Over the past few months, Tech Support scammers have been using the Spotify forums to inject their phone numbers into the first page of the Google & Bing search results. They do this by submitting a constant stream of spam posts to the Spotify forums, whose pages tend to rank well in Google.
While this behavior causes the Spotify forums to become harder to use for those who have valid questions, the bigger problem is that it allows tech support scammers to rank extremely well and trick unknowing callers into purchasing unnecessary services and software.
BleepingComputer was alerted to this problem by security researcher Cody Johnston, who started to see an alarming number of tech support scam phone numbers being listed in Google search results through indexed Spotify forum posts. The tech support scams being posted to the Spotify forums impersonate Tinder, Linksys, AOL, TurboTax, Coinbase, Amazon, Apple, Microsoft, Norton, McAfee and more.
On September 25th, Cody reached out to Spotify's Twitter account, but never heard back.
Tech Support Scammers are using Spotify accounts to get their scams close to the top of Google search results. pic.twitter.com/EabMrKwY26 — Cody Johnston (@AdwareHunter) September 25, 2017
It wasn't until December 1st, after another tweet to Spotify, that he received a response with a link to a Spotify forum post that acknowledges the problem Spotify is having and that they are trying to fix it.
While it is good that Spotify recognizes that there is a problem, it still has not been resolved over a month later as support scammers are still rampant on the Spotify forums with multiple spam posts being posted every minute.
After examining the Spotify forums, I noticed two problems with their current configuration that allow spammers to take advantage of their forums.
First, they utilize Google's reCAPTCHA service, which is a great first step, but it has already been shown that reCAPTCHA can be bypassed by automated tools that solve the image and audio challenges. As the Spotify forums rely heavily on reCAPTCHA as their main line of defense, we already have a problem.
The biggest issue, though, is that they do not require email verification before allowing a user to post. This means that a spammer can use automated tools to generate accounts with fake email addresses and still be able to post in the forums. I tested this by creating an account on the Spotify forums and was able to post a new topic before verifying my email address.
From my experiences running a busy forum for 13 years, email verification is one of the most important steps to prevent forum spam. As Lithium, the provider used to power Spotify's forums, has the setting to require email verification before a user can post, it is unknown why Spotify does not appear to have it enabled.
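To make the two gaps concrete, here is an added example (not code from Spotify, Lithium or the researcher) of a moderation gate a forum operator could run on each new post: it refuses posts from accounts whose email is not yet verified, and holds for review posts that pair a phone number with one of the impersonated brands or typical "support" wording. The brand list comes from the article; the phone pattern, support terms and sample posts are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Brands the article reports being impersonated in the Spotify forum spam.
SCAM_BRANDS = ["tinder", "linksys", "aol", "turbotax", "coinbase", "amazon",
               "apple", "microsoft", "norton", "mcafee"]
# Assumed wording typical of support-scam posts (not taken from the article).
SUPPORT_TERMS = ["tech support", "customer service", "support number",
                 "helpline", "toll free"]
# Word-bounded so "apple" does not fire on "pineapple".
BRAND_RE = re.compile(r"\b(" + "|".join(SCAM_BRANDS) + r")\b", re.I)
SUPPORT_RE = re.compile(r"\b(" + "|".join(SUPPORT_TERMS) + r")\b", re.I)
# North American formats: 1-800-555-0199, (800) 555-0199, 800.555.0199
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")

@dataclass
class Post:
    author: str
    email_verified: bool
    body: str

def classify_post(post: Post) -> Tuple[str, str]:
    """Return (decision, reason): 'reject', 'hold' (moderator queue) or 'publish'."""
    # Gate 1: the setting the article says is not enabled; no posting before verification.
    if not post.email_verified:
        return "reject", "email not verified"
    # Gate 2: a phone number next to a brand or support phrase is the scam signature.
    phones = PHONE_RE.findall(post.body)
    if phones and (BRAND_RE.search(post.body) or SUPPORT_RE.search(post.body)):
        return "hold", f"phone number {phones[0].strip()} with brand/support wording"
    # A phone number alone is not enough to block a legitimate user.
    return "publish", "ok"

# Constructed sample posts (not real forum content).
SAMPLE_POSTS = [
    Post("new_user_42", False, "Spotify premium not working, call 1-800-555-0199"),
    Post("verified_a", True, "Norton customer service 1-800-555-0199 toll free help"),
    Post("verified_b", True, "My playlist stops syncing on Android after the update."),
    Post("verified_c", True, "Order #4412 5550199 never arrived"),
]

def moderate(posts: List[Post]) -> dict:
    """Map each author to the decision for their post."""
    return {p.author: classify_post(p)[0] for p in posts}

if __name__ == "__main__":
    for p in SAMPLE_POSTS:
        print(p.author, classify_post(p))
```

Held posts stay out of the index until a moderator looks at them, which removes the search-ranking payoff even when reCAPTCHA has been solved by automation.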
BleepingComputer has reached out to Spotify with questions related to this story and has not heard back at the time of publication.