Content streaming services are no stranger to cyberattacks, and the recent Spotify squatting campaign reported by IBM X-Force Exchange is proof of that. Spotify, however, is not alone on the boat, as many other streaming services have fallen prey to attacks over the years.
This post seeks to estimate how large the potential domain and subdomain attack surface of the top 10 music streaming services might be.
We began our analysis by identifying today’s top music streaming services and found that these are LiveXLive, SiriusXM, Spotify, Tidal, Amazon Music, Deezer, Qobuz, YouTube, Apple Music, and iHeartRadio.
To determine their potential attack surface sizes, we used Domains & Subdomains Discovery to find out how many domains and subdomains contain their brand or company names.
We used the strings “livexlive,” “siriusxm,” “spotify,” “tidal,” “amazonmusic,” “deezer,” “qobuz,” “youtubemusic,” “applemusic,” and “iheart” as search terms on Domains & Subdomains Discovery. A total of 30,382 domains and subdomains were collated (18,318 domains and 12,064 subdomains), including those with typographical errors. Note that while some of these could be false positives, the resulting numbers could be indicative of the volume of threat vectors that could be used to target the music streaming services’ customers. A breakdown of the domain and subdomain volume for each provider is shown below.
To gauge each company’s potential attack surface, we compared the registrant information of the resulting domains and subdomains with the companies’ own registrant information as shown in their publicly accessible WHOIS records. Some, like those for LiveXLive, Tidal, and Deezer, couldn’t be further analyzed since their WHOIS records are redacted.
Of the remaining 17,834 domains and subdomains, only 8% (1,420 web properties) are publicly attributable (they share the same registrant organization) to the companies or services whose brands or names appear in them. Details for each service are shown below.
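The attribution step above (match a brand string in each name, compare the registrant organization against the brand owner’s, set redacted records aside, and compute the attributable share of what remains) as an added example, not code from the original post or from WhoisXML API. The records and registrant organization names are constructed placeholders, not data from the study.

```python
"""Attribute brand-bearing domains to their owners via the WHOIS registrant organization."""
import re

# Constructed sample records (hypothetical; not from the original post).
# (domain or subdomain, registrant organization, or None when WHOIS is redacted)
SAMPLE_RECORDS = [
    ("spotify.com", "Spotify Brand Holder (placeholder)"),
    ("accounts.spotify.com", "SPOTIFY BRAND HOLDER (PLACEHOLDER)"),  # same org, other case
    ("spotify-premium-gift.example", "Privacy Proxy Service"),
    ("login-spotify.example", None),                                # redacted WHOIS
    ("deezer.com", None),                                           # redacted WHOIS
    ("deezer-free.example", "Unrelated Registrant"),
    ("qobuz.com", "Qobuz Brand Holder (placeholder)"),
    ("qobuz-login.example", "Unrelated Registrant"),
    ("unrelated-radio.example", "Unrelated Registrant"),            # carries no brand string
]

# Known registrant organization per brand search term (placeholder names).
BRAND_ORGS = {
    "spotify": "Spotify Brand Holder (placeholder)",
    "deezer": "Deezer Brand Holder (placeholder)",
    "qobuz": "Qobuz Brand Holder (placeholder)",
}


def normalize_org(org):
    """Case-fold and strip punctuation/whitespace so 'Foo, Inc.' equals 'FOO INC'."""
    return re.sub(r"[^a-z0-9]", "", org.lower())


def classify(records, brand_orgs):
    """Bucket each brand-bearing name as attributable, non_attributable or redacted."""
    counts = {b: {"attributable": 0, "non_attributable": 0, "redacted": 0} for b in brand_orgs}
    for name, org in records:
        for brand, known_org in brand_orgs.items():
            if brand not in name.lower():
                continue  # this record does not carry the brand string
            if org is None:
                counts[brand]["redacted"] += 1  # cannot be compared, as with redacted WHOIS
            elif normalize_org(org) == normalize_org(known_org):
                counts[brand]["attributable"] += 1
            else:
                counts[brand]["non_attributable"] += 1
    return counts


def attributable_share(counts):
    """Percent of comparable (non-redacted) names whose registrant org matches, per brand."""
    shares = {}
    for brand, c in counts.items():
        comparable = c["attributable"] + c["non_attributable"]
        shares[brand] = round(100 * c["attributable"] / comparable, 1) if comparable else None
    return shares
```

Names that land in the non_attributable bucket are the candidates to review or block; redacted ones need another attribution source before any conclusion is drawn.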
Setting aside the cases where those organizations may have chosen to redact the WHOIS records of domains that form part of their anti-cybersquatting/typosquatting strategies, threat actors could use the non-attributable web properties. For instance, scammers may impersonate the organizations’ employees to trick subscribers into installing malware disguised as legitimate applications on their computers, visiting sites that actually host malware, or giving out their personally identifiable information (PII). These phishing techniques could lead to data theft or even a large-scale breach of the companies’ networks.
Notable examples (web properties that could easily be confused as legitimate pages of the organizations) from among the non-publicly attributable domains are:
It’s also worth noting that some of the domains and subdomains are tagged “malicious” and “suspicious” on VirusTotal. Examples of suspicious domains include:
The following, meanwhile, are examples of malicious domains:
It’s best to block access to and from these suspicious and malicious web properties to avoid malware infection and other threats.
Based on the results we obtained from Domains & Subdomains Discovery, we can conclude that a large majority (92%) of the web properties containing the brands or names of the top 10 music streaming services are not publicly attributable to them. Threat actors often spoof the most popular brands to steal data, or worse, from victims’ computers and other devices. And the more subscribers a service has, the more likely its popularity will be abused in cyberattacks. Such is Spotify’s case, for instance, which has the biggest subscriber base at 155 million and also the highest number of non-publicly attributable domains and subdomains.
Interested in doing similar research for your company or independently? We may be able to help. If you’d like to get the same kind of data or partner with us, contact us.