
JavaScript malware infects tax-return service since mid-March


Just a couple of weeks before the April 18 tax deadline, news broke that the service, an IRS-authorized e-file provider, was observed executing JavaScript malware.

A diverse group of security researchers and users reported April 4 that the JavaScript malware, popper.js, had existed on the website for several weeks.

The service runs as a private website and is not the same as IRS Free File, which lets taxpayers with adjusted gross incomes of less than $73,000 file for free via the website.

Similarweb reported in January that tracked 1.1 million total visits and a bounce rate of 38.8% versus, the leader in the e-filing field, which had 26.1 million total visits and a bounce rate of 28.7%. Most tax experts say works best for taxpayers who are comfortable filing their own taxes and have an uncomplicated form.

BleepingComputer confirmed that the malicious popper.js script was loaded by almost every page of at least up until April 1. They also reported that on March 17, a Reddit thread emerged in which multiple users suspected the website was hijacked.

Johannes Ullrich of the SANS Institute also released a report on the issue, in which it was confirmed that bad actors used the popper.js malware.

Jerrod Piker, competitive intelligence analyst at Deep Instinct, explained that this attack involves a malicious JavaScript that was served by almost every page of the website. As early as the middle of March, Piker said users began noticing a fake SSL error message that prompted them to update their browser to support loading the page.

Further analysis indicated that the SSL error page was indeed malicious, and the link to “update the browser” actually pointed to a command-and-control address from which a malicious payload was downloaded to the user’s system.

“While it’s unclear how many people were actually infected by this malicious script, it’s very concerning that the hacked web pages were serving the malicious script for weeks before any action was taken,” said Piker. “Also, since this attack was timed around tax season, the potential impact was exponentially greater.”

Piker said the problem with eFile is an example of not trusting even legitimate sites, adding that the fake SSL error message was a dead giveaway for this particular attack.

Zane Bond, head of product at Keeper Security, said tax-filing services and their customers are prime targets for cybercriminals in the peak of their busiest season of the year. Bond added that the fact that the specific eFile issue was brought up weeks ago and not resolved was cause for concern.

“However, instead of analyzing the specifics of the compromise, customers want to know what they can do to protect themselves, which comes down to the basics,” said Bond. “Don’t make risky clicks. Any website asking a customer to download and run an executable should be a red flag. Even the false flag of an SSL error should have been concerning.”

John Bambenek, principal threat hunter at Netenrich, said anything used in filing tax returns is highly sensitive. Bambenek said attackers know that tax fraud has become a lucrative business with billions lost annually, and that the fact that changes made to a production website were not detected means some basic detections were not present.

“Anything that’s both public-facing and involved in sensitive transactions should have strong controls in place to detect unauthorized changes,” said Bambenek.

Keeper Security’s Bond also pointed out that those concerned about the security of the e-filing service they are using can file an extension via Here’s a link to five tax season tips for companies and consumers.
