On the eve of a push into the home audio market through a tie-up with a Japanese device maker, streaming music application Spotify was hit by malicious advertising content last week.
At the end of last week, the free version of Spotify served malicious ads that redirected users to websites hosting the Blackhole exploit kit, which attempted to infect them with the fake anti-virus application Windows Recovery. Spotify apologised for the incident.
Analysis by Websense found that once the ad was displayed and the user clicked through to the domain, the exploit kit tried to infect the user's machine.
The attack coincided with a deal between Spotify and Onkyo to make the streaming music service available on the Japanese device maker's hardware to its European customers.
Patrick Runald, senior manager of security research at Websense Security Labs, said malvertising was not new, but "this case is slightly different".
"Usually, malicious ads are displayed as part of a website and viewed with the browser. In this case the malicious ad is actually displayed inside the Spotify application itself.
"This means that it's enough that the ad is just displayed to you in Spotify to get infected, you don't even have to click on the ad itself. So if you had Spotify open and running in the background listening to your favourite tunes, you could still get infected."
Kurt Baumgartner, senior security researcher at Kaspersky Lab, said it was the third-party banner adverts rotating through the client's advert frames that were compromised, and that most of the redirections it saw sent users to servers in the .cc top-level domain.
"We have been working with providers to ensure the adverts are not on their networks, but the groups have been active in rotating malvertising banners through multiple networks," Baumgartner said.
"The hits on these ads, for the most part, have redirected browsers to Java, Adobe and Microsoft HCP related exploits.
"The Blackhole exploit kit may not have the largest install base online, but its hosters are abusing some of the bigger advertising networks to coordinate redirection to their exploit pages on these .cc servers. Accordingly, detections for their Java, PDF and HCP exploits are very high."
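The pattern Baumgartner describes, a banner loaded from an ad network that redirects out to a .cc host and then fetches a Java or PDF payload, is something a proxy log will show as a chain of Referer-linked requests. The script below is an added example, written for this page and not code from the article or from any of the vendors quoted: it walks Referer chains starting at ad-network banner loads and flags chains that leave for a .cc host, fetch an exploit-style payload type, or invoke the hcp:// protocol handler (the assumption being that the "Microsoft HCP" exploit mentioned above is delivered through that handler). The log lines, host names, ad-network list and log format are all constructed for illustration.

```python
"""Flag ad-served redirect chains that end at a .cc host or fetch exploit-style payloads.

Constructed proxy log format (not from the article), one request per line:
  client_ip  method  url  status  referrer("-" if none)  content_type
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed for this example: hosts the client is expected to load banners from.
AD_HOSTS = {"ads.example-adnet.net", "banners.example-rotator.com"}
# TLDs the quoted researchers saw the redirections land on.
SUSPECT_TLDS = {"cc"}
# Payload types associated above with the kit's Java and PDF exploits.
PAYLOAD_TYPES = {"application/java-archive", "application/x-java-applet", "application/pdf"}

# Constructed sample log: client 10.0.0.5 follows a malicious banner to a .cc landing
# page and a JAR; client 10.0.0.9 loads a benign banner and its image.
SAMPLE_LOG = """\
10.0.0.5 GET http://banners.example-rotator.com/b/1234.html 200 - text/html
10.0.0.5 GET http://redir.example-traffic.net/go?id=77 302 http://banners.example-rotator.com/b/1234.html text/html
10.0.0.5 GET http://lookup.example-landing.cc/land.html 200 http://redir.example-traffic.net/go?id=77 text/html
10.0.0.5 GET http://lookup.example-landing.cc/p.jar 200 http://lookup.example-landing.cc/land.html application/java-archive
10.0.0.9 GET http://banners.example-rotator.com/b/5678.html 200 - text/html
10.0.0.9 GET http://cdn.example-legit.com/img/ad.png 200 http://banners.example-rotator.com/b/5678.html image/png
"""


def parse_log(text):
    """Parse the constructed log format into a list of request dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, method, url, status, referrer, ctype = line.split()
        records.append({"client": client, "method": method, "url": url,
                        "status": int(status),
                        "referrer": None if referrer == "-" else referrer,
                        "ctype": ctype})
    return records


def hostname(url):
    return (urlparse(url).hostname or "").lower()


def tld(url):
    host = hostname(url)
    return host.rsplit(".", 1)[-1] if "." in host else ""


def build_chains(records):
    """Return one request chain per banner load, following Referer links per client."""
    by_ref = defaultdict(list)
    for r in records:
        if r["referrer"]:
            by_ref[(r["client"], r["referrer"])].append(r)
    chains = []
    for r in records:
        # A chain starts at a request to an ad host that was not itself referred by an ad host.
        if hostname(r["url"]) in AD_HOSTS and (
                r["referrer"] is None or hostname(r["referrer"]) not in AD_HOSTS):
            chain, seen, frontier = [r], {r["url"]}, [r]
            while frontier:
                cur = frontier.pop()
                for nxt in by_ref.get((cur["client"], cur["url"]), []):
                    if nxt["url"] not in seen:
                        seen.add(nxt["url"])
                        chain.append(nxt)
                        frontier.append(nxt)
            chains.append(chain)
    return chains


def assess_chain(chain):
    """Return the reasons a chain looks like malvertising (empty list if clean)."""
    reasons = []
    for r in chain:
        if tld(r["url"]) in SUSPECT_TLDS:
            reasons.append(f"request to .{tld(r['url'])} host {hostname(r['url'])}")
        if r["ctype"] in PAYLOAD_TYPES:
            reasons.append(f"payload fetch {r['ctype']} from {hostname(r['url'])}")
        if r["url"].lower().startswith("hcp://"):
            reasons.append("hcp:// protocol handler invocation")
    return reasons


def find_malvertising(text):
    """Parse a log and return the banner chains that warrant investigation."""
    findings = []
    for chain in build_chains(parse_log(text)):
        reasons = assess_chain(chain)
        if reasons:
            findings.append({"client": chain[0]["client"],
                             "chain": [r["url"] for r in chain],
                             "reasons": sorted(set(reasons))})
    return findings


if __name__ == "__main__":
    for f in find_malvertising(SAMPLE_LOG):
        print(f["client"], "->", " -> ".join(f["chain"]))
        for reason in f["reasons"]:
            print("   ", reason)
```

Starting the walk from the banner load rather than from the final .cc request matters because the ad networks rotate banners and the redirectors change; the stable signal is that a request the client made only to show an advert ended in a payload fetch. Real proxies record Referer, status and content type in their own formats, so the parser would be the part to adapt.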
Timo Hirvonen, anti-malware analyst at F-Secure, said that if the Spotify advert exploit really was Java-based, he wondered if Flash, Shockwave, QuickTime or PDF could be exploited through Spotify adverts.
Spotify later confirmed that it had removed all third-party adverts from its free version while it investigated, and that they had since been turned back on.