
Spotify Has A Pirated Software Problem

Playlists and "podcast" episode descriptions are hiding malware and piracy sites in plain sight on the streaming platform.

People are using Spotify playlist and podcast descriptions to distribute spam, malware, pirated software and cheat codes for video games. 

Cybersecurity researcher Karol Paciorek posted an example of this: A Spotify playlist titled “*Sony Vegas Pro*13 Crack Free Download 2024 mysoftwarefree.com” acts as a free advertisement for piracy website mysoftwarefree.com, which hosts malicious software.

“Cybercriminals exploit Spotify for #malware distribution,” Paciorek posted on X. “Why? Spotify has a strong reputation and its pages are easily indexed by search engines, making it an effective platform to promote malicious links.”

"The playlist title in question has been removed,” a spokesperson for Spotify told 404 Media in a statement. “Spotify's Platform Rules prohibit posting, sharing, or providing instructions on implementing malware or related malicious practices that seek to harm or gain unauthorized access to computers, networks, systems, or other technologies."

But as BleepingComputer reported, piracy on Spotify isn’t limited to this one playlist; it is a widespread problem across the streaming platform. “Vbucks generators,” for generating more in-game currency in Fortnite, are easy to find all over Spotify.

Sites offering “license key cracks,” which provide license keys for pirated software, are also all over Spotify in the form of podcast episodes and playlists. As Paciorek noted, Spotify links are indexed by search engines, making it easy to find these listings through Google even if Spotify blocks the keywords from being searched. Searching for “license key cracks” on Spotify, for example, doesn’t return the malicious titles, but searching for it on Google shows that Spotify hosts many of these links.

Screenshot of Google search results showing "crack license" links to Spotify

The audio in these episodes is often noise or text-to-speech nonsense about clicking the link in the description. A “podcast” called forlinks, for example, is just a bunch of three-second “episodes” with descriptions that link to Turkish gambling sites. A user called “soupiz” is just uploading 22-second text-to-speech clips that all say the same thing in broken English about audiobooks and clicking the link. Podcast episode titles for these spam accounts often contain popular keywords about TikTok personalities or porn, boosting their search engine reach.
