Feeds

Spotify apologises for tainted ad kerfuffle

Can't stop the music

Top 5 reasons to deploy VMware with Tegile

Spotify has promised to review its security following an attack that exposed users of the free version of its music streaming service to malware on Thursday.

Tainted ads displayed to music fans served up content from sites that used the Blackhole Exploit Kit in an attempt to infect users with the Windows Recovery fake anti-virus (scareware) application. Windows users did not even need to click on an ad to risk getting hit, as an advisory by web security firm Websense explains.

Once the ad is displayed, the application runs the ad code (as if it were run in a browser), and the computer then connects to a site where the exploit kit tries several vulnerabilities – including a vulnerability in Adobe Reader/Acrobat – in an attempt to infect the user with various strains of malware. Most of the malware could be detected by widely used consumer anti-virus scanners such as Avast and AVG.

Spotify responded to the attack by temporarily disabling third-party ads on Friday while it isolated the problem. The service was restored to normal over the weekend.

In a statement, Spotify apologised for the snafu, which it explained was restricted to users of the unpaid version of its music streaming service in Europe. Users of the paid version of the software were never at risk.

A number of our Spotify Free/Open users in the UK, Sweden, France and Spain running Windows were targeted by a virus contained in an advert which began running yesterday evening.

We quickly removed all third party display ads in order to protect users and ensure Spotify was safe to use. We then isolated and removed the malicious ad. Users with anti-virus software will have been protected.

We sincerely apologise to any users affected. We'll continue working hard to ensure this does not happen again and that our users enjoy Spotify securely and in confidence.

Security problems arising from tainted advertisements have hit multiple sites from time to time over several years. Previous victims have included Vue Cinemas, celeb gossip website Popbitch, travel site Expedia, Major League Baseball and many others.

The slight difference this time around was that the malvertisement was served up embedded within the Spotify application itself, explained Patrick Runald of Websense Security Labs. "Malvertising is nothing new, but this case is slightly different. Usually, malicious ads are displayed as part of a website and viewed with the browser. In this case the malicious ad is actually displayed inside the Spotify application itself.

"This means that it's enough that the ad is just displayed to you in Spotify to get infected: you don't even have to click on the ad itself. So if you had Spotify open but running in the background, listening to your favourite tunes, you could still get infected," he added. ®

Internet Security Threat Report 2014

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Home Depot ignored staff warnings of security fail laundry list
'Just use cash', former security staffer warns friends
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.