Friday, May 15, 2026

Fake Spotify pages hide in legitimate domains

Central America. — In cybercrime, multiple threats coexist, but one of the most effective and hardest to detect combines two key elements: the exploitation of website vulnerabilities and the impersonation of recognized brands to run phishing campaigns, a deception technique that tries to get people to hand over sensitive data by posing as legitimate entities.

In this context, ESET, a leading company in proactive threat detection, warns that in recent days two cases were detected in Latin America in which cybercriminals exploited vulnerabilities in the websites of regional SMEs to host fake Spotify pages and steal access credentials and financial data. Because the pages imitating the streaming service sit inside a legitimate domain, they confuse users by combining a well-known brand with a domain they trust. The phishing page lives among valid domains, which increases the feeling of security.

According to ESET, this makes it more likely that a person will fall for the deception if the full domain is not carefully verified.

"For SMEs, this scam reveals a structural problem since the lack of maintenance and basic security measures on their websites exposes them to their own incidents and turns them into involuntary platforms for large-scale fraud. The impact can even go beyond the initial hack: a compromised company can lose the trust of customers and partners, be blocked by browsers or search engines and get trapped in a cycle of infections if it does not address the problem from the root," comments Martina López, a cybersecurity researcher at ESET Latin America.

The ESET research team breaks down the scam step by step:
  1. Cyber attackers exploit vulnerabilities (such as outdated CMS, insecure plugins, or weak credentials) to upload malicious files to a real website.
  2. Once inside the compromised site, they host a fake copy of the service they want to impersonate, which is visually identical to the original.
  3. Then, the link to this fake page can be distributed through phishing emails, malicious ads, social networks, or direct messages.
  4. When the victim visits the page and enters their login credentials or financial data, the information is sent directly to the cyber attacker.

"The effectiveness of the scam is based on four key points. The principle is that the compromised domain is legitimate, and thus they manage to bypass basic security filters. Furthermore, the impersonated brand is well-known and trustworthy, which makes many people only check the HTTPS padlock without paying due attention to the complete domain. And, finally, the decoys are usually very common situations, such as account renewal, payment problems, or security verification," warns López.

ESET says this practice is frequent and is present in Latin America. Below are two real cases of compromised SME websites in the region:

· Dental Center of Chile: A center specializing in dentistry in the Fifth Region of Chile had its website compromised, and cybercriminals used it to host fake sites that pose as Spotify to steal victims' financial information and access data. The fake page, hosted on the dental center's website, closely imitates Spotify's visual identity so that victims believe they are on the legitimate site. There, access credentials are requested. Once the victim enters their bank details, the page remains in a waiting state, with the promise of processing the request. In reality, this information has gone directly to the cybercriminals' servers.

· Tire company from Argentina: Another example of this malicious practice involves the website of an Argentinian company that sells tires. In this case, the fake site seeks to obtain the victims' Spotify login credentials.

"These campaigns generate a double-victim scenario: the deceived user and the SME whose website was compromised. Therefore, the consequences can be very dangerous for users, and for small and medium-sized businesses," highlights the researcher from ESET Latin America.
Some of the consequences for users can be:

· Theft and reuse of credentials: Stolen credentials can be sold or reused on other services, especially if the user repeats passwords on different platforms.

· Financial fraud: With the card details in their possession, cyber attackers can make purchases, take out unauthorized subscriptions or resell the information on clandestine markets.

· Loss of account control: A compromised account can be used to send spam, scam the user's contacts or access the personal information stored in it.

· Leakage of personal data: The exposure of information such as name, email, habits and other information associated with the account can facilitate subsequent targeted attacks.

To identify this scam and reduce the risk of becoming a victim, ESET shares some key points to consider. The first step is to always verify the full domain before entering personal or financial data, and to distrust any link that arrives unexpectedly by mail or messages. As additional safeguards, it recommends using a password manager, which does not autocomplete on fake domains, and activating two-factor authentication whenever possible.
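The "verify the full domain" check above, as an added example that is not from ESET or the original article: it extracts the host a browser would actually connect to and accepts only HTTPS hosts under a trusted domain. The `spotify.com` allowlist and the sample URLs (using reserved `.example` hosts) are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: the one registrable domain trusted for the brand.
TRUSTED_DOMAINS = {"spotify.com"}

# Constructed sample links; the .example hosts stand in for a compromised SME site.
SAMPLE_URLS = [
    "https://accounts.spotify.com/login",
    "https://ACCOUNTS.SPOTIFY.COM./login",
    "https://clinic.example/spotify/login/",
    "https://spotify.com.clinic.example/login",
    "https://accounts.spotify.com@clinic.example/login",
    "http://accounts.spotify.com/login",
]

def connect_host(url):
    """Return the lowercase host a browser would connect to, or None.

    Only https URLs are accepted; userinfo before '@' and the path are ignored,
    because neither decides where the request is sent.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.rstrip(".").lower()

def is_trusted(url, trusted=TRUSTED_DOMAINS):
    """True only if the host is a trusted domain or one of its subdomains."""
    host = connect_host(url)
    if host is None:
        return False
    # Match on a label boundary so 'spotify.com.clinic.example' does not pass.
    return any(host == d or host.endswith("." + d) for d in trusted)

def classify(urls=SAMPLE_URLS):
    """Map each URL to (host, trusted) for review."""
    return {u: (connect_host(u), is_trusted(u)) for u in urls}

if __name__ == "__main__":
    for url, (host, ok) in classify().items():
        print(f"{'ACCEPT' if ok else 'REJECT'} host={host} url={url}")
```

Only the first two sample links are accepted; the brand name appearing in the path, as a leading label, or before an `@` does not change the host, which is the same exact-host comparison that keeps a password manager from autocompleting on a fake page.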

On the other hand, some of the consequences for SMEs include:

· Damage to your reputation: The site becomes associated with fraud or scams, which can directly impact the trust of your customers and business partners.

· Blocking by browsers and search engines: A compromised domain can be marked as dangerous, which affects your SEO positioning and the arrival of legitimate traffic.

· Remediation costs: Costs arise from cleaning the site, investigating the incident, restoring backups and implementing security measures.

· Legal and regulatory risk: The exposure of personal data or failure to comply with security measures can lead to sanctions or legal liabilities.

· Recurrence of the attack: If the initial vulnerability is not corrected, the site may be compromised again and reused by other malicious actors.

Regarding SMEs and the protection of their sites, ESET mentions several good practices, such as keeping CMS, plugins, and servers updated. It is always advisable to use unique passwords and two-factor authentication for administrative access and to implement web security solutions and integrity monitoring. Finally, it is essential to conduct periodic audits of the site.

"This type of threat highlights a structural problem: small and medium-sized businesses do not always have the resources or cybersecurity maturity necessary to protect themselves. When an SME does not protect its website, it can become (unknowingly) a key part of a fraud chain that affects hundreds of users. Faced with this scenario, prevention requires a shared approach: users must adopt basic verification habits before entering sensitive data, while SMEs need to assume that the security of their website is a critical component of their reputation and digital trust," concludes Martina López from ESET.
