By Cam Sivesind
Tue | Apr 4, 2023 | 2:49 PM PDT

As if tax season were not stressful enough, with the filing deadline of Tuesday, April 18, fast approaching, security researchers have discovered that a malicious JavaScript file has existed for weeks on eFile.com, an IRS-authorized electronic filing software service provider.

This security incident specifically concerns eFile.com, not identical-sounding domains or the IRS e-file infrastructure.

Vendor experts are chiming in on what it means for the IRS, eFile.com, and people filing their personal taxes.

Timothy Morris, Chief Security Advisor at Tanium, said:

"This is yet another type of supply chain attack. It is quite concerning that a major website had code changes (or code inserted) without authorization. It can be difficult at times to determine if a trusted site, or component, has been compromised, from the user's perspective. However, there were several suspicious behaviors that led to this being discovered.

This incident boils down to immaturity of processes necessary to keep the site secure. This is by no means a unique situation. Many organizations either don't have the resources or expertise to fully grasp what applications and devices have access to their network or have sufficient control to restrict who can make changes, which can lead to detrimental security gaps.

Reports in this case mentioned that just two security vendors marked the file as malicious. So, once again, we have a JavaScript that evades billions of dollars of security software."

John Bambenek, Principal Threat Hunter at Netenrich, said:

"Anything used in filing tax returns is highly sensitive. Considering malicious JavaScript was present for an extended period of time, this is quite concerning. Attackers know that tax fraud is a lucrative business with billions lost annually, and that changes were made to a production website that were not detected, means some basic detections were not present. Anything that's both public-facing and involved in sensitive transactions should have strong controls in place to detect unauthorized changes."

Zane Bond, Head of Product at Keeper Security, said:

"Tax filing services and their customers are prime targets for cybercriminals in the peak of their busiest season of the year. This is not unexpected as bad actors often leverage significant events to launch their malicious attacks.

The fact that this specific issue was brought up weeks ago and not resolved is cause for concern. However, instead of analyzing the specifics of the compromise, customers want to know what they can do to protect themselves, which comes down to the basics. Don't make risky clicks. Any website asking a customer to download and run an executable should be a red flag. Even the false flag of an SSL error should have been concerning.

What should you do when you're up against the deadline to get your taxes filed? Remain cautious and don't make rushed clicks. If you are concerned about the security of any tax filing software you're using, consider using a certified professional or the federal government's e-file site to file your taxes. You can also file for an extension through IRS.gov."

According to an article in Bleeping Computer, "On March 17th, a Reddit thread surfaced where multiple eFile.com users suspected the website was 'hijacked.'"
