Circuit City Support-Site Hack Installed Spamming Program
The customer support Web site for Richmond-based Circuit City, a leading supplier of computers and other consumer electronics, was for several weeks serving up an invasive computer virus to any visitor who browsed the site with an unpatched version of Microsoft's Internet Explorer Web browser.
It appears that unknown hackers broke into the retailer's support forum via a recently patched security flaw in Invision Power Forum, the software the company uses to run the site. Anyone who visited the forum in IE without the protection afforded by a security patch Microsoft released in January most likely got whacked with an exploit that drops a nasty program which gives attackers control over the victim's PC.
Circuit City spokesman Bill Cimino said the company learned of the breach today and has removed the attack code that plants the malicious program and updated its site software to the latest, patched version. Cimino said Circuit City also planned to notify the forum's registered users of the potential threat. Cimino said the problem was confined to its forum.circuitcity.com Web site, and that at no time was the company's main CircuitCity.com page affected.
The forum was hacked some time on May 13, and chances are quite a few people have been potentially exposed to this threat. According to Web traffic-monitoring company Alexa, CircuitCity.com is among the Web's 500 most-visited sites.
Cimino said the company is still trying to determine how many people visited the forum since May 13, but he noted that only about 200 registered users did so during that time. The user forum is hosted by a separate company on a different Web server than CircuitCity.com, but it is reachable from the company's home page.
Up until this afternoon, a vulnerable IE browser visiting the support forum would have silently contacted a .biz Web site -- hosted in Russia -- which tries to install a program that opens a "back door" on the victim's computer. The attackers could then have used the "back door" to come back whenever they wanted to install programs, delete files, change system settings etc.
The threat in this case was a thing called "Galapoper," which according to anti-virus firm Panda Software "sends spam messages with highly variable characteristics, which it composes with the information it obtains from several servers. It can be instructed to modify those e-mail messages every 10 minutes, or whenever an amount of 70,000 e-mail messages sent is reached."
I should also note that the site used in this exploit sits on the same block of Internet addresses as a Web server in Russia that -- according to Web site monitoring company Netcraft -- belongs to the same group of servers I wrote about in an investigative story earlier this year as being connected to disturbing new advancements in keystroke-logging programs.
[SAFETY ALERT: Unless you are a computer security expert and preferably not using Microsoft Windows, please do not attempt to visit any of the sites mentioned in this paragraph.] Among the other domains on this same Russian Internet address space are dozens of porn sites featuring content that borders on child pornography, with sites like "lolita-links," "little-boyz.com," "littlelust.com," "tinyorgy.com" and "pay-sites.lolita-preteen-bbs.com".
The Russian company hosting the .biz site that the Circuit City support forum virus contacted also hosts a number of sites used to download bogus anti-spyware applications. These programs are proliferated by browser exploits that install themselves and then scare victims with false reports about spyware infections, all to trick the user into paying for anti-spyware software that usually doesn't even work.
This group of Web servers also is home to many of the sites that were taking advantage of the flaw even before Microsoft issued its patch. Allow me to take you back: This security update was the very first that Microsoft shipped in 2006. Hundreds of malicious Web sites had been exploiting the flaw in the final weeks of 2005 and early 2006 to install password-stealing Trojan horse programs on IE users' computers. Hundreds more innocent Web sites were hacked and seeded with the exploit code, including at least two I found in my own reporting. At least two independent security experts developed and made public their own security patches to fix the problem before Microsoft issued an official update.
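The forum compromise described above, and the hacked sites "seeded with the exploit code," share one pattern: a page the operator did not change starts carrying a reference to a loader on a third-party host, often in an invisible frame. The following script is an added example, not part of the original post or anything Circuit City or Invision ran; it is the kind of offline integrity check a forum operator could run over the HTML their server actually serves. The allowed-host list, the `attacker.invalid` host (a reserved TLD standing in for the unnamed .biz site) and the sample page are all constructed for illustration.

```python
"""
Added example (not from the original article): flag remote references in
served HTML that point off-site, and iframes styled to be invisible, since
that is how an injected drive-by loader typically shows up in page source.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical first-party hosts the forum legitimately loads content from.
ALLOWED_HOSTS = {"forum.circuitcity.com", "www.circuitcity.com"}

# Tags and the attribute on each that can pull in remote, executable content.
LOADER_ATTRS = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}


class InjectedContentFinder(HTMLParser):
    """Collects off-site loader references and hidden iframes as findings."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []  # list of (tag, reason, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # html.parser lowercases tag and attribute names
        attr = LOADER_ATTRS.get(tag)
        if attr is None:
            return
        url = attrs.get(attr)
        if not url:
            return
        host = urlparse(url).hostname
        # Relative URLs have no host and are served first-party.
        if host and host.lower() not in self.allowed_hosts:
            self.findings.append((tag, "off-site reference", url))
        if tag == "iframe" and self._is_hidden(attrs):
            self.findings.append((tag, "hidden iframe", url))

    @staticmethod
    def _is_hidden(attrs):
        """Zero-sized or CSS-hidden frames are a classic drive-by tell."""
        style = (attrs.get("style") or "").replace(" ", "").lower()
        zero_sized = attrs.get("width") == "0" or attrs.get("height") == "0"
        return zero_sized or "display:none" in style or "visibility:hidden" in style


def find_injected_content(html, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of (tag, reason, url) findings for the given page source."""
    parser = InjectedContentFinder(allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one legitimate first-party script plus one
# injected, invisible iframe that pulls a loader from an off-site host.
SAMPLE_PAGE = """
<html><head>
<script src="http://forum.circuitcity.com/js/forum.js"></script>
</head><body>
<h1>Support Forum</h1>
<iframe src="http://attacker.invalid/load.htm" width="0" height="0"></iframe>
<img src="/images/logo.gif">
</body></html>
"""

if __name__ == "__main__":
    for tag, reason, url in find_injected_content(SAMPLE_PAGE):
        print(f"{reason}: <{tag}> -> {url}")
```

Run against the sample, the check reports the iframe twice: once because its host is not on the first-party list and once because it is zero-sized. In practice the operator would feed it the HTML fetched from the live server (not the files on disk, since the injection may live in a database-backed template) and compare the host set against a known-good baseline taken before the site was exposed.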