The relative lull in large malvertising attacks was unfortunately disrupted this week for both Spotify and Facebook.
Spotify is an online music service that allows users to listen to any music they want to over the internet for free. It is only available in a limited number of European countries, but still has a sizeable user base.
For those not familiar with Spotify: like many free services, it also offers a premium subscription. The free version is ad supported, while the paid version has no ads and allows use of the service offline, on mobile phones, etc.
According to an article by John Leyden in The Register, on March 24th some Twitter users began complaining about their anti-malware software alerting on Spotify.
It looks like Spotify has fallen victim to a favorite trick of malware purveyors: place an advertisement with a widely distributed ad network, then swap the ad's code for content that exploits flaws in the browser to install malware on users' computers.
Around the same time, Naked Security reader John sent us a tip that there were malicious ads circulating on Facebook.
When you click on the ad on Facebook, you are redirected to a page saying you need to install Adobe Flash Player. The malware is served up when you click and is called AdobeFlashPlayer.exe.
I reported the ad to Facebook and their team took care of the problem in very short order. Recently Facebook has been very responsive to our spam and virus reports and that is very welcome news.
The lesson here for most of us is that trusting a brand or site does not mean that you are safe on the web. While services like Spotify and Facebook are legitimate, trusted organizations, they must derive revenue from advertisers in order to remain free.
Ad-sponsored services are great, but they cannot absolutely control all content they serve up and this gives clever scammers a window of opportunity.
The best defense is to stay vigilant and use web filtering technology to be sure that all of the files being sent to your computer are safe.
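As an added example (not code from the original post, nor anything Sophos, Spotify or Facebook ship), the Python below sketches the kind of web-filtering check the post recommends. It inspects proxy log entries for two of the patterns described above: an executable that borrows a well-known installer's name (AdobeFlashPlayer.exe) but is not served from the vendor's own hosts, and an executable download whose referer is an ad-click redirect. The log format, the ad-network hosts and the trusted-host list are all assumptions constructed for this example.

```python
# Added example: a minimal web-filter style check over constructed proxy log lines.
# It flags (1) executables impersonating a known installer but served from an
# untrusted host and (2) executables reached via an ad-click redirect.
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Assumed allow-list: installer filenames attackers like to imitate, mapped to the
# hosts that legitimately serve them. These hosts are assumptions for the example,
# not a vendor-published list.
TRUSTED_INSTALLER_HOSTS = {
    "adobeflashplayer.exe": {"get.adobe.com", "fpdownload.adobe.com"},
}

# Constructed set of hosts the filter treats as ad-click origins (reserved .test TLD).
AD_CLICK_HOSTS = {"ads.example-adnetwork.test", "click.example-adnetwork.test"}

EXECUTABLE_SUFFIXES = (".exe", ".msi", ".scr")


@dataclass
class ProxyEntry:
    client: str
    referer: Optional[str]
    url: str
    content_type: str


def parse_proxy_line(line: str) -> ProxyEntry:
    """Parse one constructed log line: <client-ip> <referer-or-'-'> <url> <content-type>."""
    client, referer, url, content_type = line.split()
    return ProxyEntry(client, None if referer == "-" else referer, url, content_type)


def host_of(url: Optional[str]) -> str:
    """Lower-cased hostname of a URL, or '' when there is no URL or no host."""
    if not url:
        return ""
    host = urlparse(url).hostname
    return host.lower() if host else ""


def filename_of(url: str) -> str:
    """Last path component of the URL, lower-cased."""
    return urlparse(url).path.rsplit("/", 1)[-1].lower()


def is_executable(entry: ProxyEntry) -> bool:
    """Treat a response as an executable by filename suffix or by MIME type."""
    return (filename_of(entry.url).endswith(EXECUTABLE_SUFFIXES)
            or entry.content_type == "application/x-msdownload")


def inspect(entry: ProxyEntry) -> List[str]:
    """Return zero or more finding strings for one log entry."""
    findings: List[str] = []
    if not is_executable(entry):
        return findings
    name = filename_of(entry.url)
    host = host_of(entry.url)
    trusted = TRUSTED_INSTALLER_HOSTS.get(name)
    if trusted is not None and host not in trusted:
        findings.append(f"impersonated installer {name} served from {host}")
    ref_host = host_of(entry.referer)
    if ref_host in AD_CLICK_HOSTS:
        findings.append(f"executable {name} reached via ad click from {ref_host}")
    return findings


def scan_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Run inspect() over every line and return (client, finding) pairs."""
    results: List[Tuple[str, str]] = []
    for line in lines:
        entry = parse_proxy_line(line)
        for finding in inspect(entry):
            results.append((entry.client, finding))
    return results


# Constructed sample log: one genuine download, one fake Flash installer behind an
# ad click, one harmless stylesheet, and one generic executable behind an ad click.
SAMPLE_LOG = [
    "10.0.0.5 - https://get.adobe.com/flashplayer/download/AdobeFlashPlayer.exe application/x-msdownload",
    "10.0.0.7 https://click.example-adnetwork.test/r?id=42 http://flash-update.example.test/AdobeFlashPlayer.exe application/x-msdownload",
    "10.0.0.9 - https://cdn.example-music.test/style.css text/css",
    "10.0.0.11 https://click.example-adnetwork.test/r?id=43 https://cdn.example-music.test/setup.exe application/octet-stream",
]

if __name__ == "__main__":
    for client, finding in scan_log(SAMPLE_LOG):
        print(client, finding)
```

The genuine download from the vendor host produces no finding, while the fake installer behind the ad click produces two (wrong host, and ad-click referer). A real filter would add content inspection and reputation data; the point of the example is that a trusted page is not the same as a trusted download, which is what the post's closing advice is about.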