- Feb 4, 2016
Over the past few months, tech support scammers have been using the Spotify forums to inject their phone numbers into the first page of the Google and Bing search results. They do this by submitting a constant stream of spam posts to the Spotify forums, whose pages tend to rank well in Google.
While this behavior causes the Spotify forums to become harder to use for those who have valid questions, the bigger problem is that it allows tech support scammers to rank extremely well and trick unknowing callers into purchasing unnecessary services and software.
Coinbase Tech Support Numbers in First Page of Google Search Results
BleepingComputer was alerted to this problem by security researcher Cody Johnston, who started to see an alarming number of tech support scam phone numbers being listed in Google search results through indexed Spotify forum posts. The tech support scams being posted to Spotify include Tinder, Linksys, AOL, TurboTax, Coinbase, Amazon, Apple, Microsoft, Norton, McAfee and more.
Why is this such a problem on the Spotify Forums?
After examining the Spotify forums, I noticed two problems with their current configuration that allow spammers to take advantage of their forums.
First, they utilize Google's reCAPTCHA service, which is a great first step, but it has already been shown that it can be bypassed by automated tools that solve image and audio challenges. As the Spotify forums rely heavily on reCAPTCHA as their main point of defense, we already have a problem.
The biggest issue, though, is that they do not require email verification before allowing a user to post. This means that a spammer can use automated tools to generate accounts using fake email addresses and still be able to post in the forums. I tested this by creating an account on the Spotify forums and was able to post a new topic before verifying my email address.
From my experiences running a busy forum for 13 years, email verification is one of the most important steps to prevent forum spam. As Lithium, the provider used to power Spotify's forums, has the setting to require email verification before a user can post, it is unknown why Spotify does not appear to have it enabled.
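To make the configuration difference concrete, here is an added example (not Spotify's or Lithium's code) that models a forum's posting gate: the weak variant lets any freshly registered account post, while the hardened variant refuses until the account has confirmed a time-limited, HMAC-signed token sent to its email address. The `Account` class, the token format and the one-hour expiry are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
import time

# Server-side signing key; generated fresh here for the example.
SECRET = secrets.token_bytes(32)


class Account:
    """Minimal forum account (constructed for this example)."""
    def __init__(self, username, email):
        self.username = username
        self.email = email
        self.verified = False
        self.posts = []


def issue_verification_token(account, now=None):
    """Token that would be emailed to the address on the account: <timestamp>.<hmac>."""
    ts = int(now if now is not None else time.time())
    msg = f"{account.email}|{ts}".encode()
    return f"{ts}." + hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def confirm_verification(account, token, max_age=3600, now=None):
    """Mark the account verified only if the token is valid for this email and unexpired."""
    try:
        ts_str, sig = token.split(".", 1)
        ts = int(ts_str)
    except ValueError:
        return False
    msg = f"{account.email}|{ts}".encode()
    expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    current = now if now is not None else time.time()
    if not hmac.compare_digest(sig, expected) or current - ts > max_age:
        return False
    account.verified = True
    return True


def create_post_unverified_ok(account, text):
    """Weak setting described in the article: registration alone is enough to post."""
    account.posts.append(text)
    return True


def create_post_verified_only(account, text):
    """Hardened setting: a post is accepted only from an email-verified account."""
    if not account.verified:
        return False
    account.posts.append(text)
    return True
```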
BleepingComputer has reached out to Spotify with questions related to this story and has not heard back at the time of publication.