Dell includes its own “Backup and Recovery Application” on almost all of its computers. This program periodically checks in with the domain “DellBackupandRecoveryCloudStorage.com” to check for updates and verify its own status.
Over the summer, someone at Dell forgot to renew the domain. It was promptly snatched up by a typosquatter who appears to have used the site to distribute malware. Krebs on Security reports that two weeks after it was acquired by “TeamInternet.com,” the domain began to be flagged by malware warning sites as a potential risk.
Dell regained control of the domain around a month after its ownership expired. The company said the incident posed no risk to customers and shouldn’t have affected the operation of its backup software. The Backup and Recovery Application shouldn’t have attempted to download anything from the site, so Dell PC owners won’t have directly installed the malware it briefly hosted.
“We do not believe that the Dell Backup and Recover calls to the URL during the period in question resulted in the transfer of information to or from the site, including the transfer of malware to any user device,” Dell said to The Register.
What Dell hasn’t explained is how it lost control of the domain in the first place. The site is said to be administered by a third-party subcontractor. However, registrars usually send multiple reminders before a domain name lease expires, and it’s rare for major companies to forget to renew their subscriptions.
Dell’s also not elaborating on its questionable domain choice. Although not intended to be visited directly, “DellBackupandRecoveryCloudStorage.com” isn’t the most memorable or convincing name. Security experts warned it’s “kind of asking for trouble” by appearing to play into the hands of scammers and cybercriminals.
Dell could be better served by moving the site to a subdomain of dell.com, especially as the risks of using dedicated, overly long domains were made all too apparent in the wake of Equifax’s giant data breach. The company’s decision to register the independent site “equifaxsecurity2017.com” was slammed by the security community.
The choice of domain allowed typosquatters to register credible lookalikes such as “equifax-security2017.com,” forming the basis of multiple phishing campaigns. Equifax is still using the dedicated domain despite facing repeated calls to move the site to a subdomain of “equifax.com.”