Researchers at AppRiver have detected a Spotify phishing scam that attempts to get users to reveal their Spotify credentials. The emails use brand imagery that makes them appear to have been sent by the music streaming service. The messages are realistic, although there are signs that they are not genuine.
The email template used in the Spotify phishing scam claims the user needs to confirm their account details to remove restrictions and ensure they can continue to use their account. The messages include the Spotify logo and contact information in the footer. The emails contain a link that account holders are asked to click, which takes them to a fake Spotify website where they are asked to enter their account credentials.
The Spotify phishing scam does not use a spoofed sender email address, which makes this scam quite easy to identify. Spotify is mentioned in the email address, but the domain makes it clear that the email has not come from a domain used by Spotify. That said, many email recipients may fail to check the sender address and may click the link and be directed to the phishing web page.
The phishing web page used to collect account credentials also contains Spotify branding and appears to be virtually identical to the genuine Spotify login page. The only sign that the website is not genuine is the URL.
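The two tells the article names (the brand named in the sender address but sent from an off-brand domain, and a login link whose URL is not the brand's own) can be turned into a mail-filter check. The following is an added Python example, not code from AppRiver or the article; the message is constructed, and spotify.com is assumed to be the brand's only legitimate domain:

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND = "spotify"
LEGIT_DOMAINS = {"spotify.com"}  # assumption: the brand's only legitimate domain
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def is_legit_domain(host: str) -> bool:
    """True if host is a legitimate brand domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def brand_mismatch_check(raw_email: str) -> dict:
    """Flag a single-part text message that names the brand in the sender
    address but is sent from, or links to, a domain the brand does not own."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    local, _, sender_domain = addr.rpartition("@")
    brand_in_sender = BRAND in (display + " " + local).lower()
    sender_offbrand = not is_legit_domain(sender_domain)
    body = msg.get_payload(decode=True).decode("utf-8", errors="replace")
    # Hosts of links in the body that are not the brand's own: the fake login page lives here.
    hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(body)}
    offbrand_links = sorted(h for h in hosts if h and not is_legit_domain(h))
    return {
        "sender_domain": sender_domain,
        "brand_in_sender": brand_in_sender,
        "sender_offbrand": sender_offbrand,
        "offbrand_links": offbrand_links,
        "suspicious": (brand_in_sender and sender_offbrand) or bool(offbrand_links),
    }


# Constructed sample modelled on the lure the article describes (not the real message).
PHISH_SAMPLE = """From: Spotify Support <spotify-support@mail-example.net>
To: listener@example.org
Subject: Confirm your account details
Content-Type: text/plain

Your account has been restricted. Confirm your details to keep using Spotify:
https://account-verify.example.net/spotify/login
"""

if __name__ == "__main__":
    print(brand_mismatch_check(PHISH_SAMPLE))
```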
The information collected via this phishing scam could allow the attacker to gain control of a user’s account. The password to the site will be obtained, which could be used to gain access to other accounts held by the victim if the password has been reused on other websites. Passwords can also reveal other information about a person, such as their date of birth, and can provide clues as to how their passwords are formed. That can make brute force attacks on other websites much easier and quicker to perform.