Typosquatting Firm Used Hijacked Dell Domain to Push Malware


According to security journalist Brian Krebs, a hijacked domain name used by Dell's backup and recovery software may have been pushing malware before control of the domain was regained.

The domain name ‘Dellbackupandrecoverycloudstorage.com’ was controlled by SoftThinks, a firm contracted by Dell. The problems began when the company failed to renew the domain, which was then held by an outside party for about a month.

The Dell Backup and Recovery software ships preinstalled on Dell PCs, lets users back up and restore their data, and periodically contacts the domain to check for updates. After the contractor failed to renew the registration, the domain was taken over by an outside party at some point this summer, in June or July, according to Krebs. He also reported that during the time the domain was outside SoftThinks' and Dell's control it had been actively pushing malware.
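The failure mode here is an update-check endpoint whose registration quietly lapses, so that whoever registers the name next gets a steady stream of clients asking it for code. The script below is an added example, not code from Dell, SoftThinks or Krebs: it audits a list of phone-home domains against RDAP registration records and flags any that have already expired, are in a registry drop state, or come due within a renewal window. The RDAP records embedded in the script are constructed for the example (the domain names, dates and statuses are hypothetical); a real audit would fetch each record from an RDAP server such as https://rdap.org/domain/<name> instead of reading embedded JSON.

```python
"""Audit the registration state of domains that installed software phones home to.

Added example, not code from Dell, SoftThinks or the article. RDAP domain
records carry an "events" list with an "expiration" entry and a "status" list
of EPP-derived values such as "pending delete"; each domain is classified
from those two fields. All records below are constructed for the example.
"""
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Registry states meaning the name is about to drop and become registrable
# by anyone, whatever the expiration date says.
LAPSING_STATUSES = {"redemption period", "pending delete"}

# Fixed clock so the constructed records classify deterministically.
AUDIT_NOW = datetime(2015, 6, 15, tzinfo=timezone.utc)

# Constructed RDAP-style records keyed by hypothetical domain names.
SAMPLE_RDAP: Dict[str, str] = {
    # Expired two weeks ago: anyone can register it now (the scenario in the article).
    "backup-updates.example.com": json.dumps({
        "ldhName": "backup-updates.example.com",
        "status": ["client transfer prohibited"],
        "events": [
            {"eventAction": "registration", "eventDate": "2013-06-01T00:00:00Z"},
            {"eventAction": "expiration", "eventDate": "2015-06-01T00:00:00Z"},
        ],
    }),
    # Comes due in 35 days: inside the 60-day renewal window.
    "recovery.example.net": json.dumps({
        "ldhName": "recovery.example.net",
        "status": ["active"],
        "events": [{"eventAction": "expiration", "eventDate": "2015-07-20T00:00:00Z"}],
    }),
    # Healthy: well over a year left.
    "cdn.example.org": json.dumps({
        "ldhName": "cdn.example.org",
        "status": ["active"],
        "events": [{"eventAction": "expiration", "eventDate": "2017-01-10T00:00:00Z"}],
    }),
    # Past expiry and already in the registry's pending-delete state.
    "legacy.example.com": json.dumps({
        "ldhName": "legacy.example.com",
        "status": ["pending delete"],
        "events": [{"eventAction": "expiration", "eventDate": "2015-04-10T00:00:00Z"}],
    }),
    # Registry returned no expiration event: needs manual review.
    "telemetry.example.net": json.dumps({
        "ldhName": "telemetry.example.net",
        "status": ["active"],
        "events": [],
    }),
}


def parse_expiration(rdap_json: str) -> Optional[datetime]:
    """Return the timezone-aware expiration date from an RDAP record, if present."""
    record = json.loads(rdap_json)
    for event in record.get("events", []):
        if event.get("eventAction") == "expiration":
            # RDAP dates are RFC 3339; older fromisoformat needs +00:00 rather than Z.
            return datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
    return None


def parse_statuses(rdap_json: str) -> List[str]:
    """Return the lower-cased RDAP status values of a record."""
    return [s.lower() for s in json.loads(rdap_json).get("status", [])]


def classify(rdap_json: str, now: datetime,
             renew_window: timedelta = timedelta(days=60)) -> str:
    """Classify one domain as LAPSING, EXPIRED, RENEW_SOON, OK or UNKNOWN."""
    if LAPSING_STATUSES & set(parse_statuses(rdap_json)):
        return "LAPSING"
    expires = parse_expiration(rdap_json)
    if expires is None:
        return "UNKNOWN"
    if expires <= now:
        return "EXPIRED"
    if expires - now <= renew_window:
        return "RENEW_SOON"
    return "OK"


def audit(records: Dict[str, str], now: datetime) -> Dict[str, str]:
    """Classify every phone-home domain; anything other than OK needs action."""
    return {domain: classify(rdap_json, now) for domain, rdap_json in records.items()}


def demo_audit() -> Dict[str, str]:
    """Run the audit over the constructed records at the fixed clock."""
    return audit(SAMPLE_RDAP, AUDIT_NOW)


if __name__ == "__main__":
    for domain, verdict in demo_audit().items():
        print(f"{verdict:<10} {domain}")
```

The renewal window is deliberately generous: a registrar's auto-renew is only as good as the card on file, and the article's incident shows a name can be gone for weeks before anyone notices the update checks failing. Treat EXPIRED and LAPSING as incidents, since every client that still contacts the name is now talking to whoever registers it next.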

The party that took control of the Dell Backup and Recovery domain was Team Internet (Teaminternet.com), a German company specializing in "typosquatting traffic" services. Typosquatting registers domains that are misspellings or lapsed variants of legitimate names and monetizes the visitors who land on them; according to Krebs, that traffic can be redirected to malicious sites.

Krebs wrote: “Approximately two weeks after Dell’s contractor lost control over the domain, it started showing up in malware alerts.” He remains cautious, however, about whether Team Internet itself was responsible for the malware alerts or another company to which Team Internet sold or leased the domain name.

Several companies whose computers could no longer reach the domain notified Dell about the issue. One of them was Equity Residential, whose assistant vice president of IT infrastructure and security, Celedonio Albarran, said their computers were blocked from reaching the domain because it had been flagged as insecure for pushing malware.

According to Albarran, Dell responded quickly to the reports from companies unable to reach the domain and confirmed it had fixed the issue, but offered no further explanation.

It remains unclear whether any users were infected or exposed to malware during the period the domain was out of Dell's hands. AlienVault’s Open Threat Exchange stated in a short report that the domain resolved to an Amazon-hosted server listed as “actively malicious and used to propagate spam.”

The report also reads, “While not necessarily a direct security threat, spamming activity could include malicious payloads, restrict the effectiveness of defense control, and impact service and network operations.”

The domain expired on June 1, before it was picked up by the German firm, according to Dell spokesperson Ellen Murphy. She concluded: “We do not believe that the Dell Backup and Recovery calls to the URL during the period in question resulted in the transfer of information to or from the site, including the transfer of malware to any user device.”