Over the past few months, Tech Support scammers have been using the Spotify forums to inject their phone numbers into the first page of the Google & Bing search results. They do this by submitting a constant stream of spam posts to the Spotify forums, whose pages tend to rank well in Google.
While this behavior causes the Spotify forums to become harder to use for those who have valid questions, the bigger problem is that it allows tech support scammers to rank extremely well and trick unknowing callers into purchasing unnecessary services and software.
BleepingComputer was alerted to this problem by security researcher Cody Johnston, who started to see an alarming number of tech support scam phone numbers being listed in Google search results through indexed Spotify forum posts. The tech support scams being posted to Spotify impersonate brands including Tinder, Linksys, AOL, Turbotax, Coinbase, Amazon, Apple, Microsoft, Norton, McAfee and more.
On September 25th, Cody reached out to Spotify’s Twitter account, but never heard back.
Tech Support Scammers are using Spotify accounts to get their scams close to the top of Google search results.
— Cody Johnston (@AdwareHunter) September 25, 2017
It wasn’t until December 1st, after another tweet to Spotify, that he received a response with a link to a Spotify forum post that acknowledges the problem Spotify is having and that they are trying to fix it.
While it is good that Spotify recognizes that there is a problem, it still has not been resolved over a month later: support scammers are still rampant on the Spotify forums, with multiple spam posts appearing every minute.
Why is this such a problem on the Spotify Forums?
After examining the Spotify forums, I noticed two problems with their current configuration that allow spammers to take advantage of their forums.
First, they utilize Google’s reCAPTCHA service, which is a great first step, but it has already been shown to be bypassable by automated tools that solve image and audio challenges. As the Spotify forums rely heavily on reCAPTCHA as their main point of defense, we already have a problem.
The biggest issue, though, is that they do not require email verification before allowing a user to post. This means that a spammer can use automated tools to generate accounts using fake email addresses and still be able to post in the forums. I tested this by creating an account on the Spotify forums and was able to post a new topic before verifying my email address.
From my experiences running a busy forum for 13 years, email verification is one of the most important steps to prevent forum spam. As Lithium, the provider used to power Spotify’s forums, has the setting to require email verification before a user can post, it is unknown why Spotify does not appear to have it enabled.
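To show what the missing control looks like in practice, here is an added example (not Spotify's or Lithium's code; all names are hypothetical) of a minimal forum posting gate that refuses every post until the account's email address has been verified with a single-use token, and then applies a per-account rate limit as a second layer against the "multiple posts per minute" pattern described above.

```python
import secrets
import hmac
from dataclasses import dataclass, field

# Added example, not Spotify's or Lithium's code: a posting gate that
# requires e-mail verification first and rate limits verified accounts.
# All names are hypothetical.

@dataclass
class Account:
    email: str
    verified: bool = False
    # Token that would be sent to the address at registration time.
    pending_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    post_times: list = field(default_factory=list)

def register(email: str) -> Account:
    """Create an unverified account; the token is e-mailed, never shown on the site."""
    return Account(email=email)

def verify_email(acct: Account, token: str) -> bool:
    """Mark the account verified only if the presented token matches (single use)."""
    if acct.verified or not hmac.compare_digest(token, acct.pending_token):
        return False
    acct.verified = True
    acct.pending_token = ""
    return True

def can_post(acct: Account, now: float, max_per_min: int = 2):
    """Return (allowed, reason). Unverified accounts are never allowed to post."""
    if not acct.verified:
        return False, "email not verified"
    # Keep only posts from the last 60 seconds for the rate-limit window.
    acct.post_times = [t for t in acct.post_times if now - t < 60]
    if len(acct.post_times) >= max_per_min:
        return False, "rate limited"
    return True, "ok"

def post(acct: Account, now: float):
    """Gate a post attempt and record it only if it went through."""
    allowed, reason = can_post(acct, now)
    if allowed:
        acct.post_times.append(now)
    return allowed, reason
```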
BleepingComputer has reached out to Spotify with questions related to this story and has not heard back at the time of publication.