It's Tax Prep Season in the US

April 11, 2023

During tax preparation season, this notice is being shared out of an abundance of caution for anyone using online tax filing services.

What Happened?

On April 3, 2023, the SANS Internet Storm Center posted a bulletin about the United States tax preparation site efile.com hosting a malicious JavaScript file. When loaded, this file redirects to a staging site that downloads a fake update binary. The file delivered depends on the visiting user's browser. Chrome users receive a file called update.exe, and Firefox users receive a file called installer.exe. Both are Python-derived stagers that ultimately attempt to install a PHP-based backdoor on the victim's device.

How Was the Site Compromised?

Researchers discovered that a standard third-party JavaScript library called popper.js had been tampered with on the efile.com site. Someone inserted obfuscated JavaScript code into the otherwise normal file. That hidden code causes the browser to silently contact a malicious external domain. From there, the site serves a fake browser error page telling the user their browser uses an unsupported protocol and prompting them to click a link to update it. That link downloads the malicious executable.
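The compromise described above worked because a single third-party script file could be altered without anything noticing. The standard defence is to pin a hash of each vendored library and have both the browser (via Subresource Integrity) and the deployment pipeline verify it. The following Python example is added here for illustration and is not code from efile.com, the SANS bulletin, or the popper.js project; the library contents are constructed stand-ins, and the injected tail is inert text that only mimics the shape of an appended payload.

```python
import base64
import hashlib
import hmac

# Constructed sample standing in for a vendored third-party library (not the real popper.js).
CLEAN_LIB = b"/* tooltip positioning library (constructed sample) */\n" \
            b"function positionTooltip(el){return el;}\n"

# Constructed sample of the same file with an appended block, mimicking how an
# otherwise normal library gains an injected tail. The tail is inert text.
TAMPERED_LIB = CLEAN_LIB + b"/* appended block (inert, constructed) */ var x = 'example';\n"


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity token, e.g. 'sha384-<base64 digest>', for content."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_integrity(content: bytes, expected: str) -> bool:
    """True if content matches the pinned SRI token.

    The algorithm is taken from the token prefix so the pinned value is
    self-describing; the comparison is constant-time.
    """
    algo = expected.split("-", 1)[0]
    return hmac.compare_digest(sri_hash(content, algo), expected)


def script_tag(src: str, content: bytes) -> str:
    """Build the <script> tag that makes the browser refuse a file whose hash changed."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


def audit(served: dict, pinned: dict) -> list:
    """Compare served library files against pinned hashes; return the names that differ.

    served: {filename: bytes currently on the web server}
    pinned: {filename: SRI token recorded when the library was reviewed}
    """
    return [name for name, token in pinned.items()
            if not verify_integrity(served.get(name, b""), token)]


if __name__ == "__main__":
    pinned = {"popper.min.js": sri_hash(CLEAN_LIB)}
    print(script_tag("/js/popper.min.js", CLEAN_LIB))
    print("clean deployment drift:", audit({"popper.min.js": CLEAN_LIB}, pinned))
    print("tampered deployment drift:", audit({"popper.min.js": TAMPERED_LIB}, pinned))
```

The `integrity` attribute only protects scripts the browser fetches; a file modified in place on the site's own server is still served, which is why `audit` re-checks the deployed files against the hashes recorded at review time. Running that check on a schedule, or on every deploy, turns a silent file modification into an alert.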

The malicious domain involved was registered just days before the tampered files first appeared, and the executable files carry a valid-looking code signature, which helped them initially evade most antivirus detection. At the time of discovery, only two security engines flagged the files as malicious.

What Should You Do?

If you used efile.com during tax season and received any prompt to download an update or installer file, treat your device as potentially compromised. Do not ignore popups asking you to update your browser while on tax or financial websites, as these are a common social engineering tactic. Run a full scan with updated antivirus software immediately. If you believe your device may be infected, contact your IT provider before continuing to use it for sensitive activities such as banking or file access.

This type of supply-chain compromise through a third-party component is increasingly common. Attackers target widely used websites during high-traffic periods precisely because users are more likely to be distracted and less likely to scrutinize unexpected prompts.

If your organization needs help assessing whether any devices may have been affected, or if you want to put proactive protections in place for future threats like this one, the team at Cyber One Solutions is here to help. Contact us today to schedule a security consultation.