Spotify Music Service Hit by Malware-Tainted Advertisements

The free, ad-supported version of Spotify, a digital music service, was hit by malvertisements served up through its third-party ad network, which infected users with malicious PDFs and Trojans.

Malvertisements reared their ugly heads again, this time for a free ad-supported digital-music service.

Spotify, a Luxembourg-based digital-music service, was hit by malware distributed through a third-party ad network, according to a March 25 report from Netcraft, an Internet services company based in Bath, England. Malicious advertisements being displayed on the free version of Spotify, which is ad-supported, were dropping Trojans and other types of malware onto users' computers, Netcraft said.

Users started reporting the malware a day earlier, including Sean Collins, who wrote on Twitter, "Why has my virus scanner blocked an exploit threat from @spotify? Naughty Spotify, what are you trying to do?"

Customer complaints began on March 24 and were still ongoing the morning of March 24. Spotify notified users via Twitter it had disabled the ads as it tried to identify the malvertisement.

"We've turned off all third party display ads that could have caused it until we find the exact one," Spotify posted on Twitter.

As of late March 24, Spotify was still investigating and had not yet identified the offending ad.

It is unclear whether there were multiple advertisements or if it kept evolving. At least one version of the attack on the music-streaming software used a Java exploit to drop malicious executable code on the victim's computer, Netcraft said. According to Adam Hiscocks, a penetration tester who was affected, the malware was downloaded in the background without any user interaction with the ad.

Java exploits are used very frequently in malvertising attacks, according to Dasient's CTO Neil Daswani.

Spotify customers on Twitter helped by posting the types of malware their antivirus scanners blocked, although many of them were unable to provide the exact ad link because the software had crashed shortly after the malicious ad was displayed. There were reports of fake antivirus and fake Windows Recovery tools.

Avast's free software identified a malicious PDF file, and AVG's antivirus software identified two different types of malware thus far, including a Trojan horse, Generic_r.FZ, and a Blackhole Exploit Kit. All three were hosted on the domain. A WHOIS query indicates that domain no longer exists.

Daswani noted that this kind of incident illustrates how ad networks need to screen ads for malware or lose money. "Their customers will turn their ads off when there are malware problems," Daswani told eWEEK. "By employing anti-malvertising defenses, both Spotify and their ad network can benefit, a win-win situation," he said.

Dasient's latest Malware Update report found that the number of malvertisements jumped sharply in the fourth quarter of 2010, with more than 3 million impressions served per day.

Visitors to the London Stock Exchange's Website were hit by a similar attack in February when a third-party ad network served up malicious ads. Like the ads on Spotify, the London Stock Exchange ads automatically downloaded malware in the background, without requiring any kind of user interaction.

Spotify said in a statement that Windows users running a free version of the service in the United Kingdom, Sweden, France and Spain were affected by the malvertisements.