Spotify Serves Malicious Ads

The Spotify music service has been hit by malvertisements served up through its third-party ad network

Malvertisements reared their ugly heads again, this time for a free ad-supported digital-music service.

Spotify, a Luxembourg-based digital-music service, was hit by malware distributed through a third-party ad network, according to a 25 March report from Netcraft, an Internet services company based in Bath, England. Malicious advertisements being displayed on the free version of Spotify, which is ad-supported, were dropping Trojans and other types of malware onto users’ computers, Netcraft said.

Customer complaints

Users started reporting the malware a day earlier, including Sean Collins, who wrote on Twitter, “Why has my virus scanner blocked an exploit threat from @spotify? Naughty Spotify, what are you trying to do?”

Customer complaints began on 24 March and were still ongoing the morning of 25 March. Spotify notified users via Twitter it had disabled the ads as it tried to identify the malvertisement.

“We’ve turned off all third party display ads that could have caused it until we find the exact one,” Spotify posted on Twitter.

As of late on 24 March, Spotify was still investigating the incident and had not yet identified the offending ad.

It is unclear whether there were multiple malicious advertisements or whether a single ad kept evolving. At least one version of the attack on the music-streaming software used a Java exploit to drop malicious executable code on the victim’s computer, Netcraft said. According to Adam Hiscocks, a penetration tester who was affected, the malware was downloaded in the background without any user interaction with the ad.

Java exploits are used very frequently in malvertising attacks, according to Dasient’s CTO Neil Daswani.

Spotify customers on Twitter were helpful by posting the types of malware their antivirus scanners blocked, although many of them were unable to provide the exact ad link because the software had crashed shortly after the malicious ad was displayed. There were reports of fake antivirus and fake Windows Recovery tools.

Avast’s free software identified a malicious PDF file, and AVG’s antivirus software identified two different types of malware thus far: a Trojan horse detected as Generic_r.FZ and the Blackhole Exploit Kit. All three were hosted on the uev1.co.cc domain. A WHOIS query indicates that the domain no longer exists.

Daswani noted this kind of incident illustrates how ad networks need to screen ads for malware or lose money. “Their customers will turn their ads off when there are malware problems,” Daswani told eWEEK. “By employing anti-malvertising defenses, both Spotify and their ad network can benefit – a win-win situation,” he said.

Rise in malvertisements

Dasient’s latest Malware Update report found that the number of malvertisements jumped sharply in the fourth quarter of 2010, with more than 3 million impressions served per day.

Visitors to the London Stock Exchange’s website were hit by a similar attack in February when a third-party ad network served up malicious ads. Like the ads on Spotify, the London Stock Exchange ads automatically downloaded malware in the background, without requiring any kind of user interaction.

Spotify said in a statement that Windows users running a free version of the service in the United Kingdom, Sweden, France and Spain were affected by the malvertisements.