
Spotify has muted a malvertising attack that targeted some users of its ad-supported music streaming service Spotify Free.

On 4 October, a user submitted a forum post explaining that something strange was going on with Spotify Free:

“If you have Spotify Free open, it will launch – and keep on launching – the default internet browser on the computer to different kinds of malware / virus sites. Some of them do not even require user action to be able to cause harm.”

More users then took to social media, where they vented how they were witnessing similar behavior across Windows, Mac, and Linux machines.

It didn’t take long for Spotify to hear about those complaints and issue a formal response:

“We’ve identified an issue where a small number of users were experiencing a problem with questionable website pop-ups in their default browsers as a result of an isolated issue with an ad on our Free tier. We have now identified the source of the problem and have shut it down. We will continue to monitor the situation. If you see this issue again, please let us know the exact date and time in this thread.”

In essence, a bad actor launched a malvertising attack against Spotify Free. They did so by submitting an infected ad to the music-streaming service that, while the app was open, continuously caused web browsers to open malicious domains.

Those types of campaigns, which sometimes affect hundreds of websites at a time, more often than not redirect to landing pages for exploit kits. Those malicious software packages look for unpatched vulnerabilities. If they find any, they install ransomware and other baddies onto a victim’s computer.
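As an added defender-side example that is not part of the original article: a small Python check over constructed process-creation telemetry that flags any parent process spawning the default browser toward several distinct domains within a short window, which is the behaviour the forum post describes. The log format, the process names (including the assumption that the client runs as `spotify.exe`) and the domains are all constructed for illustration.

```python
"""Flag a process that repeatedly launches a browser toward distinct domains."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}

# Constructed sample telemetry (not from the article), one process-creation
# event per line: timestamp, parent image, child image, child command line.
# One parent opens the browser four times toward four domains inside a minute;
# the other browser launches are ordinary user activity.
SAMPLE_EVENTS = """\
2016-10-04T09:00:01\tspotify.exe\tchrome.exe\tchrome.exe http://ads.example-one.test/landing
2016-10-04T09:00:12\tspotify.exe\tchrome.exe\tchrome.exe http://example-two.test/offer
2016-10-04T09:00:25\texplorer.exe\tchrome.exe\tchrome.exe https://www.example.org/
2016-10-04T09:00:40\tspotify.exe\tchrome.exe\tchrome.exe http://example-three.test/
2016-10-04T09:00:55\tspotify.exe\tchrome.exe\tchrome.exe http://example-four.test/x
2016-10-04T09:20:00\tword.exe\tchrome.exe\tchrome.exe https://docs.example.org/help
"""


def parse_events(text):
    """Parse tab-separated events into (timestamp, parent, child, domain) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, parent, child, cmd = line.split("\t", 3)
        url = next((tok for tok in cmd.split() if tok.startswith(("http://", "https://"))), None)
        domain = urlparse(url).hostname if url else None
        events.append((datetime.fromisoformat(ts), parent.lower(), child.lower(), domain))
    return events


def find_suspicious_parents(events, window=timedelta(minutes=5), min_distinct=3):
    """Return {parent: sorted distinct domains} for every parent that launches a
    browser toward at least `min_distinct` different domains within any `window`."""
    by_parent = defaultdict(list)
    for ts, parent, child, domain in events:
        if child in BROWSERS and domain:
            by_parent[parent].append((ts, domain))
    flagged = {}
    for parent, launches in by_parent.items():
        launches.sort()  # sliding window over launches ordered by time
        for i, (start, _) in enumerate(launches):
            domains = {d for ts, d in launches[i:] if ts - start <= window}
            if len(domains) >= min_distinct:
                flagged[parent] = sorted(domains)
                break
    return flagged
```

Thresholds are deliberately loose here; in a real deployment the window and domain count would be tuned against a baseline of which applications normally open the browser.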

Computer criminals are constantly looking to abuse ad networks to conduct malvertising attacks. Acknowledging that threat, users should make sure they patch their systems regularly and stay on top of all security fixes. They should also maintain an up-to-date anti-virus solution and consider installing an ad-blocker on their computers.

Hacking Point of Sale
  • People need to learn to stay away from ad-driven applications just because they are free. This is not the first nor last app that has or will do this. Think about all of the popups and ads that link back to some backend data mining system that captures and stores payment information directly from the mobile phone. It’s so easy to inject instructions into an ad to steal data, and it happens every second of the day. Bottom line: it is not safe to use “free” apps that house ads.