Tax Prep Site eFile.com Delivered Malware to Users for Weeks

An IRS-authorized tax preparation site, eFile.com, was secretly delivering malware to visitors for weeks, according to security researchers and users.

Evidence shows that eFile.com was using a fake “This site can’t be reached” pop-up to carry a link to malware disguised as a program called “update.exe,” according to Johannes Ullrich, a security researcher at the SANS Technology Institute.

This means hackers likely managed to tamper with the eFile.com website during tax season. Since at least March 17, the site has been rigged to load a malicious JavaScript file, “popper.js,” which can generate the fake network error pop-up page.

The fake network error pop-up page appearing on eFile.com. (Credit: Reddit)

“The page looks very much like a legitimate browser error stating, ‘The current version of your browser uses an unsupported protocol. Click on the below link to update your browser,’” Ullrich noted. But while the update.exe program is designed to look innocuous, antivirus scans indicate the program is actually a Windows-based Trojan.

Security researchers at MalwareHunterTeam also analyzed update.exe, and described it as a “Windows targeting malware,” possibly created to power a botnet, or an army of infected computers.

In addition, MalwareHunterTeam traced the threat back to a Reddit post from March 17, which shows a user reporting the fake network error page appearing on eFile.com. “All of this suggests that the site is compromised and is being used to distribute malware,” the Reddit user wrote at the time.

In the same thread, another user chimed in and noted: “It only prompts the security warning when it detects it’s being viewed on a Windows machine.”
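
As an added example (not code from the article, from eFile.com, or from the researchers quoted), here is a small Python check a site operator could run over a page fetched with a Windows User-Agent: it compares the script sources actually served against a maintained allowlist of expected scripts, and flags any link to a native executable such as the “update.exe” lure described above. The allowlist and the sample HTML are constructed for illustration.

```python
# Added example, not part of the original article: audit served HTML for unexpected
# script sources and executable download links, the two artifacts described above.
from html.parser import HTMLParser

# Hypothetical allowlist a site operator maintains for their own pages (constructed).
EXPECTED_SCRIPTS = {"/static/app.js", "/static/vendor.js"}
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".scr", ".bat", ".cmd", ".ps1")


class _RefCollector(HTMLParser):
    """Collect <script src> and <a href> values from an HTML document."""

    def __init__(self):
        super().__init__()
        self.scripts = set()
        self.links = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.add(a["src"].strip())
        elif tag == "a" and a.get("href"):
            self.links.add(a["href"].strip())


def _is_executable_link(href):
    # Ignore query strings and fragments before checking the file extension.
    path = href.split("#", 1)[0].split("?", 1)[0].lower()
    return path.endswith(EXECUTABLE_SUFFIXES)


def audit_page(html, expected_scripts=EXPECTED_SCRIPTS):
    """Return script sources not on the allowlist and links pointing at executables."""
    p = _RefCollector()
    p.feed(html)
    return {
        "unexpected_scripts": sorted(p.scripts - set(expected_scripts)),
        "executable_links": sorted(h for h in p.links if _is_executable_link(h)),
    }


# Constructed sample response modelled on the behaviour reported for eFile.com.
WINDOWS_HTML = """<html><head><script src="/static/app.js"></script>
<script src="/popper.js"></script></head>
<body><div id="err">The current version of your browser uses an unsupported protocol.
<a href="/update.exe?v=2">Click here to update your browser</a></div></body></html>"""

if __name__ == "__main__":
    print(audit_page(WINDOWS_HTML))
```

Because the pop-up was reported only for Windows visitors, run the check with a Windows User-Agent as well as a non-Windows one, since a server-side or client-side gate may hide the injected script from other clients.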


EFile.com didn’t immediately respond to a request for comment, so we don’t have a lot of details about what happened. But according to Ullrich, eFile.com has been updated to remove the popper.js JavaScript from the site.

Still, the hack raises concerns that eFile.com may have suffered a larger breach involving user data. Tax preparation providers hold a wealth of sensitive information on their customers, which can include Social Security numbers, birth dates, and addresses—all data that could be used for identity theft schemes.

