Circuit City Fixes Forum Flaw That Infected IE Users

The company patched a customer-support message forum Web site that had been silently installing a backdoor Trojan on visitors' PCs.
Circuit City Stores Inc. on Thursday patched a customer support message forum Web site that had been silently installing a backdoor Trojan on visitors' PCs for more than two weeks.

Sometime on or about May 17, hackers broke into a home theater message board on Circuit City's online site, said Bill Cimino, a spokesman for the Richmond, Va.-based electronics retailer. "We're trying to backtrack to when the break-in actually occurred," Cimino said Friday.

From then until Thursday, June 1, visitors to the forum who were running unpatched versions of Microsoft's Internet Explorer were directed to a Russian-based Web site that tried to install a Trojan horse which would give attackers full access to the compromised PC.

Cimino said that Circuit City is still trying to determine how many people may have been at risk. "We're sure that the number is fairly low, but I'm still working on getting a total. Right now all I have is the number of registered users."

Of the message board's 1,260 registered users, Cimino said that about 200 visited the forum during the two-week span of the attack. Visitors don't have to register to access the forum, however, or to read its messages, so the total number of IE users who cruised the board may be considerably higher than 200.

The attackers gained access to the forum through a now-patched vulnerability in the Invision Power Board software used to drive the message board; the software's maker, Invision Power Services, patched the flaw on May 17. While the forum is reachable from Circuit City's online store site, it's actually hosted by a third-party provider, said Cimino.

"As soon as we found out about the attack, we took down the board," Cimino said. "We patched it up…the host did…and it's back up and running. There was no impact to the Circuit City site, or to visitors of the online store."

Forum visitors could have been infected with the backdoor if they were running a version of IE that had not been patched against the Windows Metafile flaw, which was fixed out-of-cycle in early January after widespread use of the bug by thousands of malicious sites during the final weeks of 2005.

That patch can be downloaded from the Microsoft security Web site.

Cimino said that Circuit City is contacting registered users who visited the forum during the at-risk weeks, and may offer them a free PC checkup through its PlumChoice partner.
