
Cyber Incident Victim: Dell Inc.

Date: Jun 2017

Location: United States of America

Summary

A critical customer support domain used by Dell's pre-installed backup and recovery application was temporarily hijacked after a contractor failed to renew its registration, potentially exposing systems to malicious activity. The domain, essential for restoring factory settings on affected devices, redirected to servers flagged for distributing ransomware and spam during the lapse in control. Security tools detected connections from Dell devices to the hijacked domain's infrastructure, though no confirmed malware infections resulted from the incident. The company regained control after being alerted, acknowledging the oversight while noting that the associated application had already been discontinued. Concurrently, unrelated tech support scams leveraging Dell service tags raised additional concerns about customer data security.

Description

In mid-2017, Dell lost control of the critical domain DellBackupandRecoveryCloudStorage.com for approximately one month due to a lapse in domain renewal by its contractor SoftThinks, an Austin-based backup solutions provider. The domain, originally registered by SoftThinks in 2013 and central to Dell's Backup and Recovery Application, expired on June 1, 2017, and was acquired by Dmitrii Vassilev of TeamInternet.com, a German firm specializing in domain monetization and typosquatting traffic. This application came pre-installed on all Dell systems to enable factory resets and data backups, meaning the domain was routinely accessed by millions of Dell devices. From early June to early July 2017, the hijacked domain resolved to IP address 54.72.9.51, an Amazon server later flagged by security firms as malicious. On June 28, 2017, Equity Residential's security systems detected attempted connections to this domain from Dell devices on its network, triggering alerts from Rapid7 and Carbon Black tools that identified the IP as associated with malware distribution. Abuse.ch's Ransomware Tracker specifically linked the address to ransomware activity, though no malware installations were confirmed on Equity Residential's devices.

Dell acknowledged the issue after being notified by Equity Residential in late June 2017, confirming the domain expiration and subsequent third-party acquisition. The company stated it had addressed the error by updating the domain reference in its Backup and Recovery Application, which it had already discontinued in 2016. Dell did not disclose whether any customers were compromised during the domain hijacking period or provide details on how the lapse occurred. The incident coincided with ongoing complaints from Dell customers about tech support scams where fraudsters used authentic Dell service tags to impersonate support personnel, though Dell maintained public silence on potential breaches related to these scams. Security researchers noted parallels with similar domain-related incidents at credit bureaus Equifax and TransUnion, where expired marketing domains had redirected users to malicious content. AlienVault's Open Threat Exchange continued listing the hijacked domain's IP as "actively malicious" for spamming months after Dell regained control.
