LockBit Claims EFile Compromised, Threatening Taxpayer Data


Sensitive tax information of citizens in the U.S. could potentially be stolen after the notorious LockBit ransomware group has claimed responsibility for ransoming eFile.com, a well-known Internal Revenue Service (IRS) authorized online tax-filing service. This breach, similar to a previous malware incident from earlier in 2023, raises concerns about the cybersecurity measures in place at critical financial service providers.

Background of the eFile Attack

Lockbit claimed efile.com as one of its victims in its dark web post on September 18, 2024. AI-powered threat intelligence platform Cyble‘s researchers told The Cyber Express that LockBit did not post any documents – a process commonly followed by ransomware crooks as a proof of compromise.

LockBit ransomware, eFile.com
Source: X

Currently, details regarding the extent of the Lockbit ransomware attack, data compromised, and the motive behind the cyber assault remain undisclosed but, the group has set a deadline of 14 days to leak the compromised data.

Despite the claims made by Lockbit, the official website of the company remain fully functional. This discrepancy has raised doubts about the authenticity of the threat actor’s assertion. To ascertain the veracity of the claims, The Cyber Express has reached out to the eFile officials. As of writing of this news report, no response has been received, leaving the ransomware attack claim unverified.

Understanding the efile Attack in 2023

According to Dr. Johannes Ullrich, Dean of Research for SANS Technology Institute who reports cybersecurity related content, efile.com site was found to be serving malicious JavaScript that redirected users to download malware. Named “efail” by researchers, this malware exploited a vulnerability within the tax-filing platform, potentially allowing criminals to access a treasure trove of sensitive data including social security numbers, home addresses, income information, and other personal details.

eFile Lockbit RansomwareeFile Lockbit Ransomware
The bug unintentionally downloaded by users in 2023. Source: Sans Internet Storm Center

In that case, the malware operated by rerouting users to a corrupted third-party site where the malicious code was downloaded. The breach highlighted a significant vulnerability in the supply chain, as users visiting the official eFile.com site were being victimized without engaging in any unsafe browsing behavior. After Ulrich’s report, eFile removed the malware days later and reassured users that the site was safe. It appears that LockBit’s new claim may suggest ongoing security flaws or insufficient patching.

LockBit Ransomware Allegedly Targeted eFile Back in 2022

This is not the first instance that efile has fallen victim to a ransomware attack. Lockbit had claimed to have compromised eFile.com on January 19, 2022. The ransomware group has now asserted to have compromised the site again, which could have far more devastating consequences.

The crucial aspect of this attack is the timing which comes just before the October filing deadline for U.S. taxpayers who requested extensions. This is an indication that cybercriminals are intentionally targeting moments of peak traffic to maximize the impact of their breaches.

LockBit’s Growing List of Targets

LockBit has been relentless in its attacks on major institutions. The ransomware gang, even amid global law enforcement crackdowns, remains one of the most prolific cybercriminal groups in operation. The group accounts for about 8% of ransomware infections worldwide.

The breach at eFile.com fits within LockBit’s modus operandi, which focuses on high-value targets that house a wealth of sensitive data. The financial and government sectors have long been prime targets for ransomware gangs, largely because the data they hold is highly sensitive, and the consequences of a breach can be far-reaching, impacting millions of people.

Consequences for eFile.com Users

For the millions of users who rely on eFile.com to file their taxes, the potential consequences are dire. If LockBit’s claim proves true, taxpayers’ personal and financial data may be in the hands of criminals. This data could be used for a variety of nefarious activities, including identity theft, tax fraud, and account takeovers.

The breach at eFile.com is a stark reminder of the need for robust cybersecurity measures, particularly for companies that deal with large amounts of personal information. Stronger oversight of third-party vendors, improved endpoint security, and constant vigilance through security audits are all necessary to protect against evolving threats. As LockBit continues its reign of ransomware attacks, companies must rethink their cybersecurity protocols.



Source link