IRS-Authorized Tax Service eFile Contains Malicious Link

Tyler Cross

While filing your taxes online can help make the whole process a lot easier, a threat actor has been using eFile, an IRS-authorized tax service, to trick users into downloading malware onto their devices.

Security researchers discovered that eFile was breached by hackers, who hid malicious code in the website. The code was an insidious JavaScript file named “popper.js,” which loaded a false error message on nearly every page of the website.

The false error message warned users that the page couldn’t be reached and provided them with a link to update their browser. This “update” contains hidden malicious code that prompts users to download another file called “update.exe.” This second download contains the bulk of the malware.

What’s unique about popper.js is that it uses obfuscated code to hide a connection to infoamanewonliag[.]online, which was registered on VirusTotal on March 12 and had its last update on March 17. That was the same day that users on Reddit began making posts about eFile’s sudden SSL error messages popping up on their screens. The IP address of this connection is also hosted on Alibaba.

Since the code wasn’t detected until April 1, this means the malware had several weeks to infect people’s devices. Back in January, the LockBit ransomware gang claimed to have hacked eFile. Though there was seemingly no attack, it may explain how a group was able to carefully organize an extensive but subtle attack on the website.
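Because the script ran for weeks before it was found, defenders may want to check retained web proxy logs for the two indicators named above. The following is an added example, not code from the researchers or from eFile; the log layout, client addresses and `.example` hosts are constructed assumptions, and only the domain and the file name come from the article.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

IOC_DEFANGED = "infoamanewonliag[.]online"  # domain as written in the article
PAYLOAD_NAME = "update.exe"                 # second-stage file named in the article

# Assumed (hypothetical) proxy log layout: "<timestamp> <client_ip> <method> <url> <status>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def refang(indicator):
    """Turn a defanged indicator back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()


def hunt(log_lines, ioc=IOC_DEFANGED):
    """Map each client IP to the sorted list of indicators seen in its requests."""
    domain = refang(ioc)
    hits = defaultdict(set)
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        _ts, client, _method, url, _status = m.groups()
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        filename = parts.path.rsplit("/", 1)[-1].lower()
        # Exact host or a true subdomain only, so lookalike names do not match.
        if host == domain or host.endswith("." + domain):
            hits[client].add("ioc_domain")
        if filename == PAYLOAD_NAME:
            hits[client].add("payload_download")
    return {client: sorted(tags) for client, tags in hits.items()}


def triage(findings):
    """Clients that both reached the domain and fetched the payload come first."""
    return sorted(findings, key=lambda c: (-len(findings[c]), c))


# Constructed sample log lines (not real traffic); hosts other than the IoC are placeholders.
_D = refang(IOC_DEFANGED)
SAMPLE_LOG = [
    "T1 10.0.0.5 GET https://taxsite.example/js/popper.js 200",
    f"T2 10.0.0.5 GET https://{_D}/ 200",
    "T3 10.0.0.5 GET https://downloads.example/dl/update.exe 200",
    f"T4 10.0.0.9 GET https://cdn.{_D}/check 200",
    "T5 10.0.0.7 GET https://vendor.example/tools/setup.exe 200",
    "malformed line",
]
```

A file named `update.exe` is common on its own, so a client showing both indicators deserves attention before one showing only the download.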

Threat actors took advantage of the implicit trust users had in an IRS-backed service. Unfortunately, there’s no way to determine the full scope of the situation, how many users were affected, or exactly what the threat actors obtained. The public should know more once eFile releases a statement about the situation.

About the Author

Tyler is a writer at SafetyDetectives with a passion for researching all things tech and cybersecurity. Prior to joining the SafetyDetectives team, he worked with cybersecurity products hands-on for more than five years, including password managers, antiviruses, and VPNs, and learned everything about their use cases and function. When he isn't working as a "SafetyDetective", he enjoys studying history, researching investment opportunities, writing novels, and playing Dungeons and Dragons with friends.