One of my cousins reached out to me because she was seeing weird errors and antivirus warning messages when trying to browse DirecTV’s main website (simply directv.com). Initially we were thinking it was some malware attached to her browser, perhaps trying to redirect her pages and searches to some spam website. However, upon further inspection, the problem lies on the website itself: And it’s been this way for months!

The warnings messages from the antivirus software always mentioned a connection to netcheckcdn[.]xyz, so looking at the source code of the front page, we can see a whole list of pre-connect domains:

Pre-Connect Code

Normally this would tell the browser to make an initial TCP/TLS connection to that netcheckcdn[.]xyz site, in preparation for loading actual content at a later time. It would also need the crossorigin option as well, since it is not on the same domain as the main site. However, on my testing with Chrome, the web browser makes a connection anyways (at the domain’s current IP, 185.53.178.6, shown below:)

Netcheck-Wireshark

What’s also interesting is the site at netcheckcdn[.]xyz has an expired certificate, and it is currently a parked domain that is available to buy:

Preconnect-Code

Checking GoDaddy and other sources, it is actually listed for sale! Unfortunately, the price is around $4000, which is too much for me to pick up on a whim.

Although some might say the risk here is small, it is still possible for a malicious actor to buy this domain, build up their own web server, and start receiving TCP connections from anyone who is visiting DirecTV.com. Checking sources like the Wayback Machine, we can see that this code and the parked domain have been this way for months! Perhaps only recently was this domain added as malicious/riskware to popular antivirus engines.