eFile tax website served malware to visitors for weeks



eFile.com was serving malware

Just in time for tax season, the IRS-authorized eFile website prompted users to install a Windows botnet trojan through April 1.

Windows users who used eFile.com may have been exposed to a malicious JavaScript file that prompted them to install a second-stage payload. Although users would have needed to interact with the prompt and install the .exe file, running a virus scan is still recommended.

This affected the eFile website directly. Users who interacted with the service on a Windows PC will need to ensure their system is secure. Neither macOS nor iOS was affected, but we’re discussing the issue to bring awareness, given that the IRS has yet to make a formal statement and millions of Americans could be affected.

A JavaScript file called popper.js was being loaded by nearly every page of eFile.com until at least April, the report confirmed. An additional file named update.js associated with the attack would prompt users to download the next stage of the payload, a Windows executable that changed based on which browser was in use — Chrome or Firefox.
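For site operators, the case above is the one a script-integrity audit is meant to catch: a vendored library whose served content no longer matches the release, and a script the release never contained. The following is an added example, not code from the report or from eFile; the `/js/` paths, the file contents and the baseline are constructed for illustration.

```javascript
// Added example: script-integrity audit for a site operator.
const { createHash } = require("node:crypto");

const sha384 = (body) => createHash("sha384").update(body).digest("base64");

// Constructed known-good release content; a real baseline comes from the build pipeline.
const GOOD_POPPER = "/* popper.js, vendored release */ function createPopper(){}";
const BASELINE = new Map([["/js/popper.js", sha384(GOOD_POPPER)]]);

// Constructed sample of what a monitor fetched from the live site.
const PAGE_HTML = `<html><head>
<script src="/js/popper.js"></script>
<script src="/js/update.js"></script>
</head><body>...</body></html>`;
const SERVED = {
  "/js/popper.js": GOOD_POPPER + "\n/* constructed: code appended after release */",
  "/js/update.js": "/* constructed: script absent from the release */",
};

// Collect the src of every external <script> tag in the page.
function scriptSources(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  return [...html.matchAll(re)].map((m) => m[1]);
}

// Compare each script the page loads with the baseline and report deviations.
function auditPage(html, served, baseline) {
  const findings = [];
  for (const src of scriptSources(html)) {
    const body = served[src];
    if (!baseline.has(src)) {
      findings.push({ src, issue: "not-in-baseline" });
    } else if (body === undefined) {
      findings.push({ src, issue: "fetch-failed" });
    } else if (sha384(body) !== baseline.get(src)) {
      findings.push({ src, issue: "hash-mismatch" });
    }
  }
  return findings;
}

for (const f of auditPage(PAGE_HTML, SERVED, BASELINE)) {
  console.log(`${f.issue}: ${f.src}`);
}
```

Run against every page template after each deployment and on a schedule, so that a change made outside the release process shows up as a finding rather than being discovered by visitors.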