eFile.com, an online service that helps individuals file tax returns, had malicious code injected into its pages, and that code led to malware being delivered to visitors.
The service, which is authorized by the Internal Revenue Service (IRS) but not operated by the agency, was seen serving malware for several weeks, until it was cleaned up earlier this week.
The eFile.com compromise was initially observed in mid-March, when a user reported that visitors were redirected to a fake ‘network error’ page and were served a fake browser update.
The fake update installed a backdoor whose main function is to download and execute additional code on the attacker's instruction. During installation, basic system information is sent to the attacker, and the backdoor is made persistent via scheduled-task and on-boot registry entries.
Some of the attack infrastructure is hosted with Alibaba in China, and some Chinese comments are in the code. The code is very cobbled together, and the clumsy inclusion of PHP points to a not-so-advanced, but maybe still persistent, threat actor.
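The injection described above shows up, from the site operator's side, as references in the served HTML that were never part of the site: an extra script tag, an iframe, or a meta-refresh redirect to a look-alike "error" page. The script below is an added example written for this summary; it is not code from the article, from eFile.com or from the attack. It parses a page with Python's standard-library HTML parser, reports any script, iframe or redirect target whose host is outside a baseline allowlist, and can also diff a current copy of a page against a known-good snapshot. The hostnames, allowlist and sample HTML are constructed for the example.

```python
"""Added example: integrity check for injected references in served HTML.
Not from the article or from eFile.com. All hosts and HTML below are constructed."""

from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed baseline: hosts this hypothetical site is expected to load
# scripts and frames from. Anything else is reported.
ALLOWED_HOSTS = {"www.example-tax-site.test", "cdn.example-tax-site.test"}


class _Collector(HTMLParser):
    """Collects script/iframe sources and meta-refresh redirect targets."""

    def __init__(self):
        super().__init__()
        self.sources = []     # (tag, url) for <script src> and <iframe src>
        self.redirects = []   # targets of <meta http-equiv="refresh" content="N; url=...">
        self.inline_scripts = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe") and a.get("src"):
            self.sources.append((tag, a["src"]))
        elif tag == "script":
            self.inline_scripts += 1
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content looks like "0; url=https://host/page"; keep the url= part
            for part in (a.get("content") or "").split(";"):
                part = part.strip()
                if part.lower().startswith("url="):
                    self.redirects.append(part[4:].strip())


def _host_of(url, page_host):
    """Host a reference points at; relative URLs belong to the page's own host."""
    parsed = urlparse(url)
    if not parsed.netloc:
        return page_host
    return parsed.netloc.lower()


def find_injected_references(html, page_host, allowed_hosts=ALLOWED_HOSTS):
    """Return (kind, value) findings for references outside the allowlist."""
    c = _Collector()
    c.feed(html)
    findings = []
    for tag, src in c.sources:
        if _host_of(src, page_host) not in allowed_hosts:
            findings.append((f"external-{tag}", src))
    for target in c.redirects:
        if _host_of(target, page_host) not in allowed_hosts:
            findings.append(("meta-redirect", target))
    return findings


def new_references(baseline_html, current_html):
    """Return references present in the current page but absent from the baseline snapshot."""
    b, c = _Collector(), _Collector()
    b.feed(baseline_html)
    c.feed(current_html)
    base = set(b.sources) | {("meta-redirect", r) for r in b.redirects}
    cur = set(c.sources) | {("meta-redirect", r) for r in c.redirects}
    return sorted(cur - base)


# Constructed sample pages: a clean snapshot and the same page with an injected
# external script and a meta-refresh redirect (hosts use the reserved .invalid TLD).
CLEAN_PAGE = """<html><head><title>File your return</title>
<script src="/static/app.js"></script>
<script src="https://cdn.example-tax-site.test/lib.js"></script>
</head><body><h1>Welcome</h1></body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace(
    "</head>",
    '<script src="https://cdn-update.invalid/popup.js"></script>\n'
    '<meta http-equiv="refresh" content="0; url=https://cdn-update.invalid/error.html">'
    "</head>",
)

if __name__ == "__main__":
    host = "www.example-tax-site.test"
    print("clean page:", find_injected_references(CLEAN_PAGE, host))
    print("injected page:", find_injected_references(INJECTED_PAGE, host))
    print("added since baseline:", new_references(CLEAN_PAGE, INJECTED_PAGE))
```

Run on a schedule against the pages a site actually serves to visitors (not only the files on disk, since an injection may happen at the web-server or CDN layer), and treat any new host in the output as something to investigate before the next visitor sees it.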
What to do?
Monitor banking activity constantly to verify transactions and detect billing irregularities.
Employ established third-party tax professionals to navigate tax season.
Keep anti-virus/anti-malware software current and up to date to protect your system.
Apply manufacturer-supplied firmware updates as soon as possible.
Maintain clean, up-to-date backups.
What can you do when this happens to you?
If you find your network has been compromised, shut it down immediately.
Identify the breach and the type of virus or malware present.
Identify any data which might have been compromised or stolen and inform appropriate parties.
Rebuild the network from a known clean backup.
Sources: Ionut Arghire, Tech Republic; "Tax Return Filing Service eFile.com Caught Serving Malware", SecurityWeek.