Crescent Mold? Hacks of Eagles?

I’ve been hacked! Or to be more accurate, someone used a compromised email and password combination to login to my Spotify account. No harm done so far, my credit card details are not visible, and nothing seems amiss other than a very strange collection of “Recently Played” music. I have decided to highlight the hack for two reasons. Firstly, it’s always good to revisit computer and password security, a topic that has been of great interest to me over the years. But perhaps more importantly, I suspect that this hack was part of an ongoing effort to fraudulently obtain money from Spotify by getting hacked accounts to play fake bands. More on that in the second part of the post.

Password security

This is not the first time that one of my accounts has become vulnerable. Some years ago I had an incident with Skype, in which a hacker used my login to purchase call time, until the account was frozen. Thankfully, Microsoft returned all the money to my credit card, but since then I have been using a password authenticator and generator. All of my most important accounts are secured with uniquely generated passwords; I also try to use 2-factor authentication wherever possible in every important service, such as banks, email, and social media. I keep a set of insecure passwords that I use on websites in which I never expect any security: mostly forums and other websites where no secure payment and/or personal information is stored. I also use an old Hotmail email address specifically for logins. For the most part this strategy has worked quite well. However, I recently noted that the Hotmail account was listed in various data breaches, these are notified using the service Have I Been Pwned, which notifies you whenever your address is listed in an attack. This prompted me to make sure that my most important accounts were secure, but I was remiss in a few services.

What happened is that one password that I sometimes reused for services for which I need to remember the password was part of the Verifications.io breach. I hadn’t realised it at the time, but I was also using that same password in streaming sites because I need to enter it in devices such as phones and TVs (and also to share with my family). I just found out that I was using the same breached password in Spotify, Netflix, NowTV, and a few others. Needless to say, I have now changed all of the passwords, and I have even started changing a bunch of others to make sure everything is secure.

The moral of the story is that a password manager is not sufficient, you need to be using it consistently across all services. The silver lining of this breach is that I have started improving my passwords across the board.

Spotify scam

But perhaps the most interesting part of the breach has been that my account was being used to click on some dubious content. At first I assumed that my premium account had been hacked by someone who wanted to gain access to uninterrupted music for free. I started cleaning my “Recently Played” list, and my inner music geek became curious about the listening habits of my hacker. Interestingly, they did not only play the music with my account, they added these artists to my Followed artists as well.

At first I recognised a few names here and there, David Bowie, Taylor Swift, and Ariana Grande. But the bulk of plays were of artists I had never heard of. This made me feel old and out of touch. But then I noticed that some of the artist names were quite random, I saw “Rome Osiris”, “Gaia Genesis”, “Morrowmug Rifters”, “Confidential Wyvern”, “Inside of Rose”, and “Luscious Mistakes”, just to name a few. These seemed to be names generated by some mediocre machine learning algorithm. The covers looked like they were taken from stock photography, there was never an artist pictured, and none of them had any bio infomration. All of the random acts had only one song (usually between 2.00 and 2:40 minutes long). I listened to a couple of songs, and most of the music was extremely bland, it could have been composed by an AI.  Despite having only one short song, these musicians were followed by thousands of people, and managed to get thousands of plays. There was never a bio, never an artist’s picture, and most songs were uploaded using self-publishing tools such as DistroKid.

I commented on Twitter the oddity of these names, and Rudolf van der Berg and others replied that this looked like some form of click fraud. It then hit me that this was indeed some sort of scam!

Apparently this is not new, last year a Bulgarian scamming operation managed to obtain $1 million USD from Spotify by using fake accounts to listen to music. This was spotted by music industry insiders, who noticed that a couple of playlists were extremely influential, reaching the Top 100 of plays on Spotify. The problem with these lists was that the songs that were played were extremely short, about .30 seconds, and involved unknown artists with very few follows. There were also only 1,200 users that were listening to these playlists all the time. Once they knew what they were looking for, the pattern was easy to spot.

With that in mind, I started looking at some of my hacker’s favourite musicians in more detail, and found some interesting commonalities. The first is that the artists all have only one song, and as I mentioned, both the name of the song and the musician’s name are extremely random. The length of the song is almost always around 2:30 minutes, and the artists never had any bio or face pictures, only landscapes.

Take “Confidential Wyvern”, who manage to have 23k listeners per month, but they have only one 2:23 minutes long song called “Manifesting Hendrix”. With only that one song, they manage 20k followers, which seems extremely suspicious. That’s an impressive level of engagement! Moreover, the song “Manifesting Hendrix” has managed an astounding 256k plays on Spotify. To offer some contrast with a real group, one of my favourite artists is Kumbia Queers, a punk band from Argentina. They have 27k monthly listeners, and one of my favourite songs is “Feriado Nacional“, which has only 186k plays on Spotify. While Kumbia Queers is a niche act, they have several albums and dozens of songs in their catalogue, and it makes no sense that “Confidential Wyvern” would have a similar number of monthly listeners.

For such a confidently popular band, they do not appear to have any presence in Google. A search result only throws their presence on Spotify, but nothing else: no artist page, no Soundcloud, no evidence of gigs or any other activity. It’s almost as if they do not exist in reality.  Other artists produced some interesting patterns as well. Morrowmug Rifters have uploaded their delightfully named “Crescent Mold” to Youtube, but their video has only managed only 4 views:

 However, “Crescent Mold” seems to be much more popular on Spotify than Youtube, managing an astounding 17k streams:

Every suspicious artist that I looked at shared this pattern. Take the song “Above Society” by “Gaia Genesis”, which managed to accrue an incredible 244k plays. Needless to say, there is no Internet presence for this band, if you search for the name, the top hit is a pack for the popular Japanese card game Yu-Gi-Oh!

I became curious about the cover art for this song, as “Above Society” has a very pretty beach in it. Running a TinEye image search I found that the cover was taken from an Adobe stock photograph of the seashore in Latvia. I did not run a search on other images, but I would not be surprised if they came from some sort of Adobe stock photography package, maybe even using a hacked Adobe account.

Finally, I also found some interesting information about the way in which the scam operates, and it seems to be cyclical. Searching for information on the song “Hacks of Eagles”, I found it listed in last.fm’s scrobbler. This is an extremely useful tool that allows users to keep track of what they have played. Hacks of Eagles shows up in the scrobbler data late last year, then it goes quiet, and it shows up again recently. My guess is that the scammers recycle the plays to avoid detection.

I do have a last.fm account, and interestingly it was still connected to my Spotify account, so I managed to learn that the hack possibly started on January 11, when the first batch of unrecognised artists shows up. I have to admit that “Poison Miscreant” by “Pivotal Palindrome Metals” is a hell of a song and artist combination. I also like “Escaping Athena”. Needless to say, I’m ashamed that I did not discover the hack sooner, I have been mostly listening to Spotify while playing games, and I did not look in detail at my artists and Follow lists.

Conclusion

The scam appears to be clear. Hack premium accounts that are not used often, and use them to play music from a large playlist of non-existent artist that have been uploaded using self-publishing tools. The scammers collect royalties from these plays, and profit handsomely. Given that Spotify pays between $0.006 and $0.0084 per play, a song like “Above Society” would have obtained between $1400 and $2,000 USD. Assuming that there are no intermediaries, most of this would have gone to the scammers. With over 250k plays, “Crescent Mold” could have also managed to make over $2,000 USD. These are only two of the fake artists that I uncovered, and one has to assume that there could be thousands of such songs.

In an age of self-publishing and user-generated content, it’s not a surprise that some will abuse the system for their own profits. The question now is whether Spotify can act against these hackers.

Update

Looking further at my last.fm scrobbler stats, the hack took place in August 12 2019, practically six months ago! The bands played since then include: Empathetic Canyon, Definitive Forfeit, Anamorphic Radio, Reality Kraken, Monk Hacks, Sensitive Kratos, and Tall Gaia (lots of Gaias and Osiris in the list).

If any of these songs reaches 250k plays as the others above, we’re talking about a potential gold mine.

By the way, Spotify have acted really well during the entire thing, giving clear instructions on what to do to secure the account again.

Update 2

I made a data protection subject access request (SAR), and looking in detail at my data I found some really interesting stuff. My account was used to play over 1000 songs since August 12 2019, all random music with some few legitimate artists thrown in from time to time. That only translates to around $8 USD (not even the cost of a monthly subscription), but I am guessing that there are thousands and thousands of compromised accounts. It’s a numbers game.

Categories: Hacking

4 Comments

Anonymous · February 19, 2020 at 3:19 pm

Justo me acaba de pasar lo mismo!

Marta · February 22, 2020 at 12:12 pm

Hats off! What an elaborate scam! Feels like this should be made into a CSI episode.

S · February 22, 2020 at 2:08 pm

Me pasó ayer. Una diferencia es que las bandas que escuchaban eran legítimas. Spotify se da bien para estas cosas porque es uno de los servicios populares más antiguos que existen (menos gente pensaba en tener contraseñas fuertes entonces) – mi cuenta es de hace casi 10 años. Mucha gente utiliza Facebook authentication para entrar, por lo cual uno se olvida de la contraseña después de un tiempo. Grave falta de Spotify no utilizar 2-step authentication (ya es hora!)…

News of the Week; February 19, 2020 – Communications Law at Allard Hall · March 2, 2020 at 8:41 am

[…] Anatomy of a Spotify scam (Andres Guadamuz) […]

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: