Circuit City warns of online forum attack

update Part of the Circuit City Web site was hacked and used in an attempt to install malicious code on PCs of unknowing visitors, the electronics retailer said Thursday.

Cybercrooks were able to break in and modify a home theater message board on Circuit City's Web site, said Bill Cimino, a spokesman for Circuit City of Richmond, Va. Over an approximately two-week period, visitors to the board were subsequently sent to a site in Russia that attempted to install a "backdoor" on their PCs that gives the attackers remote access, he said.

Circuit City was made aware of the attack on Thursday by the SANS Internet Storm Center, Cimino said. The company took down the message board, operated by a third party, and is in the process of notifying the 1,000 or so registered users of the online forum, he said.

"At this point we think approximately 200 users visited the site while the exploit was active," Cimino said. Those people are registered users of the message board. Circuit City has no data on people who visited the site without being registered, he said.

On Friday, Circuit City said that after further investigation, it now believes the security breach occurred on May 30. This would mean the site was only dangerous for about two days, as opposed to the two-week period initially reported. During those two days, about 80 registered users visited the infected forum, Circuit City said in a statement.

The attack affects only those people who visited the Circuit City message board on home theaters. The main Circuit City Web site was not compromised, Cimino said. Furthermore, only those forum visitors who used unpatched versions of Microsoft's Internet Explorer Web browser could be victimized, he said.

The attackers used a pair of security flaws. They first broke into the forum Web site by exploiting a bug in the Invision Power Services software that runs it, Cimino said. Then they attempted to install backdoor software onto the PCs of visitors who used a version of IE without Microsoft's January security patches installed, he said.

The Circuit City home theater forum is reached by going to the main Circuit City Web site, clicking on to Home Theater Headquarters and then hitting the "Discuss" option. The site will be back online once the third party that operates it has installed the latest patches for the message board software, Cimino said.

Circuit City recommends that its site visitors check whether they have the latest Microsoft patches installed. The company is considering offering registered forum users a free or discounted PC checkup through its partner PlumChoice.

[Jeff Putz]

That's what they get

Invision Power Board is a known piece of crap that you can hack.