Crooks target Spotify and Apple Music to attack users


Both Spotify and Apple Music are so slick as platforms that you wouldn’t think a cyberattack on their users would even be possible. But it is.

Spotify and Apple Music are truly convenient music streaming platforms for millions of users. Most of them don’t even stop to think there might be a cybersecurity threat.

However, according to the Cofense Phishing Defense Center (PDC), cybercriminals are highly aware of these platforms and culturally relevant trends. They exploit users’ trust in the services to deceive them into compromising their accounts.


The Cofense PDC has proof. The team said it had detected a spoofed Spotify email claiming a payment failure and urging users to log in and quickly update their accounts to avoid unspecified consequences.

This is actually a double-barrel attack, the researchers said. First, attackers capture login credentials and then prompt users to update payment information.

The risk of giving away your credit card details is thus immense, and the damage would far exceed losing access to your Spotify account, probably only temporarily, the Cofense PDC explained in a blog post.


The email appeared to be legitimate at first glance – there was Spotify branding, and the URLs were functional and redirected the user to the Spotify web player. But the Cofense PDC soon found several red flags.

First, a header analysis showed that the email, written in Portuguese, had been spoofed by a malicious actor. Yes, the displayed “From” address appeared as “[email protected],” but a deeper dive into the email headers indicated otherwise.

The ‘Return-Path’ field, along with other header details, revealed that the email was sent from a different domain, “ns3130981.ip-51-75-52.eu” rather than an official Spotify domain.

The content of the email was also suspicious, the Cofense PDC said after conducting a URL analysis.


“Although the threat actor had inserted several legitimate Spotify URLs to obfuscate the malicious intent, we were able to open the HTML body and uncover a hidden, malicious URL embedded in the green ‘Update Data’ button,” said the researchers.

The URL (hXXp://40[.]82[.]178[.]115/player/pt-br/) was a clear indication of a phishing attempt.
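The two checks the researchers describe, a Return-Path domain that does not match the displayed From address and a hidden link behind a button pointing at a bare IP address, can be automated over a raw message. The script below is an added example, not Cofense's tooling; the sample mail is constructed, reusing the sender host quoted above and a documentation-range IP (192.0.2.10) as a stand-in for the phishing host.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the spoofed Spotify mail described in the
# article. The Return-Path host is the one the article quotes; the link host is
# an RFC 5737 documentation address standing in for the real phishing IP.
SAMPLE_EMAIL = """\
From: Spotify <no-reply@spotify.com>
Return-Path: <bounce@ns3130981.ip-51-75-52.eu>
Subject: Payment failure
Content-Type: text/html; charset=utf-8

<html><body>
<a href="https://open.spotify.com/">Open the web player</a>
<a href="http://192.0.2.10/player/pt-br/" class="btn">Update Data</a>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect every href in the HTML body, including ones hidden in buttons."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def registrable(host):
    """Crude last-two-label comparison; adequate for .com/.eu hosts here."""
    return ".".join(host.lower().split(".")[-2:])


def analyse(raw):
    """Return a list of red flags found in the message headers and HTML body."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    findings = []
    if rp_dom and registrable(rp_dom) != registrable(from_dom):
        findings.append(f"return-path domain {rp_dom} != from domain {from_dom}")
    parser = LinkExtractor()
    parser.feed(msg.get_payload(decode=True).decode("utf-8"))
    for href in parser.hrefs:
        host = urlparse(href).hostname or ""
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):  # bare IPv4 literal
            findings.append(f"link to bare IP address: {href}")
    return findings
```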

After clicking the link, victims were redirected to a Linktree page designed to funnel them to malicious sites. The page, mimicking Spotify's branding, falsely claimed to be an official invoicing page. Once users clicked the “Update Payment Method” button, they were directed to a malicious web page hosted on Azure App Service.

The page allowed users to enter their credentials or reset their usernames and passwords, which were then sent to a PHP C2 controlled by the threat actors.

[Image: bank-password-spotify. Courtesy of Cofense.]

Quite a few similar maneuvers followed, and they all culminated in a request for a user to enter their “password issued by the bank.” This, of course, would allow attackers to gain access to the user’s financial accounts.

“This multi-layered attack demonstrates the increasing sophistication of phishing schemes, where attackers use a combination of tactics to steal sensitive information and exploit it for financial gain,” said the Cofense PDC.