The free, ad-supported version of Spotify, a digital music service, was hit by malvertisements served up through its third-party ad network, which infected users with malicious PDFs and Trojans.
Malvertisements reared their
ugly heads again, this time for a free ad-supported digital-music service.
Spotify, a Luxembourg-based
digital-music service, was hit by malware distributed through a third-party ad
network, according to a March 25 report from Netcraft
an Internet services company based in Bath, England. Malicious advertisements being
displayed on the free version of Spotify, which is ad-supported, were dropping
Trojans and other types of malware onto users' computers, Netcraft said.
Users started reporting the
malware a day earlier, including Sean
, who wrote on Twitter, "Why has my virus scanner blocked an exploit
threat from @spotify? Naughty Spotify, what are you trying to do?"
Customer complaints began on
March 24 and were still ongoing the morning of March 24. Spotify notified users
via Twitter it had disabled the ads as it tried to identify the malvertisement.
"We've turned off all third
party display ads that could have caused it until we find the exact one," Spotify
posted on TwitterSpotify posted on Twitter.
As of late March 24, Spotify
was still investigating and looking.
It is unclear whether there
were multiple advertisements or if it kept evolving. At least one version of
the attack on the music-streaming software used a Java exploit to drop
malicious executable code on the victim's computer, Netcraft said. According to
Adam Hiscocks, a penetration tester who was affected, the malware was
downloaded in the background without any user interaction with the ad.
Java exploits are used very
frequently in malvertising attacks, according to Dasient's CTO Neil Daswani.
Spotify customers on Twitter
were helpful by posting the types of malware their antivirus scanners blocked,
although many of them were unable to provide the exact ad link because the
software had crashed shortly after the malicious ad was displayed. There were
reports of fake antivirus and fake Windows Recovery tools.
Avast's free software
identified a malicious PDF file and AVG's antivirus software identified two
different types of malware thus far, including a Trojan horse Generic_r.FZ. and
a Blackhole Exploit Kit. All three were hosted on the uev1.co.cc domain. A
WHOIS query indicates that domain no longer exists.
Daswani noted this kind of
incident illustrates how ad networks need to screen ads for malware or lose
money. "Their customers will turn their ads off when there are malware
problems," Daswani told eWEEK. "By employing anti-malvertising defenses,
both Spotify and their ad network can benefit-a win-win situation," he said.
Dasient's latest Malware
Update report found that the number of malvertisements jumped sharply in the
fourth quarter of 2010, with more than 3 million impressions served per day.
Visitors to the London
Website were hit by a similar attack in February when a
third-party ad network served up malicious ads. Like the ads on Spotify, the
London Stock Exchange ads automatically downloaded malware in the background,
without requiring any kind of user interaction.
Spotify said in a statement
that Windows users running a free version of the service in the United Kingdom,
Sweden, France and Spain were affected by the malvertisements.