Spotify Customers Face Malvertizing Attacks

Recently, Spotify users suffered malvertizing attacks. Malvertizing attacks involve injection of malicious code in advertisements to insert malware in vulnerable computers.
 
March 28, 2011 - PRLog -- Websites rely on third-party advertisements to offer free services to customers. Advertisements may come in the form of pop-up ads, banner ads, floating ads and video ads, among several others. However, these advertisements can be misused by cybercriminals to install malware on users' computers. Recently, cybercriminals targeted Spotify users with malvertizing attacks. In malvertizing, attackers insert or modify code in an advertisement to exploit flaws in web browser code. They use popular online advertising networks to propagate the malware.

Spotify is a popular online music service in European countries. Users of the free ad-supported version can listen to their favorite songs online. When unwary users clicked on some of the third-party advertisements placed on the site, they also inadvertently downloaded malware onto their computer systems. Attackers reportedly exploited a Java vulnerability to insert malicious code into vulnerable systems.

Advertisements carrying malicious code may entice users with attractive offers, interesting news articles, free downloads and fake anti-virus software. When users click on the links placed in the advertisements, they may also be redirected to a fake website or be required to download software to view the advertisement. Internet security firm Sophos has also reported the existence of a malware-spreading advertisement on Facebook, which was quickly rectified by the social networking site.

Attackers may exploit vulnerabilities in websites through malvertizing, drive-by malware, SQL injection and iframe injection attacks. Website owners must review the security of their websites regularly to identify vulnerabilities and threat vectors. They must also verify the procedures followed by third-party advertising networks to avoid malicious links and misuse of advertisements. Employees could be educated on various online threats and on preventive and remedial measures through training sessions, refresher courses, online university degree programs and e-learning programs.

Online service providers may avail the services of IT professionals qualified in secure programming, masters of security science and security certifications to strengthen their defenses against online threats. Organizations may install web filtering technologies to prevent unintentional download and propagation of malware in computer systems and networks.

They must install and regularly update anti-virus and anti-malware solutions. Security software must be downloaded directly from the website of a legitimate developer rather than by clicking on links in pop-ups. They must be wary of visiting unknown third party sites to download software. Users must constantly update software products to avoid exploitation of vulnerabilities. They must be wary of clicking on third-party advertising links on websites. E-brochures, videos and online degree programs could be used to enlighten Internet users on different security threats and Internet safety tips.

Contact Press

EC-Council
Website:  http://www.eccouncil.org
Email:  iclass@eccouncil.org
Tel:  505-341-3228


EC-Council University is based in Albuquerque, New Mexico and offers a Master of Security Science (MSS) degree to students from various backgrounds such as graduates, IT professionals, and military students, amongst several others. The MSS is offered as a 100% online degree program, which allows EC-Council University to reach students not only from the United States but from all around the world.

EC-Council is a member-based organization that certifies individuals in cybersecurity and e-commerce skills. It is the owner and developer of 16 security certifications, including Certified Ethical Hacker (CEH), Computer Hacking Forensic Investigator (CHFI) and EC-Council Certified Security Analyst (ECSA)/Licensed Penetration Tester (LPT). Its certificate programs are offered in over 60 countries around the world.

EC-Council has trained over 80,000 individuals and certified more than 30,000 members, through more than 450 training partners globally. These certifications are recognized worldwide and have received endorsements from various government agencies including the U.S. federal government via the Montgomery GI Bill, Department of Defense via DoD 8570.01-M, National Security Agency (NSA) and the Committee on National Security Systems (CNSS). EC-Council also operates the global series of Hacker Halted security conferences.

# # #

iClass is EC-Council's online training delivery platform. Students can attend live or recorded training sessions for courses such as Certified Ethical Hacker (CEH), Certified Security Analyst (ECSA) or Computer Hacking Forensic Investigator (CHFI).
Tags: Malware, Malvertizing, Malvertizing Attacks, Drive-by Malware, Spotify, Facebook, Websites, Website Security
Industry: Internet, Internet security, Security
Location: Albuquerque - New Mexico - United States
Page Updated Last on: Mar 28, 2011