A phishing campaign is attempting to steal login credentials from Spotify users, according to researchers at AppRiver. The emails ask users to click a hyperlink to confirm their accounts in order to “remove any restrictions” on their Spotify accounts. The link led to a site that appeared identical to the legitimate Spotify login page and prompted victims to enter their credentials.
Attackers often target popular services like Spotify to harvest login credentials for use in further attacks. Since many people reuse the same password across multiple services, a meaningful share of these stolen credentials can be used to log into more sensitive services, such as banking sites. Even when the credentials aren’t reused, a known password gives attackers valuable information that may allow them to guess a victim’s similar passwords.
“Knowing just one password for a victim opens the door to a multitude of attack vectors,” AppRiver cybersecurity analyst David Pickett told Threatpost. “Knowing how someone creates a password offers a personal glimpse into their password creation mindset and probability of overall attack success. This also gives an opportunity for social engineering using the same information which is important to the victim.”
Pickett adds that, in this case, the attackers can also use victims’ Spotify playlists to generate potential passwords with password-cracking software, based on the artists or songs that a victim enjoyed. “This is using many unique password possibilities associated to the target from this gathered information specific to their life,” he says.
There were several clues in these phishing emails that could have tipped off attentive observers. Two typos and a very dubious “From” address stand out immediately. Additionally, the URL the hyperlink pointed to was clearly not the official Spotify website, which can be seen by hovering over the link before clicking it. Despite these mistakes, however, the emails are very persuasive.
It’s also worth noting that many phishing emails have no typos, and the “From” address can be spoofed relatively easily to show a legitimate domain. People need additional knowledge to avoid falling victim to phishing attacks. New-school security awareness training can give your employees an in-depth understanding of the techniques attackers use to take advantage of unsuspecting victims.
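The two clues above (a sender domain that is not the brand’s, and a link whose real destination differs from what it claims) can be checked mechanically before anyone clicks. The following Python script is an added example written for this post, not code from AppRiver or Threatpost: it parses a message with the standard `email` library, compares the From and Reply-To domains against an allowlist (`LEGIT_DOMAINS`, an assumption for the example), and inspects every `<a>` in the HTML body for destinations outside that allowlist or display text that names one host while the `href` points to another. Both sample messages are constructed and only modelled on the campaign described above; the `registrable()` helper is a deliberate simplification that treats the last two labels as the registrable domain.

```python
"""Flag sender-domain and hyperlink mismatches in an e-mail (added example).

Constructed sample messages are modelled loosely on the Spotify campaign in the
text above; they are not the real phishing mail.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for the example: domains the brand legitimately sends from / links to.
LEGIT_DOMAINS = {"spotify.com"}

# Constructed phishing-style message: look-alike sender domain, mismatched Reply-To,
# and a link whose visible text claims spotify.com but whose href goes elsewhere.
SAMPLE_EMAIL = """\
From: "Spotify" <no-reply@spotify-account-verify.example>
Reply-To: support@mail-relay.example
To: fan@example.net
Subject: Confirm your account to remove restrictions
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="http://login-spotify.example/verify">confirm your account</a>
to remove any restrictions on your Spotify account.</p>
<p>Or visit <a href="http://login-spotify.example/verify">https://www.spotify.com/account</a></p>
</body></html>
"""

# Constructed benign message for comparison: everything stays on the brand's domain.
CLEAN_EMAIL = """\
From: "Spotify" <no-reply@spotify.com>
To: fan@example.net
Subject: Your monthly summary
Content-Type: text/html; charset="utf-8"

<html><body><p>See <a href="https://www.spotify.com/account">your account</a>.</p></body></html>
"""


def registrable(host):
    """Last two DNS labels, e.g. 'www.spotify.com' -> 'spotify.com'.
    Simplification (assumption): ignores multi-label public suffixes like co.uk."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_legit(host):
    return registrable(host) in LEGIT_DOMAINS


def host_in_text(text):
    """Hostname if the visible link text itself looks like a URL or bare domain, else None."""
    t = text.strip()
    if not t or " " in t or "." not in t:
        return None
    return urlparse(t if "://" in t else "http://" + t).hostname


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_domain = msg["From"].addresses[0].domain
    if not is_legit(from_domain):
        findings.append(f"sender domain is not in {sorted(LEGIT_DOMAINS)}: {from_domain}")

    reply_to = msg["Reply-To"]
    if reply_to and reply_to.addresses[0].domain.lower() != from_domain.lower():
        findings.append(f"Reply-To domain differs from From: {reply_to.addresses[0].domain}")

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            host = urlparse(href).hostname or ""
            if not is_legit(host):
                findings.append(f"link points outside allowlisted domains: {host}")
            shown = host_in_text(text)
            if shown and registrable(shown) != registrable(host):
                findings.append(f"link text shows {shown} but href goes to {host}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("-", finding)
```

Run against a real mailbox, the same checks belong in a mail-gateway rule or a user-facing warning banner rather than in training alone, since the “hover over the link” habit is exactly what `host_in_text()` automates. The allowlist approach also catches the spoofed-From case the text mentions only when combined with authentication results (SPF/DKIM/DMARC) at the gateway; this script only compares domains as written.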
Threatpost has the story: https://threatpost.com/spotify-phishers-hijack-music-fans-accounts/139329/