Today, I foolishly clicked a link in an email I received from Spotify without checking the URL first. It was all due to timing and how the login from the fake site works. I did a simple investigation and found interesting things.
I am subscribed to Spotify Family, Philippines pricing of ₱195 per month. Today, the 9th of July, is renewal day. However, my payment method, Globe’s GCash, had a maintenance that ended at eight (8) this morning.
The Spotify email I received had the subject “Your Spotify subscription is paused” and the time was within the GCash maintenance. I was confident at that point because it was not the first time this happened. So even though I was starting to have doubts after reading the email, I still clicked the link to fix the subscription, and then logged in.
I typed the wrong username first, and the login failed. After typing the correct username, I was logged in successfully. My doubts started to build because I could not see the option to renew my Family subscription. But since I was connected to a VPN network, it was detecting me not from the Philippines but from somewhere else. After disconnecting the VPN and manually changing the URL to Spotify’s Philippine site, I noticed the URL was not spotify.com.
I immediately changed my password after confirming nothing was downloaded, and clicked Spotify’s “logout all sessions”. Investigation begins…
According to Domaintools.com, the domain SpoTlTy was registered on 2017-06-06, only last month. Details on the domain are hidden because the owner purchased a “Domain Privacy” feature. But we know the registrar is CrazyDomains, and the site is behind CloudFlare. I reported the domain to CloudFlare.
Next, I viewed the complete email header and this is where it got very interesting. The email came from @spotify.happyplus.com.ph. Does it mean Jollibee’s Happyplus sent the email? Yes or no.
- No, because a phisher might have chosen their domain name and Happyplus is a victim as well
- Yes, because I remembered that I attached my Spotify to my Happyplus account. But I never activated the automatic payment option (I probably even removed it). I logged in to Happyplus today and the Spotify option is no longer available. Now, I am not sure if I remembered correctly at all!
In addition to the above, the email used Google Shortener to hide the real domain name (goo.gl / YEYuGa). It is possible it was for click-tracking purposes; companies who want to save money or quickly send email newsletters often use URL shorteners.
If Jollibee was a Victim
This could have been avoided if Jollibee’s developers had properly set up the records on the happyplus.com.ph domain. The technology has been around for years. We have DMARC and DKIM TXT records to combat unwanted use of domain names by phishers and spammers.
But I have doubts since the email header shows it came from their server hosted by AWS located in Singapore.
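To illustrate the DMARC records mentioned above, here is an added example (not part of the original post, and not based on the real records of any domain named here) that works out which policy a receiving mail server would apply to a sender address on a subdomain, the situation in this email. It covers DMARC only; the example domains, TXT strings and function names are constructed for illustration.

```python
# Constructed TXT data for placeholder domains; not real records for any domain in this post.
SAMPLE_DNS = {
    "_dmarc.example.com": ["v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com"],
    "_dmarc.example.org": ["v=DMARC1; p=quarantine; pct=50"],
    "_dmarc.example.net": ["v=spf1 -all"],  # an SPF record, not DMARC
}

def parse_dmarc(txt):
    """Parse one TXT string into a tag dict, or return None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        return None
    tags = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def policy_for(from_domain, org_domain, dns):
    """Return (policy, pct) a receiver applies to mail that fails DMARC for from_domain."""
    for name in (from_domain, org_domain):
        found = [t for t in map(parse_dmarc, dns.get("_dmarc." + name, [])) if t is not None]
        if len(found) > 1:
            return "none", 100  # several DMARC records: discovery stops, no policy applies
        if not found:
            continue  # nothing at this name: fall back to the organizational domain
        tags = found[0]
        policy = tags.get("p", "none").lower()
        if name != from_domain:
            # A subdomain covered only by the parent record follows sp= when it is set
            policy = tags.get("sp", policy).lower()
        if policy not in ("none", "quarantine", "reject"):
            policy = "none"  # simplification: treat a missing or invalid policy as none
        pct = tags.get("pct", "100")
        return policy, int(pct) if pct.isdigit() else 100
    return "none", 100

def spoofable(from_domain, org_domain, dns=SAMPLE_DNS):
    """True when failing mail is not reliably rejected or quarantined."""
    policy, pct = policy_for(from_domain, org_domain, dns)
    return policy == "none" or pct < 100

if __name__ == "__main__":
    for sender, org in [("example.com", "example.com"), ("mail.example.com", "example.com"),
                        ("example.org", "example.org"), ("example.net", "example.net")]:
        print(sender, policy_for(sender, org, SAMPLE_DNS), "spoofable:", spoofable(sender, org))
```

In the constructed data, example.com itself is protected by p=reject, yet mail claiming to come from mail.example.com is still accepted because the record sets sp=none for subdomains.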
If Happyplus did send the email
Two comments only: never ever send an email on behalf of another online service! Never ever create a copy of another service’s website!
However, if this was with Spotify’s approval, then Spotify must change their process immediately. This type of system is totally unacceptable. All logins to Spotify must happen on spotify.com only. They can implement OAuth2 and have users authorise third-party access from the spotify.com domain name.
Most importantly, Spotify must implement Two-Factor Authentication. We are paying for the service; it is only appropriate that our accounts are protected with extra layers. The last thing we want to happen is for our account to be terminated… permanently.
Jollibee could be a victim here but based on the email header, the mail was sent from their AWS server located in Singapore. If they did not, then were they hacked? Are our Happyplus card and private information compromised? I hope not.
If they did send the email, the question I want answered by Jollibee is why are they redirecting to a fake Spotify login site? Is Spotify aware of this? Is this Spotify’s standard operating procedure?
This “style” is completely the style of phishers and scammers. They will create their own version of an online service’s login page, spam emails, and trick people into entering their usernames and passwords.
I want to hear from Jollibee and Spotify on this matter. Below you will find all the screenshots I took. I also reported the domain name to as many as I can because this method or practice is not acceptable. The domain SpoTlTy is a fake Spotify login site. Do not justify it.
Fake Spotify Login Site, Was Happyplus Compromised? by Yuki is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. Permissions beyond the scope of this license may be available at Legal Notice.