Content, Breach, Malware

Did Dell Backup, Recovery Website Spread Malware?

A Dell website designed to aid customers to recover from a malware attack or technical problem may itself have been temporarily commandeered a few months ago by allegedly known malware spammers, according to a KrebsOnSecurity report.

Prior to this year, the PC-maker installed by default a backup and recovery application on its machines to help customers restore their systems to factory defaults should something go awry. The app interfaced with a domain called In early June, Dell contractor SoftThinks, which registered and controlled the domain since 2013, apparently neglected to renew it and Dmitrii Vassilev of, a German company, took it over from June to July, security specialist Brian Krebs wrote in a blog post.

According to Krebs, TeamInternet is said to be a typosquatting trafficker, a moniker for organizations that redirect users to a URL different from their intended one if they accidentally hit a wrong input key. That URL redirect may contain unsavory content, he said. TeamInternet also may be linked to a domain monetization business called ParkingCrew.

“If were to fall into the wrong hands it could be used to foist malicious software on Dell users seeking solace and refuge from just such nonsense!” Krebs said.

Some two weeks after SoftThinks inadvertently relinquished the domain, the hosting server began showing up in malware alerts, he wrote. But there’s no proof that any malware sprung from TeamInternet -- and if it did, it could have come from elsewhere, such as someone who bought or leased the domain. For its part, Dell is denying that the wayward URL transferred malware to any of its customers.

“A domain as part of the cloud backup feature for the Dell Backup and Recovery (DBAR) application,, expired on June 1, 2017 and was subsequently purchased by a third party,” a Dell spokesperson told Krebs.

“The domain reference in the DBAR application was not updated, so DBAR continued to reach out to the domain after it expired. Dell was alerted of this error and it was addressed. Dell discontinued the Dell Backup and Recovery application in 2016...We do not believe that the Dell Backup and Recovery calls to the URL during the period in question resulted in the transfer of information to or from the site, including the transfer of malware to any user device," the spokesperson said.

The Internet address assigned to the domain in June is an Amazon server “used to propagate or distribute spam,” according to AlienVault‘s Open Threat Exchange, Krebs reported.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.