Spotify playlists and podcasts are being abused to push pirated software, game cheat codes, spam links, and “warez” sites.

By injecting targeted keywords and links in playlist names and podcast descriptions, threat actors may benefit from boosting SEO for their dubious online properties, since Spotify’s web player results appear in search engines like Google.

Spotify playlists pushing warez

When abusing platforms, spammers and scammers leave no stone unturned to promote their agenda.

Most recently, a Spotify playlist with the title “Sony Vegas Pro 13 Crack…” appeared to drive traffic to one or more “free” software sites listed in the playlist title and description.

The terms “warez” or “crack” are frequently used in the computing culture to refer to bootleg or pirated software circulating on the internet, often on untrustworthy websites.

There’s no guarantee, ever, that attempting to download counterfeit software products from such websites, or “torrents” will be risk-free, as these could be malware, or lead users to bogus “survey” sites which are scams.

Users who download such “warez” may indeed, on occasion, receive the software program advertised on the suspicious websites without coughing up a fee, but may unknowingly end up with viruses, adware, or other unwanted programs hidden in the “cracked” version of the software.

Added benefit: SEO for spam sites

We observed that a side effect of polluting trustworthy and vastly popular platforms like Spotify with spam, for threat actors, is the added boost to the search engine rankings of their shady websites.

Those searching for keywords like “free download” combined with “Sony Vegas Pro 13” or other software products may be presented with the following Google results:

This is made possible because, in addition to mobile and desktop apps, Spotify offers a web player version at open.spotify.com. Playlists and podcasts available on the web player are, as with any website, crawled by search engines like Google.

This means, the illicit “free” software websites now have greater visibility and a higher chance of driving traffic to their servers—which are often riddled with ads, spam content, bogus “surveys,” and crypto giveaways that one would have to navigate through to, perhaps, be able to finally download a cracked software product, which is once again bound to be risky.

We asked Spotify if it had any controls or automated technologies in place to catch and prevent spam, and if any third-party Spotify apps or services were being abused to sneak in spam content on the platform.

Spotify deleted the “Sony Vegas Pro” playlist and podcast and their spokesperson responded:

“The playlist title in question has been removed,” Spotify informed BleepingComputer.

“Spotify’s Platform Rules prohibit posting, sharing, or providing instructions on implementing malware or related malicious practices that seek to harm or gain unauthorized access to computers, networks, systems, or other technologies.”

We did not get an answer to our other questions.

Podcast ‘episodes’ use synthesized speech

BleepingComputer discovered Spotify’s spam problem was not limited to playlists promoting links to pirated software but bootleg digital content in general, including eBooks.

Compared to playlists, we observed much greater instances of spurious podcasts, each with several “episodes,” published with the apparent intention of promoting spam links, “torrents,” and Telegram channels that seem to be scams.

These “episodes” are about ten to twenty seconds long, and comprise synthesized speech audio that directs users to visit the “link in the description.” One such episode is transcribed below:

“Hello viewers, welcome to my channel, there is good news from me, if you want to download or listen to audiobooks from this channel, please click the link in the description and sign up there then you will get unlimited book access, please follow me I am looking for several ebook and audiobook options. Thank you for coming to my channel, warm greetings from me.”

These links lead to a page that does have “download” or “read online” buttons featured next to the advertised book’s digital cover image. Clicking either button, however, attempts to either launch a survey or worse, directs users to flimsy “ad block” Chrome extensions which may be instead be collecting your data:

Next up: Game cheats and “GTA V” mods

Similarly, some podcasts we discovered claimed to offer game cheat codes for hit titles like Apex Legends, Fortnite hacks, Roblox scripts, “GTA V mods,” and trainers.

The “Free Cheat Codes” text in the description of this example episode was clickable and led to a cheater.ninja website:

Published via third-party podcast distribution services

Interestingly, while platforms like Spotify could have their automated technologies and barriers restricting invalid playlist names or descriptions, third-party apps and services are another vector threat actors tap into to get their foot in.

A common denominator among many, though not all such “podcasts” was the use of such third-party services that provide hosting, publication, and distribution services to podcast producers across streaming platforms including Spotify.

We noticed a “Powered by Firstory Hosting” banner appended to the description area of these podcasts.

Launched in 2019, Firstory is an online service designed to “empower podcasters in the world to distribute everywhere and start to connect with audiences!”

One can use Firstory to publish podcasts on Spotify, but the platform acknowledges that spam is an ongoing problem that it is focusing on curtailing.

“Spam accounts and content are ongoing challenges, and it’s something we continue to focus on improving,” wrote Firstory co-founder Stanley Yu to BleepingComputer in response to our questions.

“Anyone can use our platform to publish podcasts on Spotify. However, we do have certain filters in place to prevent accounts using specific fraudulent domains or email addresses containing variations such as account+[numbers]@gmail.com or ‘.’ in emails.”

“These spam accounts not only violate the rights of the creators we value most, but they also drive up our operational costs.”

“We’ve dedicated considerable resources to addressing this issue.”

Yu shared that the security measures in place include email verification and blocking; that is, conducting “a series of checks to block suspicious or fraudulent email addresses during the account registration process.”

Further, the platform works closely with Spotify and, according to Yu, promptly reviews and reports any infringing content detected.

“We also have API integration with Spotify to remove any flagged content.”

“We scan podcast titles and show notes for specific keywords like EPUB, PDF, etc., to prevent the hosting of spammy content. A challenge here is that some episodes use variations such as “E.P.U.B.” or contain terms like “epub” in unrelated contexts (e.g., “republic”). These cases require extra attention during our review process,” Yu concluded.

From sneaking in “handwritten” links in dating profiles to hijacking government and university websites, unscrupulous actors have repeatedly employed novel tactics to push unwanted content to the masses. And, now they won’t leave you in peace with your favorite music either.