
eFile tax website served malware to visitors for weeks

Just in time for tax season, the IRS-authorized eFile website prompted users to install a Windows botnet trojan through April 1.

Windows users who used eFile.com may have been exposed to a malicious JavaScript file that prompted them to install a second-stage payload. Although users would have needed to interact with the prompt and install the .exe file, running a virus scan is still recommended.

According to a report from Bleeping Computer, Reddit users pointed out that the malware had been served since at least mid-March. It has been independently verified that eFile is no longer serving the malware as of April 4.

This affected the eFile website directly. Users that interacted with the service on a Windows PC will need to ensure their system is secure. Neither macOS nor iOS was affected, but we're discussing the issue to bring awareness, given that the IRS has yet to make a formal statement about the issue, and millions of Americans could be affected.

A JavaScript file called popper.js was being loaded by nearly every page of eFile.com until at least April, the report confirmed. An additional file named update.js associated with the attack would prompt users to download the next stage of the payload, a Windows executable that changed based on which browser was in use — Chrome or Firefox.

This malicious software was being served from a Tokyo-based IP address hosted with Alibaba. If installed, the trojan would act as a simple backdoor and turn the Windows machine into a botnet member.

The malware would connect to a remote command and control center every ten seconds to receive a task. And despite being a simple backdoor, it had full access to a device.

Antivirus products have reportedly already started flagging the executables as trojans. Again, we urge any Windows user that visited eFile.com in recent weeks to run a scan of their device.

4 Comments

chasm 11 Years · 3709 comments

Oh, but we're supposed to believe that the ONLY reason Macs are so resistant to malware is from "security through obscurity."

Yeah, right ...

PS. For our Windows friends: download the MalwareBytes free trial to do that scan.

1 Like · 0 Dislikes
mystigo 17 Years · 183 comments

Whoa. That is pretty bad.

1 Like · 0 Dislikes
mrstep 16 Years · 531 comments

Is taxation still theft if they're offering free malware with it?

1 Like · 0 Dislikes
baconstang 11 Years · 1175 comments

Neither, nor are NOT affected?

3 Likes · 0 Dislikes