IRS-authorized tax service eFile was found sending out malware
eFile was hijacked to send out malware for weeks
IRS-authorized tax service eFile.com appears to have been hijacked and used to distribute malware, researchers have found.
The website hosts an e-file software solution, authorized by the Internal Revenue Service (IRS), that offers tax return filing services.
As reported by multiple security teams as well as customers, a threat actor managed to compromise the website in mid-March 2023, injecting a malicious JavaScript file called “popper.js”. This file was present on practically all of the pages of the site, and it tried to get visitors to download a second-stage payload.
Full control
The payload is a Windows botnet written in PHP. There are different versions, depending on whether the visitor is using Chrome or Firefox. Most antivirus programs are now flagging the botnet as a trojan, and the website stopped serving them as of April 1. Its key functionality is giving the attackers full access to the target endpoint, which they can later use for further attacks, as well as lateral movement across the target network. Further attacks could see them deploy malware, infostealers, or even ransomware.
While the researchers have not yet determined exactly who was behind the attack, it was found that the two versions try to establish a connection to an IP address based in Tokyo, apparently hosted with Alibaba. The same IP address was also found hosting a different illicit domain.
It’s difficult to assess how many people got compromised as a result of this campaign. The full scope of the incident remains to be seen.
The news is particularly concerning as it is currently tax filing season in the United States, where consumers and businesses have until April 18 to file their tax returns. It is an event that cybercriminals often use as a starting point for their activities. Sometimes, they’d assume other people’s identities and file taxes on their behalf, in order to steal the money. In other scenarios, they’d impersonate the IRS and try to send out malware via email.
Via: BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.