A third party took over the web address used by recovery software on Dell PCs for a month last summer after a contractor apparently failed to update it. Dell used the web address to help customers restore their data. The firm's backup and recovery application is installed by default on many of its PCs, allowing users to restore their computers to factory settings.
Brian Krebs, a security expert and author, reported the issue, saying that the site may have been hijacked "from early June to early July 2017."
A software backup and imaging company called SoftThinks, one of Dell's partners, previously had control of this address, but it was taken over by another party at some point between June and July this year.
The domain, DellBackupandRecoveryCloudStorage.com, was checked regularly by software installed as standard on many Dell PCs, so whoever snapped it up could have used it to spread malware to unsuspecting Dell customers.
DellBackupandRecoveryCloudStorage.com was the property of Dmitrii Vassilev of "TeamInternet.com," a company listed in Germany that specializes in selling what appears to be typosquatting traffic. Team Internet also appears to be tied to a domain monetization business called ParkingCrew.
Krebs said in his blog: “Approximately two weeks after Dell’s contractor lost control over the domain, the server it was hosted on started showing up in malware alerts.”
In a recent statement, Dell admitted to losing control of the domain name but said the problem had been "addressed." The company said no malware was transferred.
Dell said to the BBC: “We do not believe that the Dell Backup and Recovery calls to the URL during the period in question resulted in the transfer of information to or from the site, including the transfer of malware to any user device.”
A spokeswoman for Dell said that, on 9 July, the developer of the program bought the domain back from the third party that snapped it up – but she would not confirm how much this cost.