Another Phishing Campaign Successfully Hijacks Spotify Subscriber Accounts

In this day and age, it appears many people – including Spotify subscribers – still fall victim to phishing attacks.

On Spotify’s support site, the streaming music giant has several tips to keep users safe from suspicious e-mails.

First, the company will never ask for your personal information.  This includes your payment info – credit card, debit card, etc. – your account password, or your social security number.

Second, the company won’t ask you to pay through a 3rd party like Western Union.  Nor will you receive a cash prize just for subscribing to the service.

Third, the company won’t ask you to download anything directly from the e-mail.

Unfortunately, that hasn’t stopped many users from falling prey to ingenious hackers.

Now, an independent research firm has confirmed a new attempt to steal users’ accounts.

Going phishing.

Researchers at AppRiver have discovered a large-scale phishing scheme aimed at Spotify subscribers.

Here’s how the scheme works.

First, users will receive a rather authentic-looking e-mail ‘sent’ by the company.

In the e-mail, Spotify will allegedly ask users to confirm their account.  The streaming music giant has apparently locked down their accounts for ‘verification.’

  • Save

  • Save
Image by Threat News.

Then, once users click on the Confirm Account link, they’re taken to a website identical to  After entering their username and password, hackers now have full access to the account.

Hackers don’t just look for Spotify credentials.

Most people, unfortunately, use the same username and password across multiple websites.  Hackers aim to see if the information will work on banking websites.

David Pickett, a cybersecurity analyst at AppRiver, explains that “knowing just one password for a victim opens the door to a multitude of attack vectors.”

Knowing how someone creates a password offers a personal glimpse into their password creation mindset and probability of overall attack success.  This also gives an opportunity for social engineering using the same information which is important to the victim.

For example, explains Pickett, a term similar to Fluffy84 reveals two things.  First, the user loves their cat.  Second, they were probably born in 1984.

That birthday information could be verified by online people data searches (Pipl, Wink, PeekYou, etc.) and lead to finding out all their animal names and important dates in their life.  Social-media platforms make this reconnaissance extremely simple and valuable.

Unfortunately for Spotify subscribers, the attack won’t stop there.

Browsing through playlists and favorite songs, hackers can potentially discover what other passwords you may use.  They input this information into notorious password crackers.

Pickett continues,

This is using many unique password possibilities associated to the target from this gathered information specific to their life.  Their Spotify playlist might fit into the equation here if I found they enjoyed a particular [set of] artists or topics.  Password-cracking software such as John the Ripper and Cain and Abel are popular utilities for these attacks, but there are many others.

So, how can users remain protected?

First, the phishing e-mails will often include addresses other than

Second, the Confirm Address link will take users to a domain.

The attacker has set-up a well-disguised login page that looks identical to the actual Spotify login page.  However, they can’t hide the actual URL in the web address browser.

  • Save

  • Save
Image by Threat News.

Unfortunately, this may not stop all phishing attacks.

Pickett explains many hackers have dedicated “tremendous time and work” to honing their phishing skills.  Even ‘laughable,’ low-level hackers with “very little skill” will get lucky.  Thus, Spotify users likely won’t stop receiving phishing e-mails anytime soon.

[These attacks] still work against less-savvy users or they wouldn’t try them.


Featured image by Florida Fish and Wildlife (CC by 2.0).