Spotify’s playlists and podcast pages are being abused by spammers to link to pirate websites offering games, ebooks, and other downloads. Here’s a closer look at this growing exploitation.
Spotify’s webpage at ‘open.spotify.com’ is essentially the web version of Spotify and, as such, is highly indexable by search engines like Google. That open door is now becoming a seriously exploited vulnerability.
According to details now emerging, spammers are injecting keywords into playlist and podcast titles to advertise pirated games, books, and movies for download. Google then indexes these Spotify pages and delivers them as top results when anyone searches those specific keywords.
BleepingComputer reports that playlists with the title ‘Sony Vegas Pro 13 Crack’ appeared on the platform before Spotify removed them.
“Cybercriminals exploit Spotify for malware distribution,” Karol Paciorek, a cybersecurity enthusiast, told BleepingComputer. “Why? Spotify has a strong reputation and its pages are easily indexed by search engines, making it an effective platform to promote malicious links.”
When the playlist was brought to Spotify’s attention, it was quickly removed. But numerous playlists with words like ‘free download’ and ‘download epub’ still exist and are being spammed across Spotify to promote links to these pirate websites.
Digital Music News was able to find entire podcasts that were only six seconds long, but with titles like ‘epub download The Moonlight Blade by Tessa Barbosa’ and another that offers a link to Jennette McCurdy’s critically acclaimed memoir, ‘I’m Glad My Mom Died.’
“Spotify’s platform rules prohibit posting, sharing, or providing instructions on implementing malware or related malicious practices that seek to harm or gain unauthorized access to computers, networks, systems, or other technologies,” a Spotify spokesperson told Digital Music News. While it may be against Spotify’s terms of service, these spammers are nevertheless engaging in a concerted effort to spread links to pirate websites.
BleepingComputer noticed that many of the spam podcasts uploaded to Spotify appear to be distributed by a third party, Firstory Hosting. Firstory launched in 2019 as an online distributor that lets podcasters publish their work to several different platforms. Firstory confirmed to BleepingComputer that combating spam distribution is an “ongoing challenge” for the distributor.
“Anyone can use our platform to publish podcasts on Spotify. However, we do have certain filters in place to prevent accounts using specific fraudulent domains or email addresses containing variations. These spam accounts not only violate the rights of the creators we value most, but they also drive up our operational costs,” a Firstory representative says. “We’ve dedicated considerable resources to addressing this issue.”
Firstory says it scans podcast titles and show notes for specific keywords like ‘epub,’ ‘PDF,’ and ‘download’ to prevent the distribution of spammy content. Yet Digital Music News was able to find several instances of podcasts hosted on Spotify offering free downloads of ebooks and other content. Simply searching the phrase ‘epub’ on Spotify’s podcast page turns up hundreds of spam results on the first page. So Spotify not only has a problem with spammers uploading ‘fake music tracks’; its podcast interface is also under attack.
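The keyword screening described above flags a single word, which is why a legitimate episode that mentions ‘PDF’ looks the same to it as a six-second upload whose only content is a download link. The following is an added example, not Firstory’s or Spotify’s code, of combining the article’s three observable signals (title or show-note keywords, an outbound link, and a very short duration) so that no single one of them decides alone. The sample episodes are constructed from the titles quoted in the article, the URLs are placeholders, and the 30-second duration threshold is an assumption.

```python
import re

# Constructed sample episode metadata, modelled on the titles the article quotes.
# The example.invalid URLs are placeholders, not real links.
SAMPLE_EPISODES = [
    {"title": "epub download The Moonlight Blade by Tessa Barbosa",
     "notes": "Read it now: https://example.invalid/moonlight-blade", "seconds": 6},
    {"title": "Sony Vegas Pro 13 Crack",
     "notes": "free download below https://example.invalid/vegas13", "seconds": 6},
    {"title": "Mastering Basics with a Sound Engineer",
     "notes": "We also cover the PDF liner notes for the new album.", "seconds": 2700},
]

# Keywords the article says Firstory screens for, plus 'crack' from the cited playlist title.
SPAM_KEYWORDS = {"epub", "pdf", "download", "crack"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
SHORT_EPISODE_SECONDS = 30  # assumed threshold; the article's spam episodes ran six seconds


def normalize(text):
    """Lowercase and replace punctuation with spaces so 'Download,' and 'PDF!' match cleanly."""
    return re.sub(r"[^a-z0-9 ]+", " ", text.lower())


def keyword_hits(text):
    """Return the sorted spam keywords that appear as whole words in `text`."""
    return sorted(set(normalize(text).split()) & SPAM_KEYWORDS)


def score_episode(ep):
    """Return (score, reasons): one point per independent signal present."""
    reasons = []
    title_hits, notes_hits = keyword_hits(ep["title"]), keyword_hits(ep["notes"])
    if title_hits:
        reasons.append(f"title keywords: {title_hits}")
    elif notes_hits:
        reasons.append(f"notes keywords: {notes_hits}")
    if URL_RE.search(ep["notes"]):
        reasons.append("outbound link in show notes")
    if ep["seconds"] < SHORT_EPISODE_SECONDS:
        reasons.append(f"very short episode ({ep['seconds']}s)")
    return len(reasons), reasons


def flag_spam(episodes, threshold=2):
    """Flag episodes showing at least `threshold` signals; a lone keyword is not enough."""
    return [ep["title"] for ep in episodes if score_episode(ep)[0] >= threshold]
```

With the constructed data, both six-second episodes are flagged on three signals each, while the long interview that merely mentions ‘PDF’ scores one and passes.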