Report: Dell domain takeover could have spread malware

Dell computer users could have possibly been exposed to malware last summer after visiting a third-party customer support website, whose domain was suddenly taken over by an unaffiliated company.

According to a KrebsonSecurity blog post, the website, DellBackupandRecoveryCloudStorage.com, was originally registered and controlled by SoftThinks, an Austin, Tex.-based software backup and imaging solutions provider contracted by Dell. This domain was regularly checked by Dell Backup and Recovery, an application (discontinued in 2016) that helps users restore their data and computers to the factory default state in the event of a technical problem.

But in June 2017, the third-party provider neglected to renew the domain, opening the door for another company to pounce on it. Roughly two weeks after that change in ownership, the server the domain was hosted on began appearing in official malware alerts, security expert and blog author Brian Krebs reports, citing a security executive from real-estate investment trust Equity Residential, whose computers were unable to reach out to the domain because it was flagged by security tools.


Dell customers remained exposed to the appropriated domain for about a month, Krebs reports. But Dell is denying that the domain takeover harmed customers during this time period. "A domain as part of the cloud backup feature for the Dell Backup and Recovery (DBAR) application, www.dellbackupandrecoverycloudstorage.com, expired on June 1, 2017 and was subsequently purchased..." said Ellen Murphy, a global commercial client solutions PR consultant for Dell, in a statement provided to SC Media. "The domain reference in the DBAR application was not updated, so DBAR continued to reach out to the domain after it expired. Dell was alerted of this error and it was addressed."
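The failure described here is a client application that keeps calling a hard-coded domain after the registration lapses and the registrant changes. One defensive control is to keep an inventory of every domain a shipped product depends on and to audit each one for approaching expiry or an unexpected registrant. The script below is an added example written for this article, not code from Dell, SoftThinks or KrebsonSecurity; it parses constructed WHOIS-style records (hypothetical domain names and registrant values, not real registry data) and flags the conditions a product-security team would want to alert on.

```python
from datetime import datetime, timezone

# Constructed WHOIS-style records (hypothetical values, not real registry
# data) for domains that a client application contacts at runtime. In a
# real deployment these would be fetched from the registry on a schedule.
SAMPLE_WHOIS = {
    "backup-cloud.example": (
        "Domain Name: BACKUP-CLOUD.EXAMPLE\n"
        "Registrant Organization: Typosquat Traffic GmbH\n"  # constructed
        "Registry Expiry Date: 2017-06-01T00:00:00Z\n"
    ),
    "updates.example": (
        "Domain Name: UPDATES.EXAMPLE\n"
        "Registrant Organization: Example Vendor LLC\n"
        "Registry Expiry Date: 2018-01-15T00:00:00Z\n"
    ),
    "telemetry.example": (
        "Domain Name: TELEMETRY.EXAMPLE\n"
        "Registrant Organization: Example Vendor LLC\n"
        "Registry Expiry Date: 2017-07-10T00:00:00Z\n"
    ),
}

# The registrant the product owner expects to control each dependency domain.
EXPECTED_REGISTRANTS = {
    "backup-cloud.example": "Example Vendor LLC",
    "updates.example": "Example Vendor LLC",
    "telemetry.example": "Example Vendor LLC",
}

# Fixed audit time so the example is reproducible (constructed).
AUDIT_TIME = datetime(2017, 6, 20, tzinfo=timezone.utc)


def parse_whois(text):
    """Turn 'Key: value' lines into a dict keyed by lower-cased field name."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip().lower()] = value.strip()
    return fields


def check_dependency_domain(domain, whois_text, expected_registrant,
                            now, warn_days=30):
    """Return a list of issue tags for one domain; an empty list means OK.

    Flags: 'expired', 'expiring-in-<N>d', 'registrant-changed',
    'no-expiry-date'. Expired and changed-registrant together is the
    takeover pattern described in the article.
    """
    fields = parse_whois(whois_text)
    issues = []

    expiry_raw = fields.get("registry expiry date")
    if expiry_raw is None:
        return ["no-expiry-date"]
    expiry = datetime.strptime(expiry_raw, "%Y-%m-%dT%H:%M:%SZ")
    expiry = expiry.replace(tzinfo=timezone.utc)

    days_left = (expiry - now).days
    if days_left < 0:
        issues.append("expired")
    elif days_left <= warn_days:
        issues.append(f"expiring-in-{days_left}d")

    # A registrant that no longer matches the expected owner means the
    # domain (and every client still calling it) may be under someone
    # else's control.
    if fields.get("registrant organization") != expected_registrant:
        issues.append("registrant-changed")
    return issues


def audit(now=AUDIT_TIME, warn_days=30):
    """Audit every inventoried domain; returns {domain: [issues]}."""
    return {
        domain: check_dependency_domain(domain, SAMPLE_WHOIS[domain],
                                        EXPECTED_REGISTRANTS[domain],
                                        now, warn_days)
        for domain in SAMPLE_WHOIS
    }


if __name__ == "__main__":
    for domain, issues in audit().items():
        print(f"{domain}: {', '.join(issues) if issues else 'ok'}")
```

Run as a scheduled job, the `expiring-in-<N>d` tag gives the renewal owner lead time, while `expired` or `registrant-changed` should page the product-security team, since any client still hard-coding that domain now trusts whoever acquired it.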

"We do not believe that the Dell Backup and Recovery calls to the URL during the period in question resulted in the transfer of information to or from the site, including the transfer of malware to any user device," the statement concluded.

However, Krebs contradicts this assertion, stating that customers actually may have been served objectionable content including malware, noting that the German company that took over the domain "specializes in selling what appears to be typosquatting traffic."

It's possible that the company itself didn't abuse the domain name, Krebs noted, but it may have "resold it or leased it to someone who did."

Krebs also notes that AlienVault's Open Threat Exchange says the Internet address assigned to DellBackupandRecoveryCloudStorage.com in late June is an Amazon server that remains “actively malicious” and is linked to spam operations.