Mar 25, 2011 13:34 GMT  ·  By

Spotify users have fallen victim to a drive-by download attack carried out via malicious ads displayed in the free version of the software.

Spotify is a popular music streaming service with over 10 million registered users. It can be accessed via proprietary software available for most desktop and mobile operating systems.

It's estimated that around 9 million users have free accounts, meaning they receive advertisements inside the software.

Starting yesterday, people began seeing malware alerts from their antivirus programs when using the Windows version of the Spotify client.

The problem was tracked back to malicious third-party advertisements displayed inside the application. Netcraft reports that at least one Java exploit was used to install malware on people's computers.

Apparently the rogue ads loaded the Blackhole exploit pack, one of several drive-by download kits used by malware distributors.

"We're currently investigating and have pulled all third party display ads that could have caused the problem until we locate the specific advert," Spotify told The Register.

Malicious advertising (malvertizing) is an increasingly common malware infection vector and one that has the potential to reach a large number of users very quickly.

Malvertizing attacks are normally carried out in one of two ways: impersonation or ad server compromise. Impersonation involves attackers posing as legitimate advertisers in order to get their ads onto ad networks and then push malicious content through them.

On the other hand, some websites maintain their own advertising servers, usually running OpenX software, which allows them to sell ad space directly. If these servers are left unpatched, attackers can exploit security holes in them and push their rogue ads onto the websites they serve.

In order to protect themselves from drive-by downloads and malvertizing, users are advised to keep all of their software, including the operating system, up to date. Browsing the Web with a capable antivirus product installed is also a must.