An IRS-authorized tax preparation site, eFile.com, was secretly delivering malware to visitors for weeks, according to security researchers and users.
Evidence shows that eFile.com was using a fake "This site can't be reached" pop-up to carry a link to malware disguised as a program called “update.exe,” according to Johannes Ullrich, a security researcher at the SANS Technology Institute.
This means hackers likely managed to tamper with the eFile.com website during tax season. Since at least March 17, the site has been rigged to load a malicious JavaScript file, “popper.js,” which can generate the fake network error pop-up page.
“The page looks very much like a legitimate browser error stating, ‘The current version of your browser uses an unsupported protocol. Click on the below link to update your browser,’” Ullrich noted. But while the update.exe program is designed to look innocuous, antivirus scans indicate the program is actually a Windows-based Trojan.
Security researchers at MalwareHunterTeam also analyzed update.exe, and described it as a "Windows targeting malware," possibly created to power a botnet, or an army of infected computers.
In addition, MalwareHunterTeam traced the threat back to a Reddit post from March 17, which shows a user reporting the fake network error page appearing on eFile.com. “All of this suggests that the site is compromised and is being used to distribute malware,” the Reddit user wrote at the time.
In the same thread, another user chimed in and noted: “It only prompts the security warning when it detects it's being viewed on a Windows machine.”
EFile.com didn’t
Read more on pcmag.com