Popular music streaming site Spotify has been spotted serving the same fake antivirus software campaign that compromised large numbers of UK servers in February, security companies have reported.

According to Websense, from 11.30am GMT on 24 March, an unknown number of users of the ‘Free’ version of Spotify’s Windows desktop app were served one of a range of possible remote software exploits through a rogue advert running inside the application itself.

On unpatched systems where this behaviour was not detected by antivirus software, a bogus security application called ‘Windows Recovery’ would then have run. As with all apps of this kind, Windows Recovery eventually pretends it has found a number of errors on targeted Windows PCs that must be fixed by taking out a license. This license is as useless as the software itself.

Disturbingly, the ad does not require any user interaction to test the exploits against the system, and runs itself simply because the Spotify application has been loaded. The only Spotify users definitely not affected are paid subscribers, whose clients do not display in-app advertising, and those users who did not encounter the ad as the ads cycled. Mobile clients would not be affected. Spotify later turned off ads while it searched for the root of the problem; as of 28 March, they have yet to be turned back on for all users.

According to Avast, 59 percent of those encountering the ad were in Sweden, 40 percent in the UK, and 1 percent in other countries.

The malware engine serving the exploits is believed to be based on the Russian Blackhole Exploit Kit, a recent and little-known program that is proving suddenly very popular with criminals pushing rogue antivirus.

Last week, security company AVG said it had detected a large campaign built using this kit and directed against UK Internet users specifically.