The phishing campaign was discovered earlier in November. Attackers used convincing emails to trick Spotify users into providing their account credentials.
The messages include a link that points to phishing websites that prompt users to enter their username and password. Attackers use these credentials to compromise the Spotify accounts and any accounts on other services that share the same username and password.
“Recently, AppRiver detected a phishing campaign that was targeting Spotify customers by email with the purpose of hijacking the owner’s account,” reads the analysis published by AppRiver.
“The attacker attempted to dupe users into clicking on a phishing link that would redirect them to a deceptive website. Once at the site, users were prompted to enter their user name and password (surprise!), giving the attacker the ability to hijack the account.”