A web address used by Dell for backup and recovery services was hijacked for a month over the summer after the PC giant failed to renew it. The DellBackupandRecoveryCloudStorage.com domain name was previously controlled by SoftThinks, a US-based tech firm contracted by Dell.
Dell's Backup and Recovery Application software, which was discontinued last year, is installed as a default program on nearly all its computers and allows users to restore their data and computers back to factory settings in the event of any technical issues. The software periodically checks the domain for updates.
However, the URL was briefly taken over by another third party at some point between June and July after SoftThinks failed to renew it, security expert Brian Krebs first reported. Krebs added that the "lost" domain may have been pushing malware before SoftThinks managed to regain control over the URL.
Between early June and early July this year, the domain was taken over by Dmitrii Vassilev of "TeamInternet.com," a firm listed in Germany that specializes in selling "typosquatting traffic". Krebs said Team Internet also seems to be linked to domain monetization company ParkingCrew.
"If you're not sure what typosquatting is, think of what sometimes happens when you're typing out a URL in the browser's address field and you fat-finger a single character and suddenly get redirected to the kind of content that makes you look around quickly to see if anyone saw you looking at it," Krebs explains in a blog post.
"It could be that Team Internet did nothing untoward with the domain name, and that it just resold it or leased it to someone who did. But approximately two weeks after Dell's contractor lost control over the domain, the server it was hosted on started showing up in malware alerts."
Celedonio Albarran, assistant vice president of IT infrastructure and security at real estate firm Equity Residential, said computers were unable to reach the domain because it had been flagged by security companies for pushing malicious software. The company notified Dell about the issue, and Dell then confirmed that the issue had been addressed.
"A few weeks after that they confirmed they fixed the issue," Albarran told Krebs. "They just acknowledged the issue and said it was fixed, but they didn't offer any comment besides that."
According to AlienVault's Open Threat Exchange, the internet address that was assigned to the domain in June is an Amazon server that is still listed as "actively malicious" and is "being used to propagate or distribute spam." It is unclear if any users were exposed to malware during that time frame.
"While not necessarily a direct security threat, spamming activity could impact service and network operations, could include malicious payloads, and impede the effectiveness of perimeter defense controls," the report notes.
Dell spokesperson Ellen Murphy confirmed in a statement that the domain expired on 1 June before it was picked up by the third party.
"The domain reference in the DBAR application was not updated, so DBAR continued to reach out to the domain after it expired. Dell was alerted of this error and it was addressed. Dell discontinued the Dell Backup and Recovery application in 2016," Murphy said.
"We do not believe that the Dell Backup and Recovery calls to the URL during the period in question resulted in the transfer of information to or from the site, including the transfer of malware to any user device."
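Given the periodic update check described earlier and the 1 June expiry date Dell confirms, the practical question for an administrator is which machines kept resolving the lapsed domain and whether it started resolving to a new address. The following is an added illustration, not code from the article, Dell or SoftThinks: it scans constructed resolver log lines (a hypothetical format, with documentation-range IPs and an assumed year of 2017) for post-expiry lookups of the domain and reports the hosts involved.

```python
import re
from datetime import date

# Constructed sample resolver log lines (hypothetical format, not real telemetry).
# Format: <date> <time> <client-ip> query A <qname> answer <address>
SAMPLE_LOG = """\
2017-05-20 09:12:01 10.0.4.17 query A dellbackupandrecoverycloudstorage.com answer 203.0.113.10
2017-06-03 08:41:55 10.0.4.17 query A dellbackupandrecoverycloudstorage.com answer 198.51.100.77
2017-06-03 08:42:10 10.0.4.52 query A dellbackupandrecoverycloudstorage.com answer 198.51.100.77
2017-06-04 12:00:00 10.0.4.52 query A example.com answer 93.184.216.34
2017-06-10 17:30:22 10.0.4.99 query A dellbackupandrecoverycloudstorage.com answer 198.51.100.77
"""

WATCHED_DOMAIN = "dellbackupandrecoverycloudstorage.com"
# The article gives 1 June as the expiry date; the year is assumed (DBAR was discontinued in 2016, "last year").
EXPIRY = date(2017, 6, 1)

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ (?P<client>\S+) query A (?P<qname>\S+) answer (?P<answer>\S+)$"
)


def parse(line):
    """Parse one log line into (date, client_ip, qname, answer); None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = date.fromisoformat(m["date"])
    return d, m["client"], m["qname"].lower().rstrip("."), m["answer"]


def find_post_expiry_callers(log_text, domain=WATCHED_DOMAIN, expiry=EXPIRY):
    """Map each client that resolved the lapsed domain on or after expiry to the addresses it received."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        d, client, qname, answer = rec
        if qname == domain and d >= expiry:
            hits.setdefault(client, set()).add(answer)
    return hits


def answer_changed(log_text, domain=WATCHED_DOMAIN, expiry=EXPIRY):
    """True if the domain resolved only to addresses after expiry that it never resolved to before."""
    before, after = set(), set()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec[2] == domain:
            (after if rec[0] >= expiry else before).add(rec[3])
    return bool(before) and bool(after) and not (before & after)
```

Hosts reported by `find_post_expiry_callers` are the ones still running the discontinued DBAR check and are candidates for removing the software or blocking the domain at the resolver.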
IBTimes UK has reached out to Dell for comment.