Spotify in malvertising scare

News by Dan Raywood

Streaming music application Spotify was hit by malicious advertising content last week.

It was reported that at the end of last week, the free version of Spotify served malicious adverts that redirected users to websites hosting the Blackhole exploit kit, which infected them with a fake anti-virus application named ‘Windows Recovery’.

Analysis by Websense found that once the advert was displayed and the user was taken through to the domain, the exploit kit attempted to exploit several vulnerabilities to infect the user.

Patrick Runald, senior manager of security research at Websense Security Labs, said: “Malvertising is nothing new, but this case is slightly different. Usually malicious ads are displayed as part of a website and viewed with the browser. In this case the malicious ad is actually displayed inside the Spotify application itself.

“This means that it's enough that the ad is just displayed to you in Spotify to get infected, you don't even have to click on the ad itself. So if you had Spotify open and running in the background listening to your favourite tunes, you could still get infected.”

Kurt Baumgartner, senior security researcher at Kaspersky Lab, pointed out that it was the third-party banner adverts rotating through the client's advert frames that were compromised, and that most of the redirections it had been monitoring had sent users to a variety of servers in the .cc top-level domain.

He said: “We have been working with providers to ensure the adverts are not on their networks, but the groups have been active in rotating malvertising banners through multiple networks. The hits on these ads for the most part, have redirected browsers to Java, Adobe and Microsoft HCP related exploits.

“The Blackhole exploit kit may not have the largest install base online but its hosters are abusing some of the bigger advertising networks to coordinate redirection to their exploit pages on these .cc servers. Accordingly, detections for their Java, PDF and hcp exploits are very high.”
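The chain Baumgartner describes (ad network banner, automatic redirect to a .cc landing page, then Java or PDF exploit content fetched from that page) is something a proxy log can reveal. The script below is an added example, not code from this article, Websense or Kaspersky: it runs a simple chain heuristic over constructed proxy log lines. The log format, the field order and the rule that ad-serving hosts start with "ad." or "ads." are assumptions chosen for the illustration.

```python
"""Flag ad-network -> .cc landing page -> Java/PDF delivery chains in a proxy log.

Added illustration, not code from the article or the vendors quoted in it.
The log layout and the ad-host naming rule are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log (not real traffic).
# Fields: client method url referer status content-type  ('-' = no referer)
# Client 10.0.0.5 is the malvertising case: the ad server itself answers with a
# 302, so no click is needed to reach the .cc landing page.
# Client 10.0.0.9 fetches a PDF from a .cc host too, but arrives from an
# ordinary site, so it must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 GET http://ads.example-network.net/banner/rotate?id=41 - 302 text/html
10.0.0.5 GET http://xkqj.example.cc/index.php?tp=a1 http://ads.example-network.net/banner/rotate?id=41 200 text/html
10.0.0.5 GET http://xkqj.example.cc/games/app.jar http://xkqj.example.cc/index.php?tp=a1 200 application/java-archive
10.0.0.5 GET http://xkqj.example.cc/pdf.php?f=1 http://xkqj.example.cc/index.php?tp=a1 200 application/pdf
10.0.0.7 GET http://ads.example-network.net/banner/rotate?id=42 - 200 image/gif
10.0.0.7 GET http://www.example.com/news/ - 200 text/html
10.0.0.9 GET http://partner.example.cc/whitepaper.pdf http://www.example.com/docs/ 200 application/pdf
"""

# Assumption: ad-serving hosts have a label "ad" or "ads" at the front of the
# hostname. A real deployment would use the organisation's own ad-network list.
AD_HOST_RE = re.compile(r"^ads?\.", re.IGNORECASE)

# Payload kinds the researchers quoted above saw served from the .cc pages.
PAYLOAD_TYPES = {"application/java-archive": "java", "application/pdf": "pdf"}
PAYLOAD_EXTENSIONS = {".jar": "java", ".pdf": "pdf"}


def parse_line(line):
    """Split one log line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    client, method, url, referer, status, ctype = parts
    has_ref = referer != "-"
    return {
        "client": client,
        "method": method,
        "url": url,
        "host": (urlsplit(url).hostname or "").lower(),
        "referer": referer if has_ref else None,
        "ref_host": (urlsplit(referer).hostname or "").lower() if has_ref else "",
        "status": int(status),
        "ctype": ctype.lower(),
    }


def is_ad_host(host):
    return bool(AD_HOST_RE.search(host))


def is_cc_host(host):
    return host.endswith(".cc")


def payload_kind(rec):
    """Return 'java' / 'pdf' if the response looks like exploit payload content."""
    kind = PAYLOAD_TYPES.get(rec["ctype"])
    if kind:
        return kind
    path = urlsplit(rec["url"]).path.lower()
    for ext, ext_kind in PAYLOAD_EXTENSIONS.items():
        if path.endswith(ext):
            return ext_kind
    return None


def find_malvertising_chains(log_text):
    """One finding per client that reached a .cc host via an ad referer and
    then pulled Java or PDF content from that same host."""
    landing = defaultdict(set)  # client -> .cc hosts reached from an ad host
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_cc_host(rec["host"]) and is_ad_host(rec["ref_host"]):
            landing[rec["client"]].add(rec["host"])
            continue
        kind = payload_kind(rec)
        if kind and rec["host"] in landing[rec["client"]]:
            f = findings.setdefault(
                rec["client"],
                {"client": rec["client"], "landing_host": rec["host"], "payloads": []},
            )
            f["payloads"].append(kind)
    return list(findings.values())


if __name__ == "__main__":
    for finding in find_malvertising_chains(SAMPLE_LOG):
        print(finding)
```

On the sample above only 10.0.0.5 is reported, with both a Java archive and a PDF fetched from the .cc landing page; the .cc PDF fetched by 10.0.0.9 is left alone because nothing ties it to an ad network. The referer-based landing check is the part that matters: .cc hosts and PDF downloads are each common enough on their own that flagging either alone would drown an analyst in noise.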

Eddy Willems, security evangelist at G Data, said: “Users who do not use a security solution that checks the safety of websites before loading them in the browser are at risk of infection. While Spotify moved quickly to resolve the issue, users need to protect themselves first and foremost.

“Users need to understand that even visiting a popular website can leave your PC vulnerable to infection. One of the main causes of the increase of this method of spreading malware is the lack of focus from webmasters to keep their websites safe. It is important for webmasters to use safe tools and strong passwords for their websites and to regularly check the safety of their websites in order to ensure safe surfing.”

Timo Hirvonen, anti-malware analyst at F-Secure, said that if the Spotify advert exploit really was Java-based, he wondered if Flash/Shockwave/QuickTime/PDF could be exploited through Spotify adverts too.

Spotify later confirmed that it had removed all third-party adverts from its free version while it investigated, but these have now been turned back on. In a statement, Spotify said that it ‘sincerely apologised to any users affected’ and would continue working hard to ensure this does not happen again. It also pointed out that users with anti-virus software would have been protected.
