http://blog.washingtonpost.com/securityfix/
The customer support Web site for Richmond-based Circuit City, a leading supplier of computers and other consumer electronics, was for several weeks serving up an invasive computer virus to any visitor who browsed the site with an unpatched version of Microsoft's Internet Explorer Web browser.
It appears that unknown hackers broke into the retailer's support forum via a recently patched security flaw in Invision Power Forum, the software the company uses to run the site. Anyone who visited the forum in IE without the protection afforded by a security patch Microsoft released in January most likely got whacked with an exploit that drops a nasty program which gives attackers control over the victim's PC.
Circuit City spokesman Bill Cimino said the company learned of the breach today and has removed the attack code that plants the malicious program and updated its site software to the latest, patched version. Cimino said Circuit City also planned to notify the forum's registered users of the potential threat. Cimino said the problem was confined to its forum.circuitcity.com Web site, and that at no time was the company's main CircuitCity.com page affected.
The forum was hacked some time on May 13, and chances are quite a few people have been potentially exposed to this threat. According to Web traffic-monitoring company Alexa, CircuitCity.com is among the Web's 500 most-visited sites.