Security Awareness Training Blog

    Phishing Emails are Targeting Spotify Users

    spotify_Logo

    A phishing campaign is attempting to steal login credentials from Spotify users, according to researchers at AppRiver. The emails ask users to click a hyperlink to confirm their accounts, in order to “remove any restrictions” on their Spotify accounts. That link took victims to a site that appeared identical to the legitimate Spotify login page and prompted victims to enter their credentials.

    Attackers often target popular services like Spotify to harvest login credentials for use in further attacks. Since many people reuse the same password across multiple services, a decent number of these stolen credentials can be used to log into more sensitive services, such as banking sites. Even if the credentials aren’t reused, passwords give attackers valuable information that may allow them to guess similar passwords.

    “Knowing just one password for a victim opens the door to a multitude of attack vectors,” AppRiver cybersecurity analyst David Pickett told Threatpost. “Knowing how someone creates a password offers a personal glimpse into their password creation mindset and probability of overall attack success. This also gives an opportunity for social engineering using the same information which is important to the victim.”

    Pickett adds that, in this case, the attackers can also use victims’ Spotify playlists to generate potential passwords with password-cracking software, based on the artists or songs that a victim enjoyed. “This is using many unique password possibilities associated to the target from this gathered information specific to their life,” he says.

    There were several clues in these phishing emails that could have tipped off attentive observers. Two typos and a very dubious “From” address stand out immediately. Additionally, the URL that the hyperlink pointed to was clearly not the official Spotify website, which can be discovered by hovering over the link before clicking. Despite these mistakes, however, the emails are very persuasive.

    It’s also worth noting that many phishing emails have no typos, and the “From” address can be spoofed relatively easily to show a legitimate domain. People need additional knowledge to avoid falling victim to phishing attacks. new-school, security awareness training can give your employees an in-depth understanding of the techniques used by attackers to take advantage of unsuspecting victims.

    Threatpost has the story: https://threatpost.com/spotify-phishers-hijack-music-fans-accounts/139329/

    Find out how affordable new-school security awareness training is for your organization. Get a quote now.

     
    Get A Quote
    Request A Demo
     

     

    Return To KnowBe4 Security Blog

    Topics: Phishing, Security Awareness Training

    Stu Sjouwerman

    ABOUT STU SJOUWERMAN

    Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, Inc., which hosts the world’s most popular integrated security awareness training and simulated phishing platform, with over 54,000 organization customers and more than 50 million users. A serial entrepreneur and data security expert with 30 years in the IT industry, Stu was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010.

    Read more from Stu »

    Subscribe To Our Blog


    Security Awareness Training
    Blog RSS Feed
    Comprehensive Anti-Phishing Guide
    All Posts

    Posts by Tag

    See all

    Posts By Topic

    View All

    Get the latest about social engineering

    Subscribe to CyberheistNews