Fake Spotify Login Site, Was Happyplus Compromised?


Today, I foolishly clicked a link in an email I received from Spotify without checking the URL first. It was all due to timing and how the login on the fake site works. I did a simple investigation and found interesting things.

What happened?

I am subscribed to Spotify Family, at the Philippines price of ₱195 per month. Today, the 9th of July, is renewal day. However, my payment method, Globe's GCash, was under maintenance until eight (8) this morning.

The Spotify email I received had the subject “Your Spotify subscription is paused”, and it was sent during the GCash maintenance window. I was confident at that point because it was not the first time this had happened. So even though I was starting to have doubts after reading the email, I still clicked the link to fix the subscription, and then logged in.

I typed the wrong username first, and the login failed. After typing the correct username, I was logged in successfully. My doubts started to build because I could not see the option to renew my Family subscription. But since I was connected to a VPN, the site was detecting me as being somewhere other than the Philippines. After disconnecting the VPN and manually changing the URL to Spotify's Philippine site, I noticed the URL was not spotify.com.

I immediately changed my password after confirming nothing had been downloaded, and clicked Spotify's “logout all sessions”. The investigation begins…

The Investigation

According to Domaintools.com, the domain SpoTlTy was registered on 2017-06-06, only last month. WHOIS details for the domain are hidden because the owner purchased the registrar's “Domain Privacy” feature. But we know the registrar is CrazyDomains, and the site is behind Cloudflare. I reported the domain to Cloudflare.

Next, I viewed the complete email header, and this is where it got very interesting. The email came from @spotify.happyplus.com.ph. Does that mean Jollibee's Happyplus sent the email? It could go either way.

  • No, if a phisher simply chose to spoof their domain name, in which case Happyplus is a victim as well.
  • Yes, because I remembered that I had attached my Spotify account to my Happyplus account. But I never activated the automatic payment option (I probably even removed it). I logged in to Happyplus today and the Spotify option is no longer available. Now I am not sure whether I remembered correctly at all!

In addition to the above, the email used the Google URL Shortener to hide the real domain name (goo.gl / YEYuGa). It is possible this was only for click-tracking: companies that want to save money or send email newsletters quickly often use URL shorteners. Either way, a shortened link hides the destination from the reader until it is clicked.

If Jollibee was a Victim

This could have been avoided if Jollibee's developers had properly set up the email authentication records on the happyplus.com.ph domain. The technology has been around for years: SPF, DKIM and DMARC are published as DNS TXT records precisely to combat unwanted use of domain names by phishers and spammers. SPF lists the servers allowed to send for the domain, DKIM lets the domain sign its messages, and DMARC tells receivers what to do (monitor, quarantine or reject) when neither check passes for the From domain. Note the limit of these records: they only help against mail sent from servers the domain does not authorise. A message that genuinely leaves an authorised server passes them cleanly.

But I have doubts, since the email header shows it came from their own server, hosted by AWS in Singapore.
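To make the point about SPF, DKIM and DMARC concrete, here is a minimal evaluator, added for this write-up and not code from the original post. The DNS records, IP addresses and the tiny public-suffix set are constructed stand-ins, not the real happyplus.com.ph records. It shows why a strict configuration (`-all`, `p=reject`) stops a spoof while a weak one (`~all`, `p=none`) does not, and why neither can flag a message that truly left an authorised server.

```python
"""Minimal SPF + DMARC evaluator over constructed DNS data (added example)."""
import ipaddress

# Constructed TXT records standing in for real DNS answers. Addresses are documentation ranges.
DNS_TXT = {
    "happyplus.com.ph": "v=spf1 ip4:203.0.113.0/24 include:mail-relay.example -all",
    "mail-relay.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_dmarc.happyplus.com.ph": "v=DMARC1; p=reject; aspf=r; adkim=r",
    # A weakly configured domain for comparison: softfail and a monitor-only policy.
    "weak.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_dmarc.weak.example": "v=DMARC1; p=none",
}

# Tiny stand-in for the Public Suffix List that DMARC uses to find the organizational domain.
PUBLIC_SUFFIXES = {"ph", "com.ph", "com", "example"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(domain, ip, depth=0):
    """Evaluate the ip4/ip6/include/all mechanisms of a domain's SPF record for a sending IP.

    Real SPF also has a, mx, exists and redirect and caps DNS lookups at 10; omitted here.
    """
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1") or depth > 10:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6") and addr in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual]
        if name == "include" and spf_result(arg, ip, depth + 1) == "pass":
            return QUALIFIERS[qual]
        if name == "all":
            return QUALIFIERS[qual]
    return "neutral"


def org_domain(domain):
    """Organizational domain: the label directly above the longest matching public suffix."""
    labels = domain.lower().split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return domain.lower()


def dmarc_policy(domain):
    """DMARC record for the From domain, falling back to its organizational domain."""
    for name in (domain, org_domain(domain)):
        record = DNS_TXT.get("_dmarc." + name, "")
        if record.startswith("v=DMARC1"):
            tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
            return {"p": tags.get("p", "none"), "aspf": tags.get("aspf", "r"), "adkim": tags.get("adkim", "r")}
    return None


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same organizational domain."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def dmarc_evaluate(from_domain, mail_from_domain, sending_ip, dkim_domain=None, dkim_pass=False):
    """Combine SPF, DKIM and alignment as a receiving MTA does (RFC 7489, simplified).

    Returns (dmarc_result, disposition); the disposition is what the policy asks of a failing message.
    """
    policy = dmarc_policy(from_domain)
    if policy is None:
        return "none", "none"  # nothing published, nothing to enforce
    spf_ok = spf_result(mail_from_domain, sending_ip) == "pass" and aligned(from_domain, mail_from_domain, policy["aspf"])
    dkim_ok = dkim_pass and dkim_domain is not None and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy["p"]


def scenarios():
    """The cases this post turns on, with constructed sender addresses."""
    sender = "spotify.happyplus.com.ph"
    return {
        # Sent from an IP inside the domain's own SPF: authentication cannot flag it.
        "from_authorised_server": dmarc_evaluate(sender, "happyplus.com.ph", "203.0.113.10"),
        # Same From domain spoofed from an unlisted IP: p=reject asks receivers to drop it.
        "spoofed_strict_policy": dmarc_evaluate(sender, "happyplus.com.ph", "192.0.2.7"),
        # Forwarding breaks SPF, but an aligned DKIM signature still passes DMARC.
        "forwarded_with_dkim": dmarc_evaluate(sender, "forwarder.example", "192.0.2.7",
                                              dkim_domain="happyplus.com.ph", dkim_pass=True),
        # Weak configuration: softfail plus p=none means the spoof is delivered as usual.
        "spoofed_weak_policy": dmarc_evaluate("weak.example", "weak.example", "192.0.2.7"),
    }


if __name__ == "__main__":
    for name, (result, disposition) in scenarios().items():
        print(f"{name:24s} dmarc={result:5s} disposition={disposition}")
```

The first scenario is the uncomfortable one for this post: if the message really left a server listed in the domain's SPF record, SPF, DKIM and DMARC all pass, and the only remaining explanations are that the domain owner sent it or that the sending server was compromised.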

If Happyplus did send the email

Only two comments: never send email on behalf of another online service, and never create a copy of another service's login page!

However, if this was done with Spotify's approval, then Spotify must change their process immediately. This type of system is totally unacceptable. All Spotify logins must happen on Spotify's own domain. Spotify can offer OAuth2 so that a user grants a third party limited access from the spotify.com domain, and the third party never handles the user's password at all.
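What that OAuth2 arrangement looks like in practice, as an added example that is not code from the original post or from Spotify: an authorization-code flow with PKCE, simulated end to end so both sides' messages are visible. The user logs in only at the identity provider; the partner site receives a short-lived code and then a token. The client id, redirect URI, scope name and the lookalike domain are constructed values.

```python
"""OAuth 2.0 authorization-code flow with PKCE, both sides simulated (added example)."""
import base64
import hashlib
import secrets
import urllib.parse


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class AuthorizationServer:
    """Stand-in for the identity provider. It alone ever sees the user's password."""

    def __init__(self, registered_clients):
        self.clients = registered_clients  # client_id -> set of allowed redirect URIs
        self.codes = {}                    # issued code -> grant details (single use)

    def authorize(self, params, user):
        """Called after the user logged in on the provider's own domain and approved the request."""
        client_id, redirect_uri = params["client_id"], params["redirect_uri"]
        if redirect_uri not in self.clients.get(client_id, set()):
            raise ValueError("redirect_uri is not registered for this client")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "user": user,
                            "scope": params["scope"], "code_challenge": params["code_challenge"]}
        # The browser goes back to the partner carrying only the code and the state.
        return redirect_uri + "?" + urllib.parse.urlencode({"code": code, "state": params["state"]})

    def token(self, client_id, redirect_uri, code, code_verifier):
        """Back-channel exchange: the code is bound to client, redirect URI and PKCE verifier."""
        grant = self.codes.pop(code, None)  # pop makes the code single use
        if grant is None or grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise ValueError("invalid_grant")
        expected = b64url(hashlib.sha256(code_verifier.encode()).digest())
        if not secrets.compare_digest(expected, grant["code_challenge"]):
            raise ValueError("invalid_grant: PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(24), "scope": grant["scope"], "sub": grant["user"]}


class PartnerClient:
    """The third party (a loyalty programme, say). It never asks for or sees the password."""
    CLIENT_ID = "loyalty-app"                          # constructed
    REDIRECT_URI = "https://loyalty.example/callback"  # constructed
    SCOPE = "read-subscription"                        # constructed scope name

    def __init__(self, idp):
        self.idp = idp
        self.pending = {}  # state -> code_verifier, kept server side per login attempt

    def start_login(self):
        """Build the /authorize request: random state (CSRF) and a PKCE challenge."""
        state, verifier = secrets.token_urlsafe(16), secrets.token_urlsafe(48)
        self.pending[state] = verifier
        return {"response_type": "code", "client_id": self.CLIENT_ID, "redirect_uri": self.REDIRECT_URI,
                "scope": self.SCOPE, "state": state, "code_challenge_method": "S256",
                "code_challenge": b64url(hashlib.sha256(verifier.encode()).digest())}

    def callback(self, redirect_url):
        """Handle the browser's return: reject unknown state, then exchange the code."""
        query = urllib.parse.parse_qs(urllib.parse.urlparse(redirect_url).query)
        state, code = query["state"][0], query["code"][0]
        verifier = self.pending.pop(state, None)
        if verifier is None:
            raise ValueError("unknown state: possible CSRF or replayed callback")
        return self.idp.token(self.CLIENT_ID, self.REDIRECT_URI, code, verifier)


def new_pair():
    idp = AuthorizationServer({PartnerClient.CLIENT_ID: {PartnerClient.REDIRECT_URI}})
    return idp, PartnerClient(idp)


def run_flow(user="alice"):
    """Happy path: returns the token the partner ends up holding."""
    idp, partner = new_pair()
    redirect = idp.authorize(partner.start_login(), user)  # login happened at the provider
    return partner.callback(redirect)


def replay_is_rejected():
    """A captured callback URL cannot be replayed: state is consumed and the code is single use."""
    idp, partner = new_pair()
    redirect = idp.authorize(partner.start_login(), "alice")
    partner.callback(redirect)
    try:
        partner.callback(redirect)
        return False
    except ValueError:
        return True


def unregistered_redirect_is_rejected():
    """A lookalike site cannot point the code at itself: the redirect URI must be pre-registered."""
    idp, partner = new_pair()
    params = partner.start_login()
    params["redirect_uri"] = "https://spotlfy.example/callback"  # constructed lookalike
    try:
        idp.authorize(params, "alice")
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(run_flow("alice"), replay_is_rejected(), unregistered_redirect_is_rejected())
```

The point of the simulation is where the password is typed: `authorize` is only reached after the user has authenticated at the provider, and the partner's code path handles nothing but a random code and a token, so a partner site that asks for the Spotify password directly is doing something the protocol was designed to make unnecessary.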

Most importantly, Spotify must implement two-factor authentication. We are paying for the service, so it is only appropriate that our accounts are protected with an extra layer. The last thing we want is for our account to be terminated… permanently.

Conclusion

Jollibee could be a victim here, but based on the email header, the mail was sent from their own AWS server located in Singapore. If they did not send it, were they hacked? Are our Happyplus card and private information compromised? I hope not.

If they did send the email, the question I want answered by Jollibee is why they are redirecting users to a fake Spotify login site. Is Spotify aware of this? Is this Spotify's standard operating procedure?

This “style” is exactly the playbook of phishers and scammers: they create their own version of an online service's login page, send spam emails, and trick people into entering their usernames and passwords.

I want to hear from Jollibee and Spotify on this matter. Below you will find all the screenshots I took. I also reported the domain name in as many places as I could, to hopefully get it blocked immediately.



CC BY-SA 4.0 Fake Spotify Login Site, Was Happyplus Compromised? by ᜌᜓᜃᜒ (Yuki|雪亮) is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. Permissions beyond the scope of this license may be available at Legal Notice.
