a Tokyo-based IP address, 47.245.6.91, that appears to be hosted with Alibaba. The same IP also hosts the illicit domain, infoamanewonliag[.]online associated with this incident. Security research group, MalwareHunterTeam further analyzed these binaries, and stated that these contain Windows botnets written in PHP -- a fact that the research group mocked. Additionally, the group called out eFile.com for leaving the malicious code on its website for weeks: "So, the website of [efile.com]... got compromised at least around middle of March & still not cleaned," writes MalwareHunterTeam.
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK