
Photo Credit: Karthikeya GS
Hackers are using Spotify free trial offers to disguise malware-ridden links. Here’s how to spot them.
Digital attackers often conceal their malicious activity under a veil of legitimacy. ESET reports that the Microsoft Store and Spotify free trial offers are just two of the latest vectors for this attack. Attackers use malicious advertisements for the Microsoft Store and Spotify to direct interested consumers to scam websites.
These scam websites resemble Spotify’s free trial page or the Microsoft Store.
Security researchers describe one ad promoting a chess app. When clicked, the ad sends users to a fake Microsoft Store page to download the chess app. Clicking the ‘Download Free’ button instead downloads a malware file disguised as the Chess game. Other malicious ads detected include a landing page offering a free Spotify Music and YouTube Premium bundle for 90 days.
Spotify has never partnered with YouTube to offer a bundle on its music streaming service. But Spotify’s deals with hardware manufacturers like Samsung and Google muddy the waters. Anyone who isn’t paying attention could easily be fooled by what seems like an enticing promotion.
The website instructs users to click on the ‘Download Free App’ button. It downloads a 1 MB file containing malware. No music streaming service has an app that small; the real Spotify app is around 150 MB on both mobile and desktop. Both of these malicious apps downloaded Ficker onto the victim’s device. Ficker can steal a user’s passwords, take screenshots of the user’s screen, and steal important documents.
How to Protect Yourself From Fake Spotify Trial Offers
You can protect yourself from this type of malware by being very careful about the things you click online. Online advertisements are often a vector of infection because consumers are clicking out of interest.
Who wouldn’t want Spotify + YouTube Premium free for 90 days? But let’s think about that. Would Spotify partner with YouTube to offer Premium? They’re direct competitors, and all of Spotify’s partnerships have been with non-direct competitors so far. Even if you happen to click the scam link without realizing it, you can still spot it. Here’s how.
Take a look at the address bar in the screenshot above. Notice how it is not located at ‘spotify.com’? That’s a prime giveaway that the link you’ve clicked is some type of malware scam. Type in ‘spotify.com’ yourself to go to the actual website to verify any offer you may want.
Never actually click on any link in an email until you hover your cursor over the link and see that the underlying address will take you to a legitimate site. If you go to a bogus site, you don’t have to click on a download to get malware. It could be downloaded to your computer automatically as soon as you arrive at the landing page.
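The two checks above (is the address bar really on ‘spotify.com’, and does the address a link shows you match where it actually goes) can be automated. The following is an added example, not code from ESET or from this article; the allowlist of trusted domains and the sample links are constructed for illustration, and the two-label domain rule is only correct for plain .com-style names.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist: domains the article says to reach by typing them yourself.
TRUSTED_DOMAINS = {"spotify.com", "microsoft.com"}


def registered_domain(url: str) -> Optional[str]:
    """Return the registrable domain (e.g. 'spotify.com') of an http(s) URL.

    Takes the last two host labels, which is right for the .com names above;
    suffixes such as co.uk would need a public-suffix list (out of scope here).
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    if parts.scheme not in ("http", "https"):
        return None
    # .hostname drops userinfo, so 'https://spotify.com@evil.example' yields
    # 'evil.example', not 'spotify.com'. It also drops the port and lowercases.
    host = parts.hostname
    if not host:
        return None
    host = host.rstrip(".").lower()  # 'spotify.com.' is the same host as 'spotify.com'
    labels = host.split(".")
    if len(labels) < 2 or any(not label for label in labels):
        return None
    # An IP literal such as 203.0.113.5 yields '113.5', which is never trusted.
    # A homoglyph name (Cyrillic letters) never equals the ASCII allowlist entry.
    return ".".join(labels[-2:])


def is_trusted_link(url: str) -> bool:
    """True only when the real destination is on an allowlisted domain."""
    return registered_domain(url) in TRUSTED_DOMAINS


def classify_link(visible_text: str, href: str) -> str:
    """Apply both checks from the article to a link in an ad or email."""
    if not is_trusted_link(href):
        return "suspicious: destination is not a trusted domain"
    # If the visible text looks like an address, it must name the same domain.
    shown_url = visible_text if "://" in visible_text else "https://" + visible_text
    shown = registered_domain(shown_url)
    if shown and shown != registered_domain(href):
        return "suspicious: displayed address differs from destination"
    return "ok"
```

Note that a subdomain such as ‘spotify.com.free-trial.example’ is classified by its last two labels, so it is correctly rejected even though it begins with the real name.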