IRS-Authorized eFile.com Has Exposed Some Wyomingites’ Computers To Malicious Trojan Horse Virus 

Cyber security researchers have discovered that popular IRS-authorized site, eFile.com, has been placing malware onto users’ computers. Anyone who visited eFile.com from March 17 through April 4 should assume exposure, and act accordingly, Wyoming cybersecurity experts say. 

RJ
Renée Jean

April 05, 20236 min read

Malware 4 5 23

Theres only a couple weeks left until this year's April 18 tax deadline, and demand for easy tax preparation sites is at or near peak traffic. 

In the midst of the last-minute tax rush, cyber security researchers have discovered that a popular IRS-authorized site, eFile.com, has been placing malware onto users' computers since March 17, and continued to do it through the morning of April 4, when researchers reported the malicious code was finally removed from the site. 

A blog post by SANS Internet Storm Center cyber researcher Johannes Ullrich is among the first to outline the problem in any detail online.  

According to his post, many Windows users reported a fake "This site cant be reached" pop-up, which offered one of two files, "update.exe" or "installer.exe," depending on a person's browser. 

While designed to look innocuous to the user, the executable files were actually a Windows-based Trojan. A Trojan refers to malicious code that can take over a user's computer. 

Assume Infection 

Wyomingites who used the eFile.com site between March 17 and the morning of April 4 should just assume that their system has been compromised and act accordingly, Rocky Mountain Cybersecurity CEO Elmer Robinson told Cowboy State Daily. That is true whether there was a popup or not. 

A malware scan would be a first step. According to Ullrich, the malicious files were initially being spotted only by Crowdstrike Falcon and Cynet, but that has since changed.  

"Over the last couple days, many anti-malware tools have added this malware to their signatures, and should be able to detect it by now," Ullrich told Cowboy State Daily in an email. "In particular, if users were redirected to an 'error' page, and asked to install a browser update, this is how the malware was installed on users systems." 

Robinson identified Sophos as another early detector. 

"Sophos is a product I've always felt pretty good about telling people about, and directing people toward," he added. "Their free product always scored really well in product evaluations where they put them up against viruses." 

Sophos offers an affordable product for homeowners for both Windows PCs and Macs.  

The home-level product uses essentially the same scanning engine as their enterprise-level product, Robinson said. 

High Traffic Exposure 

Many people were likely exposed to the malware hosted on eFile.com's website. 

Efile.com recorded 1.1 million visits in January, according to Simlarweb's most recent data. Similarweb tracks web traffic stats online.  

The malware in question worked via a malicious javascript file, "popper.js," which appeared to be testing systems first for Windows. If a system was operating Windows, it would then launch another script calling for an updated browser via the popup. 

The malware has so far only been reported appearing on eFile.com's website. While that site is IRS-authorized, the malware on it has not been reported as affecting any of the Internal Revenue Services e-file infrastructure.  

A call to the IRS to discuss the situation was not returned by the time this story was posted.  

It's not clear what the purpose of the virus exactly was. 

"Really, everything's possible keystroke loggers or backdoors the code is so small these days that just about anything is a possibility," Robinson said. 

Ullrich said it's impossible to tell who authored the hack, though he noted in his blog that some of the attack infrastructure is hosted with Alibaba in China, and that there are some Chinese comments in the code. 

No information was available on Efile.com's website Tuesday afternoon about the exposure. Cowboy State Daily used the site's web form to send a message to the company, requesting more details about the exposure. 

"The vendor is not very forthcoming with this kind of information," Robinson said. "If they were really, you know, reporting the way they should be, they would be telling us what happened, when the breach began, how many people were affected, and sending out alerts and notifying users." 

Tax Season Is Scam Season 

Tax season is a favorite time for con artists and hackers to target tax filing services and individuals with phishing scams, Robinson told Cowboy State Daily. 

"Every year during tax season, it's hard," Robinson said. "If you're a tax person and you're sitting there waiting for somebody to send you a document and they send you an email that says here's the document you've been waiting for, knowing that you're much more likely to double click on that because you're in a hurry."

Awareness is the key to defeating that, Robinson said.  

"Taking that moment to really look at the link," he said. "And a lot of times, you can hover a mouse pointer over the hyperlink to see the actual text and make sure you're going to the domain you think you're going to." 

Cyberattacks In General Getting More Sophisticated 

Cyberattacks in general are on the rise all year long, Robinson added, and con artists are getting better and better at it. 

"AI algorithms now generate emails, fake emails that sound just like it came from your boss," Robinson said.  

All it takes to generate these sound-alike emails is three or four intercepted emails from an individual, he added. Those can be fed into the AI bot, which can then generate all kinds of emails that will seem authentic. Paired with the correct business logos and a spoofed address, they can be very difficult to spot as fakes. 

"They can then send an email to his secretary that says 'Hey, I'm out of town. I need you to transfer some money. And it seems like it came from that guy." 

While it sounds unusual, it's really not. 

"I've been talking to bankers and you wouldn't believe how many times they've stopped someone who's at the counter, trying to get several money orders to send," Robinson said. "It's important to be aware that the bad guys are out there, trying to monetize you, and be really cautious and suspicious." 

Share this article

Authors

RJ

Renée Jean

Business and Tourism Reporter